{
	"id": "2db9d6ee-12ed-471e-b366-a3f69cb5a616",
	"created_at": "2026-04-06T00:19:21.240358Z",
	"updated_at": "2026-04-10T13:12:20.96734Z",
	"deleted_at": null,
	"sha1_hash": "aea519c7e52e399990c8f1c775c5d47e11c4f93f",
	"title": "New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3401280,
	"plain_text": "New SolarMarker (Jupyter) Campaign Demonstrates the\r\nMalware’s Changing Attack Patterns\r\nBy Shimi Cohen, Inbal Shalev, Irena Damsky\r\nPublished: 2022-04-09 · Archived: 2026-04-05 20:44:16 UTC\r\nExecutive Summary\r\nRecently, we've identified a new version of SolarMarker, a malware family known for its infostealing and\r\nbackdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users\r\nto download malicious documents.\r\nSome of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card\r\ninformation from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional\r\ncapabilities such as file transfer and execution of commands received from a C2 server.\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge\r\nfiles, impersonation of legitimate software installations and obfuscated PowerShell scripts.\r\nThis malware has been prevalent since September 2020 targeting U.S. organizations, and part of the infrastructure\r\nis still active as of 2022 in addition to a new infrastructure that attackers have recently deployed.\r\nHere, we dive into the technical details of the newly identified SolarMarker activity – specifically, how this\r\nmalware often changes and modifies its attack patterns. 
For example, the recent version demonstrated an evolution\r\nfrom Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files).\r\nAccording to the evidence we have, this campaign is still in development and going back to using executable\r\nfiles (EXE) as it did in its earlier versions.\r\nPalo Alto Networks customers received protections against the newly discovered campaigns through Cortex XDR\r\nand WildFire.\r\nRelated malware names: SolarMarker, Jupyter, Yellow Cockatoo, Polazert\r\nRelated Unit 42 topics: infostealer, backdoor\r\nInfection Vector\r\nSolarMarker is multi-stage malware. The attackers use obfuscated PowerShell scripts to deploy their attack and\r\nstay under the radar.\r\nThe primary infection vector of SolarMarker is SEO poisoning, which is an attack method in which threat actors\r\ncreate malicious websites packed with keywords and use search engine optimization techniques to make them\r\nhttps://unit42.paloaltonetworks.com/solarmarker-malware/\r\nPage 1 of 12\n\nshow up prominently in search results.\r\nDeployment of SolarMarker Infrastructure on a Victim Machine\r\nThe initial stage is an EXE file larger than 250MB (the large file size helps to avoid inspection by an automated\r\nsandbox or an AV engine). In this case, the file we analyzed was called setup.exe. Based on the sample compilation\r\ndate in February 2022, the demonstrated artifacts belong to a new development in the malware lifecycle.\r\nFigure 1. Dropper file properties.\r\nFigure 2. The file is signed with valid digital certificates to further hide from detection. 
We assume\r\na stolen code-signing cert from a legitimate company was used to sign SolarMarker – but at the time\r\nof writing, the certificate chain has been revoked.\r\nThis file is a .NET-compiled dropper that will drop and execute an installer of a legitimate program to avoid\r\nraising the user’s suspicion toward the downloaded binary.\r\nFigure 3. Legitimate PDF Merge installer.\r\nFigure 4. The name of the legitimate dropped installer file is the same as the first stage file with the\r\n”_install” suffix. (setup_install.exe)\r\nIn parallel, the malware runs a PowerShell loader in a new thread to load and execute the SolarMarker backdoor\r\npayload.\r\nWe can see the loaded script decoded by debugging the PowerShell invoke function.\r\nLet's take a look at the script.\r\nFigure 5. Obfuscated PowerShell script.\r\nFigure 6. To improve the readability of this PowerShell loader script, we removed various types of\r\nobfuscation and added comments.\r\nMain Sections of the PowerShell Script\r\nshowWindowAsync makes PowerShell windows hidden to conceal malicious activity from the plain sight\r\nof users.\r\nWrites the encrypted base64 payload of the SolarMarker backdoor to file with random extension into the\r\nTEMP folder.\r\nAchieves persistence using the lnk file in the startup folder. The target file of the lnk is the encrypted\r\nbase64 payload of the SolarMarker backdoor with the random extension. (This file cannot be run directly).\r\nIn Windows environments, every file extension is associated with a default program. The associations of\r\nextensions with programs are handled through the registry. SolarMarker sets a handler to the custom\r\nrandom extension to run the encrypted payload. 
This handler is a PowerShell script that decrypts the\r\npayload and loads the bytes of the encrypted payload (backdoor) into memory.\r\nThe attacker avoids downloading the assembly to disk and subverts it using the ”Load” method, which accepts a\r\nbyte array instead of a file. The loading technique is called Reflective Code Loading.\r\nIn the first execution of the malware on the victim machine, the encrypted payload (backdoor) will load into the\r\nfirst stage of the malware (setup.exe) because, as we mentioned earlier, setup.exe opened a new thread in which it\r\nran the PowerShell script.\r\nAfter the reboot, the encrypted payload will load directly into the PowerShell process due to the lnk file from the\r\nstartup folder.\r\nEncrypted Payload\r\nWe’ve so far mentioned the encrypted payload many times. What exactly is it?\r\nWe can make a small change to the PowerShell script of the attacker to save the assembly to disk rather than\r\nloading it directly into memory. In addition, this can help us understand the functionality of this version of\r\nSolarMarker.\r\nWe got a .NET-compiled Dynamic-Link Library (.DLL) that contains the core code of the SolarMarker backdoor\r\nwith an embedded C2 client.\r\nWhen looking at the decompiled code and the names of the classes and functions, we can see that they don't look\r\nright. Instead, they look like they are obfuscated.\r\nFigure 7. Obfuscated names of the classes and functions/obfuscated code doesn't make much sense.\r\nAfter quickly running de4dot, we can see that it unpacked and deobfuscated:\r\nFigure 8. 
Deobfuscated strings in functions.\r\nSolarMarker Backdoor\r\nThe SolarMarker backdoor is a .NET C2 client that communicates with the C2 server over an encrypted\r\nchannel.\r\nThe communication protocol is HTTP – usually POST requests.\r\nThe data is encrypted using RSA encryption with Advanced Encryption Standard (AES) symmetric encryption.\r\nFigure 9. Encrypted network communication with the C2 server.\r\nThe client performs internal reconnaissance, collects basic information about the victim machine and exfiltrates it\r\nover an existing C2 channel.\r\nFigure 10. Exfiltrated data before encryption.\r\nThe client sends a signal to the attacker’s server to check for instructions or additional payloads at regular\r\nintervals (60 seconds).\r\nThe attacker can run a PowerShell script and transfer files to the victim machine.\r\nThe next stage is again a PowerShell encoded script that deploys the SolarMarker final payload (.NET Infostealer)\r\nand loads it into memory (this typically occurs a few hours after the initial infection of the victim machine).\r\nThe attackers' servers and version names vary between the backdoor and infostealer modules.\r\nSolarMarker Infostealer\r\nIn terms of its structure, the infostealer module looks very similar to the backdoor module we introduced earlier\r\nbut has extended capabilities.\r\nThe SolarMarker infostealer module acquires login data, cookies and web data (auto-fill) from web browsers by\r\nreading files specific to the target browser. SolarMarker uses the API function CryptUnprotectData (DPAPI) to\r\ndecrypt the credentials.\r\nFigure 11. Data collection for exfiltration example.\r\nFigure 12. Collected data is exfiltrated as XML format.\r\nFigure 13. 
Data leakage exfiltration through HTTP encrypted channel.\r\nKey Changes Observed in the New Version of SolarMarker\r\nLet's summarize the main changes seen in the new version of SolarMarker:\r\nSwitches back to executables as the dropper instead of MSI.\r\nIncreases the size of the dropper files.\r\nThe dropper files are always signed by a legitimate company.\r\nModifies the PowerShell loader script.\r\nIn the first execution of the malware on the victim machine, the backdoor will load into the dropper process\r\nand not into the PowerShell process as in previous versions.\r\nConclusion\r\nThis blog post documents recent changes in SolarMarker behavior patterns. These updates appear to upgrade\r\nevasion abilities in an attempt to stay under the radar and demonstrate that SolarMarker continues to evolve.\r\nIn recent years, the security industry has come to realize the importance of behavior-based detectors to reduce the\r\ndwell time of threats inside their network.\r\nPalo Alto WildFire customers are protected from the SolarMarker malware.\r\nPalo Alto customers using Cortex XDR Prevent or Pro are protected from such campaigns in different layers,\r\nincluding over 30 Behavioral Threat Protection, BIOC, and Analytics BIOC rules that identify the tactics and\r\ntechniques that SolarMarker uses at different stages of its execution.\r\nMost rules are not customized for SolarMarker and are based on unusual, rare behaviors – and therefore provide\r\nprotection against many additional malware families and campaigns that use the same methods. 
On top of that, the\r\nLocal Analysis Engine and WildFire integration provide additional layers of protection to Cortex customers.\r\nIndicators of Compromise\r\nIP\r\n84.252.95[.]225\r\n89.44.9[.]108\r\n5.254.118[.]226\r\n37.120.247[.]199\r\n69.46.15[.]151\r\n37.120.237[.]251\r\n146.70.101[.]97\r\n146.70.24[.]173\r\n188.241.83[.]61\r\n185.244.213[.]64\r\n45.42.201[.]248\r\n216.230.232[.]134\r\n46.102.152[.]102\r\n146.70.53[.]153\r\n146.70.88[.]119\r\n37.221.113[.]115\r\n92.204.160[.]114\r\n92.204.160[.]101\r\nSHA256\r\naf1e952b5b02ca06497e2050bd1ce8d17b9793fdb791473bdae5d994056cb21f\r\nb4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0\r\n3b79aab07b9461a9d4f3c579555ee024888abcda4f5cc23eac5236a56bf740c7\r\nd40da05d477f2a6a0da575194dd9a693f85440e6b2d08d1687e1415ce0b00df7\r\nb90ac9da590ba7de19414b7ba6fbece13ba0c507f1d6be2be2b647091f5779f0\r\ne91e49fa225b2a9d7b6d5b33a64d4ebe96bbbcea3705438910a5196e0b9d030f\r\n1ad2af16a803f6f72f3f8bd305fe2e1b2049ecc8c401ed48e72446abb33022f8\r\n67735dd94093998ea9011435f6e56f90e3d66131b841706c4418c14907a497f9\r\n5239c3b84de73e2a5d9a2ea3f99889f5c81769df388dae21db37a37688f6617e\r\n5a2005552ba03f22f4d89d638b7e87b1dc1397c82f665fe3c63fd7d29bc6215b\r\n44af59a2d70ba23f2f80d80090d11184ef923a746c0c9ea3c81922bd8d899346\r\n2f7287a8b0c612801e77de6c2f37e22e0a67579f203a0aaf40095bf6ff70e6ee\r\n0c933001de544ebc071d175d9f8e3bfad8066b532dc69dea4c713c52eb6a64a0\r\n067ead7f7950dac95836899d08e93e6888fc87603b9ebf49d10ffeaed27ae466\r\na9df1cb6aa6061056b78ad88e7101b076cf20c1a82cc79b1215d1ea80c3fbd2c\r\n3407a30a697cc9ad2aa84fddc9f643a6b0f2012b286f99f5ac01064bbd56e09a\r\n7cc35fbce4b353c541f1ee62366248cc072d1c7ce38b1d5ef5db4a2414f26e08\r\n7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026\r\nbbfae2ab644c8d0f1ba82b01032b1962c43855cc6716193ce872ac16cda166df\r\n3be8e9f9e76df60bc682887ea31813762e9d2c316260a702c3b3e54391a9111b\r\n11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a\r\nb0e926d0e8a2379173ce220071d409839d02a87f7b25f39e29d9e47afa4f7378\r\nFilename\r\nOptumrx-Quantity-Limit-Prior-Authorization-Form.exe\r\nFedex-Domestic-Air-Waybill.exe\r\nOsha-Required-Training-Checklist-For-General-Industry.exe\r\nThetford Porta Potti 345 Instructions.exe\r\nParkland-Heritage-Gazebo-Instructions.exe\r\nHoward-County-Refinance-Affidavit.exe\r\nChecklist-For-Bringing-New-Baby-Home.exe\r\nPool-Cover-Cable-Winch-Instructions.exe\r\nRadiation-Pregnancy-Consent-Form.exe\r\nRival-Frozen-Delights-Ice-Cream-Maker-Manual.exe\r\nFord-Direct-Window-Sticker-Lookup.exe\r\nSentence-Structure-Simple-Compound-Complex-Worksheets.exe\r\nAdrenal-Protocol-Ct-Washout.exe\r\nOsha-Propane-Tank-Storage-Requirements.exe\r\nIndiana-Alcohol-And-Tobacco-Liquor-License-Renewal.exe\r\nMonthly-Elevator-Inspection-Checklist.exe\r\nFamily-Nurse-Practitioner-Certification-Exam-Questions.exe\r\nIai-Latent-Print-Certification-Test-Preparation-Training.exe\r\nCornwall-Ontario-Pool-Bylaw.exe\r\nState-Of-Michigan-Workmans-Comp-Waiver.exe\r\nLilly-Cares-Patient-Assistance-Application-Form.exe\r\nMarket-Adjustment-Salary-Increase-Letter.exe\r\nAre-Doctors-Obligated-By-Law-To-Perform-A-Surgery.exe\r\nAffidavit-Of-Correction-South-Carolina.exe\r\nMedicare-Annual-Wellness-Visit-Questionnaire-In-Spanish.exe\r\nAcceptance-Letter-Phd-Neuroscience.exe\r\nCigna-Precertification-Request-Form.exe\r\nOregon-Inheritance-Tax-Waiver-Form.exe\r\nReligious-Exemption-Letter-Nj-Example.exe\r\nTraining-Needs-Analysis-Questionnaire-For-Employees.exe\r\nSample-Texas-Will-And-Testament.exe\r\nMatter-As-Particles-Worksheet.exe\r\nSdlc-Life-Cycle-With-Examples.exe\r\nRandall-High-School-Volleyball-Schedule.exe\r\nUses-Of-Rocks-Worksheet.exe\r\nSample-Demand-Letter-For-Services-Not-Rendered.exe\r\nFe-Exam-Review-Lecture-Notes.exe\r\nQuit-Claim-Deed-Form-Volusia-County-Florida.exe\r\nImsa-Ite-Traffic-Signal-Maintenance-Handbook.exe\r\nCapital-One-Mortgage-Pre-Approval.exe\r\nField-Trip-Reflection-Worksheet-Pdf.exe\r\nLivingston-Mt-City-Court-Warrants-List.exe\r\nOne-Page-Lease-Agreement-Texas.exe\r\nThetford Porta Potti 345 Instructions.exe\r\nHoward-County-Refinance-Affidavit.exe\r\nChecklist-For-Bringing-New-Baby-Home.exe\r\nExample Of Discharge Summary For Substance Abuse\r\nCertificates\r\nName: Zimmi Consulting Inc\r\nSerial Number: 06 FA 27 A1 21 CC 82 23 0C 30 13 EE 63 4B 6C 62\r\nStatus: Trust for this certificate or one of the certificates in the certificate chain has been revoked.\r\nValid From: 12:00 AM 02/18/2022\r\nValid To: 11:59 PM 02/13/2023\r\nThumbprint: BA256F3716A5613B2DDA5F2DBD36ABC9AC321583\r\nName: Divertida Creative Limited\r\nSerial Number: 08 83 DB 13 70 21 B5 1F 3A 2A 08 A7 6A 4B C0 66\r\nStatus: Trust for this certificate or one of the certificates in the certificate chain has been revoked.\r\nIssuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1\r\nValid From: 12:00 AM 07/28/2021\r\nValid To: 11:59 PM 07/27/2022\r\nThumbprint: C049731B453AB96F0D81D02392C9FC57257E647D\r\nAdditional Resources\r\nThe Introduction of the Jupyter Infostealer/Backdoor - Morphisec\r\nSolarMarker campaign used novel registry for persistence – SOPHOS\r\nBlocking SolarMarker Backdoor – CrowdStrike\r\nThreat Spotlight: Solarmarker – Cisco Talos\r\nNew-jupyter-evasive-delivery-through-msi-installer – Morphisec\r\nSolarmarker In-Depth Analysis – Prodaft\r\nMalware Analysis (PowerShell to .NET) – John Hammond\r\nYellow Cockatoo – Red Canary\r\nMars-Deimos: SolarMarker/Jupyter Infostealer (Part 1) – Squiblydoo\r\nMars-Deimos: From Jupiter to Mars and Back again (Part Two) – Squiblydoo\r\nSource: https://unit42.paloaltonetworks.com/solarmarker-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/solarmarker-malware/"
	],
	"report_names": [
		"solarmarker-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434761,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aea519c7e52e399990c8f1c775c5d47e11c4f93f.pdf",
		"text": "https://archive.orkl.eu/aea519c7e52e399990c8f1c775c5d47e11c4f93f.txt",
		"img": "https://archive.orkl.eu/aea519c7e52e399990c8f1c775c5d47e11c4f93f.jpg"
	}
}