{
	"id": "08cdb691-0c10-4f5f-8464-477749fd377b",
	"created_at": "2026-04-06T00:08:56.918569Z",
	"updated_at": "2026-04-10T13:11:24.343212Z",
	"deleted_at": null,
	"sha1_hash": "ba37eed3b1a8cf9072ed976477079344b0b69d83",
	"title": "SolarMarker: Actions-On-Target",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 302917,
	"plain_text": "SolarMarker: Actions-On-Target\r\nPublished: 2025-12-15 · Archived: 2026-04-05 18:19:48 UTC\r\nNOTE: This article was originally written in March 2024; for undisclosed reasons, I didn’t publish it at that time.\r\nSolarMarker’s infrastructure went defunct in 2024. This malware doesn’t appear to be an active threat, but this\r\narticle discusses means of investigation for similar threats, or for if SolarMarker returns. The post has been updated\r\nto reflect the current state of the malware.\r\nAbstract\r\nSolarMarker malware was a common threat, but nothing had been published or widely shared about the actor’s\r\nactions or objectives—until now. Based on original findings from monitoring an infected computer for months,\r\nthis blog-post discloses—for the first time—the financial fraud carried out by the SolarMarker actor group.\r\nIn this blog-post, we will introduce SolarMarker—highlighting the Virtual Network Computing (VNC)\r\ncomponent which allows threat actors to connect to a victim device and load the victim’s browser data as their\r\nown. With the browser data loaded, threat actors can access accounts to perform financial fraud and data theft.\r\nThis type of fraud is known as on-device-fraud.\r\nWho or what is SolarMarker?\r\nIn this post, we refer to both the malware and the actors as “SolarMarker”. We apologize for any confusion, but\r\nwe trust that context will make the meaning clear. The actors consist of the following: a developer who maintains\r\nthe software and affiliates who leverage remote access to victim hosts to commit fraud.\r\nSolarMarker as a malware was first seen in July 2020. 
The malware has always consisted of multiple modules.\r\nThe modules are primarily named after planets using the Russian spelling:\r\nJupiter (Russian: Jupyter) – an infostealer module\r\nMars – a backdoor module\r\nUranus (Russian: Uran) – a keylogging module\r\nSaturn – a VNC module\r\nFG – a form-grabbing and crypto-wallet stealing module\r\nSOCKS – a SOCKS proxy module\r\nThese modules have always existed, but have not always been in use.\r\nWe take this opportunity to clarify the following: SolarMarker’s primary purpose has been on-device-fraud.\r\nSolarMarker was mistakenly classified as an infostealer due to its infostealing module; however, the infostealing\r\nmodule always existed alongside the other capabilities. The essential function of the infostealing module has been\r\nto profile the device—giving attackers an understanding of what accounts they would have access to when using the\r\nVNC client.\r\nhttps://squiblydoo.blog/2025/12/15/solarmarker-actions-on-target/\r\nPage 1 of 6\n\nSimilarly, the VNC client has always been a core component of the malware. The developer\r\noriginally used a fork of hidden VNC (hVNC) and then wrote his own VNC client.\r\nTo emphasize again, the maintainers of SolarMarker didn’t sell credentials like actors who focused on credential\r\nstealing would. Further, with stolen credentials, an actor needs to attempt to access accounts from another device,\r\nbut with SolarMarker, the affiliates are able to leverage the credentials using the victim’s device.\r\nGaining Insight\r\nTo discover this behavior, we set up a domain and self-infected a host; we then monitored the infected host for\r\nmonths. We infected a host in both 2022 and 2023.\r\nIn 2022, the threat actor deployed multiple payloads onto our infected host without any obfuscation: this helped\r\nprovide a basic understanding of common payloads. 
We were able to see plainly how the VNC module was\r\nloaded: the VNC process has regularly been injected into a Windows process. The VNC client would run from\r\nwithin that process. At that time, we learned that the VNC client was capable of loading the victim’s browser;\r\nhowever, we were unable to determine how that access was leveraged.\r\nIn 2023, we put live credentials in the browser and monitored activity. We then observed the attacker perform the\r\nfollowing actions.\r\nActions Performed\r\nAttacker attempted to log into banking accounts. (No valid account was provided.)\r\nAttacker attempted to log into Amazon accounts. With a valid account, they reviewed the credit cards, gift\r\ncards, and addresses associated with the account.\r\nAttacker accessed victim’s Gmail account. Attacker reviewed settings and addresses associated with the\r\naccount. Attacker reviewed emails in multiple inboxes. Attacker stole financial information from the sent\r\nbox.\r\nAttacker attempted to purchase items such as a Google Pixel phone. (There were insufficient funds at\r\nthe time of the attempt.)\r\nAttacker accessed victim’s Coinbase account. Attacker reviewed settings for the account and made\r\npurchases.\r\nAttacker set inbox rules in Gmail to hide emails associated with purchases.\r\nAttacker deleted emails associated with purchases manually.\r\nAttacker returned and deleted inbox rules to cover tracks.\r\nAll of these actions were performed from the victim device and were made possible by credentials stored by\r\nthe browser and by accounts that were logged in at the time of access. We were able to monitor all of these\r\nactivities because they were performed from the device. Using the victim’s device makes the reporting of fraud\r\ndifficult; as a result, it is important for victims to know how to detect this malware. 
We recommend reviewing our\r\nprevious blog-posts (such as this one) or even contacting us to confirm indicators of an infected host to support\r\nfraud reports.\r\nNote: The VNC client is also capable of loading content from Outlook clients, but we did not monitor for this\r\nactivity in our configuration.\r\nViewing the actions\r\nThe following explains how this visibility was possible.\r\nNote: Some information in the following images is redacted only because the SolarMarker developer reads these\r\nblogs. If you need or want more information, contact me.\r\nWhen a host is infected, the backdoor will launch on startup. After about 30 minutes, devices in the designated\r\nVNC group will receive the VNC client as a payload from the backdoor. The VNC client is injected into the\r\nmemory space of a legitimate Windows process. In 2022, the process was “GamePanel.exe”. From 2023 through\r\n2024, the process was “SearchIndexer.exe”; however, the process used is likely to change after this publication\r\nbased on the developer’s attempt to avoid detection. Regardless of the process used, the behavior will be similar.\r\nThe image below is a screenshot of Process Hacker displaying the behavior. In the process tree, the running\r\nPowerShell was the persistent backdoor which loads the VNC client into SearchIndexer.exe. With the VNC\r\nrunning from SearchIndexer, it loads a copy of the victim’s browser data, as seen in the command-line arguments,\r\nby using the option --user-data-dir=.\r\nImage: Process Hacker showing the malicious process genealogy: SearchIndexer with no parent\r\nspawning Chrome.\r\nThe browser data in the image is loaded from a directory in the “Temp” directory and contains the same contents\r\nas the Chrome “User Data” directory. 
This behavior is consistent with the findings from eSentire’s static analysis\r\nof the VNC client, except that the developer changed the name of the directory after eSentire’s publication.\r\nOnce loaded from this directory, all Chromium artifacts are saved there. The actor can interact with the\r\nbrowser from the user’s normal directory (and may need to in some cases, such as when files are locked and\r\ncannot be copied), but the majority of their actions occur from the copy in the temporary directory. In either\r\ninstance, the attacker attempts to cover their tracks by clearing the Chrome History manually by navigating to the\r\nChrome History tab and removing items.\r\nEven when the attacker cleared Chrome History, we were able to observe their actions using a more fragile\r\nforensic artifact: Chromium Session files.\r\nChromium what?\r\nChromium is the open-source basis of many modern browsers: Google Chrome, Microsoft Edge, Brave, and many\r\nothers. Chromium stores user activity in a file called a “Session file”. A Session file starts when a user opens a\r\nnew window, and it documents all activity performed by the user in that window: the opening/closing of tabs, the\r\nforward/backward navigation, and more. The purpose of Session files is to provide a good user experience: they\r\nallow a user to re-open a window, and that window then behaves as if the user had never closed\r\nit.\r\nSo while the attacker cleared their history, the activity of their Sessions was still accessible.\r\nChromium Sessions are an under-appreciated forensic artifact. Fortunately, I maintain a tool for parsing Chromium\r\nSession files: Chromagnon. (Credit for the original project goes to JRBancel; I forked the project and added\r\nsubstantial updates due to changes to Chromium in the last 15 years. 
JRBancel had established a solid foundation.)\r\nThe following is an example of the output from the investigation:\r\nUpdateTabNavigation - Tab: 826756992, Index: 2, Url: https://mail.google.com/mail/u/0/#trash\r\nUpdateTabNavigation - Tab: 826756992, Index: 3, Url: https://mail.google.com/mail/u/0/#trash/FMfcgzGxSHfcQkLVxKXpDSdbJdsxMDNr\r\nUpdateTabNavigation - Tab: 826756992, Index: 4, Url: https://mail.google.com/mail/u/0/#trash\r\nUpdateTabNavigation - Tab: 826756992, Index: 5, Url: https://mail.google.com/mail/u/0/#settings/general\r\nUpdateTabNavigation - Tab: 826756992, Index: 6, Url: https://mail.google.com/mail/u/0/#settings/filters\r\nIn this snippet the actor did the following: They navigated to the trash. They opened a specific email. They\r\nreturned to the trash. They navigated to the “general” tab of the settings. They navigated to the “filters” tab.\r\nFrom these actions, we infer the following: they deleted an email, then went to the trash, opened the same\r\nemail, and deleted it permanently. After deleting it, they set up a filtering rule to filter future emails. Since the\r\nSession file provides us the URLs associated with the activity, we can confirm these details by navigating to the same\r\npages. Indeed, we were able to confirm that the email with that id no longer exists and that a filtering rule was\r\nconfigured.\r\nImage: Gmail settings with a filtering rule configured by the attacker. Rule highlighted by a green\r\nrectangle.\r\nWe were also able to confirm that funds were spent from the Coinbase account.\r\nWhile Session files gave us a great deal of visibility, they are fragile. Usually only a few are stored at any time. In\r\nthis instance, we missed what exactly was purchased. We used Hindsight to parse the entire user profile used by\r\nthe attacker. 
From the output of Hindsight, we were able to see additional context regarding their purchase.\r\nImage: The spreadsheet output of Hindsight showing the purchase using the Coinbase account.\r\nIn addition to the fragility from only a few Session files being stored, the attacker copies the victim’s profile into\r\nthe temporary directory regularly, which overwrites existing files. As a result, we had to diligently copy the User Profile\r\nfrom the Temporary directory to preserve all the artifacts. We don’t believe that it is practical to rely solely on this\r\nartifact in a production environment. However, it does help reveal the most recent activity and, in this situation,\r\nhelped us establish clear insight into the activity performed by the actor.\r\nDetection Recommendations\r\nIf you are interested in detection opportunities, please write to us and they will be shared privately. If we were to\r\npublish them, the threat actor would change details so as to undermine the detections. Even though the malware is\r\ncurrently inactive, I’m taking this precaution.\r\nConclusion\r\nIn this blog-post, we disclosed what we believe are the most important elements for victims: namely, that the\r\nSolarMarker backdoor is leveraged to perform on-device-fraud and steal arbitrary information from email.\r\nWe recommend being familiar with SolarMarker’s indicators both for defense and for incident response for when\r\ninfections and fraud occur. This tactic of on-device fraud was seen in 2012, so it isn’t particularly new, but it is\r\nimportant to recognize it still occurs.\r\nWith actions-on-objectives having been disclosed, we believe others are now better able to accurately assess the\r\nrisk of SolarMarker malware in their environments.\r\nSource: https://squiblydoo.blog/2025/12/15/solarmarker-actions-on-target/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://squiblydoo.blog/2025/12/15/solarmarker-actions-on-target/"
	],
	"report_names": [
		"solarmarker-actions-on-target"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba37eed3b1a8cf9072ed976477079344b0b69d83.pdf",
		"text": "https://archive.orkl.eu/ba37eed3b1a8cf9072ed976477079344b0b69d83.txt",
		"img": "https://archive.orkl.eu/ba37eed3b1a8cf9072ed976477079344b0b69d83.jpg"
	}
}