{
	"id": "2821e99e-c52d-43e8-b4b6-0977abf5f803",
	"created_at": "2026-04-06T01:29:24.531673Z",
	"updated_at": "2026-04-10T13:12:08.834102Z",
	"deleted_at": null,
	"sha1_hash": "ce249b83c0e92afc5a2b80622560e6abb3f17165",
	"title": "Jupyter Rising: An Update on Jupyter Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 963726,
	"plain_text": "Jupyter Rising: An Update on Jupyter Infostealer\r\nBy Swee Lai Lee, Bria Beathley, Abe Schneider, Alan Ngo, Sean McKnight\r\nPublished: 2023-11-06 · Archived: 2026-04-06 00:21:05 UTC\r\nContributor: Nikki Benoit\r\nExecutive Summary\r\nNew Jupyter Infostealer variants continue to evolve with simple yet impactful changes to the techniques used by the\r\nmalware author. This improvement aims to avoid detection and establishes persistence, enabling the attacker to stealthily\r\ncompromise victims. The Carbon Black MDR Team has contained countless Jupyter Infostealer infections over the years.\r\nThis malware continues to be one of the top ten infections we’ve detected in our clients’ network primarily targeting the\r\nEducation and Health sectors.\r\nThe team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and\r\nsignatures of private keys in attempts to pass off the malware as a legitimately signed file. Over the last two weeks, the\r\nnumber of Jupyter Infostealer infections that we have observed has steadily risen, now totaling 26 infections. Malware\r\nresearchers such as SquiblydooBlog have also noted the recent changes.\r\nHistory\r\nJupyter Infostealer (aka Yellow Cockatoo, Solarmarker, Polazert) is a malware variant that was first detected in late 2020. It\r\nhas continued to evolve, changing its delivery method to evade detection. Targeting Chrome, Edge, and Firefox browsers,\r\nJupyter infections use SEO poisoning and search engine redirects to encourage malicious file downloads that are the initial\r\nattack vector in the attack chain. The malware has demonstrated credential harvesting and encrypted command-and-control\r\n(C2) communication capabilities used to exfiltrate sensitive data.\r\nCertificate Manipulation\r\nThese files are signed with a valid certificate to further evade detection. The recent Jupyter infections utilize multiple\r\ncertificates to sign their malware which, in turn, can allow trust to be granted to the malicious file, providing initial access\r\nto the victim’s machine.\r\nRecent Signers:\r\nТОВ “Чеб”\r\nТОВ “Софт Енжін юа”\r\nТОВ “Трафік Девелоп ЮА”\r\nFigure 1: Certificate Information\r\nCrafty threat actors are particularly interested in obtaining such certificates; even security analysts may inadvertently place\r\ntrust in such software due to the semblance of authenticity provided by these certificates.\r\nCommon Delivery Methods\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 1 of 10\n\nJupyter Infostealer, like many other malware, can be delivered through various methods. Common delivery methods\r\ninclude: malicious websites, drive-by downloads, and phishing emails. Users may unknowingly download Jupyter\r\nInfostealer when visiting compromised websites or by clicking on malicious ads. The most common applications we see\r\nused to download this malware are: Firefox, Chrome, and Edge web browsers.\r\nFigure 2: No-Hoa-Letter-Mortgage.exe invokes No-Hoa-Letter-Mortgage.tmp file\r\nWhen a user gets tricked into downloading this Infostealer, the executable can then get invoked by their browser.\r\nWe also observed the initial files with different naming conventions:\r\nAn-employers-guide-to-group-health-continuation.exe\r\nHow-To-Make-Edits-On-A-Word-Document-Permanent.exe\r\n052214-WeatherPro-Power-Patio-Sport-Replacement-Fabric.exe\r\nIv-Calculations-Practice-Questions-Pdf.exe\r\nSister-Act-Libretto-Pdf.exe\r\nCoaches-Gift-Donations.exe\r\nElectron-Configuration-Practice.exe\r\nEnvironmental-Accounting-Education-Requirements.exe\r\nAmerican-Born-Chinese.exe\r\nFake Installer\r\nThe above executables are examples of installation files created by InnoSetup – an open source compiler used to create\r\ninstallation packages in Windows OS. These new infections typically include this installer-bundle.exe file which retains the\r\nsame hash although their file names may vary.\r\nAutodesk\r\nDuring our recent investigation, we identified an incident where a signed Autodesk Create Installer was deployed by the\r\ninstaller-bundle.exe. Autodesk, a software frequently exploited in past cyber attacks, was utilized as a Remote Desktop\r\napplication on the victims’ devices.\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 2 of 10\n\nFigure 3: Installer-bundle.exe dropping AutoDeck Create Installer\r\nMoments after, No-Hoa-Letter-Mortgage.tmp executes powershell.exe which then makes a connection to\r\n185[.]243.112.60, a C2 server located in the Netherlands.\r\nFigure 4: Encoded Powershell command\r\nMultiple files are then created and opened with write privileges, including the .dat file shown in the PowerShell command\r\nabove. These files are typically stored in the %Temp% directory.\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 3 of 10\n\nFigure 5: Events seen in Process Analysis page in Enterprise Endpoint Detection and Response\r\nThe PDF file that the malware drops into the %Temp% folder, as seen in the image above, is used as a decoy for the victim.\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 4 of 10\n\nFigure 6: A screenshot of budget_fy2024.pdf seen by the victim\r\nThese same files then get deleted a few minutes after initial infection.\r\nFigure 7: Files seen being deleted\r\nAfter a foothold is established on the user’s device, PowerShell is used to immediately establish multiple network\r\nconnections to their C2 server after executing the following command:\r\nFigure 8: PowerShell commands seen attempting to reach out to C2 server\r\nThe above PowerShell command was executed to decrypt the .DAT file (0AF84CcF99e5dcA1399141fB72F2B3f2.daT)\r\nwith a custom XOR key. The below image shows the snippet of the decoded PowerShell script:\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 5 of 10\n\nFigure 9: Decoded PowerShell script\r\nThe above PowerShell script was used to decode the Infostealer payload and load the DLL payload in-memory using the\r\nReflection.Assembly::load method.\r\nFigure 10: Jupyter Infostealer process chart\r\nCarbon Black Detection and Prevention\r\nThe Carbon Black MDR Team routinely scans for new adversary techniques used to bypass detection.  Once a threat is\r\nidentified, our team acts quickly to contain the attack and prevent exfiltration of valuable data.\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 6 of 10\n\nFigure 11: Analysts implement a blocking policy to prevent Jupyter from executing PowerShell, a policy deny action was\r\napplied\r\nWith MDR analysts watching over our clients 24-hours a day, the team is able to implement prevention rules to identify\r\nand contain various versions of Jupyter Infostealer around the clock.\r\nFigure 12: The Events page showing that the Policy Deny action was applied and the operations were blocked by Carbon\r\nBlack\r\nSummary\r\nJupyter Infostealer exhibits a remarkable ability to evolve and adapt.  These modifications seem to enhance its evasion\r\ncapabilities, allowing it to remain inconspicuous. As cyber defenses strengthen, malicious software finds new avenues to\r\nbreach and infect systems leaving us vulnerable to newer renditions of commonly seen older attacks.\r\nManaged Threat Hunting\r\nAs we continue to see malware evolve, some get phased out and others adapt.  This blog post is meant to observe and\r\ndocument the behavioral patterns and changes of Jupyter Infostealer.  With this we have seen the improvements of the\r\nevasive abilities Jupyter uses in attempts to stay under the radar and continue to silently infect victims.\r\nCarbon Black adopts a different approach, focusing on both pre and post-exploit defense. This strategy proves more\r\neffective against Jupyter Infostealer, ensuring detection, prevention, and containment.\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 7 of 10\n\nCarbon Black is particularly effective against Jupyter Infostealer due to its innovative approach to endpoint security. Unlike\r\ntraditional antivirus (AV) solutions that rely solely on static signatures or hashes to detect malware, Carbon Black utilizes\r\nadvanced techniques and behavioral analysis for threat detection. Here’s why Carbon Black is a superior endpoint\r\nprotection to use against Jupyter Infostealer:\r\nDynamic Detection Methods: Carbon Black employs dynamic detection methods, such as behavioral analysis and\r\nmachine learning algorithms, to identify malicious behavior patterns. This proactive approach allows it to detect\r\nnew and evolving threats such as Jupyter Infostealer even when their specific signatures or hashes are unknown.\r\nFocus on Pre and Post-Exploit Defense: Carbon Black focuses on both pre-exploit and post-exploit defense.\r\nWhile traditional AVs primarily concentrate on pre-exploit measures, Carbon Black also monitors activities after a\r\npotential breach.  This comprehensive approach enables it to identify and mitigate Jupyter Infostealer  malicious\r\nactivities throughout the attack lifecycle.\r\nAdaptability to Unique Attacks: Jupyter Infostealer, being a malware-as-a-service, allows attackers to customize\r\ntheir attacks resulting in unique configurations for each instance. Carbon Black’s adaptive and behavioral analysis\r\ncan recognize these custom configurations and detect Jupyter Infostealer variants regardless of the specific\r\nparameters set by the attacker.\r\nContainment Capabilities: Carbon Black not only detects malware but also offers effective containment measures.\r\nWhen Jupyter Infostealer is detected, Carbon Black can isolate the infected system, preventing the malware from\r\nspreading further within the network. This containment feature helps prevent widespread damage and data breaches.\r\nContinuous Updates and Threat Intelligence: Carbon Black continuously updates its threat intelligence database,\r\nincorporating information about emerging threats and attack techniques including those used by Jupyter Infostealer.\r\nThis up-to-date knowledge enhances its ability to recognize and thwart the latest variants of the malware.\r\nAdaptive Response: Carbon Black’s Managed Detection and Response products provide an adaptive response\r\nmechanism. In the event of a Jupyter Infostealer attack, it can respond dynamically, adapting its defense strategies\r\nbased on the evolving threat landscape. This adaptability is crucial in dealing with constantly changing malware\r\ntactics.\r\nManaged Threat Hunting: Carbon Black’s newly released Managed Threat Hunting product provides proactive\r\nthreat hunting on emerging threats. The Managed Threat Hunting product’s unique approach to detection and\r\nresponse allows it to quickly detect and respond to threats, including Jupyter Infostealer .\r\nCarbon Black’s advanced, dynamic, and comprehensive approach to threat detection and response makes it highly effective\r\nagainst Jupyter Infostealer and other sophisticated malware threats. Carbon Black’s ability to adapt, analyze behavior, and\r\ncontain attacks sets it apart as a robust solution in the fight against evolving cyber threats.\r\nSearch Queries\r\nprocess_cmdline:*utf8.GeTsTriNG* AND process_cmdline:*ReadAllBytes*\r\nprocess_name:powershell.exe AND process_cmdline:\\-bxor AND process_cmdline:utf8.getstring AND\r\nprocess_cmdline:readallbytes\r\nhash:820eda2078723e7f1c09d0e6d3641ea822c2b36c981cb5bfa4e445733664c087 OR\r\n95a96d21f89b5e73ad41c5af5381f54a2697abd0c8490b4fd180ad88e9677452 OR\r\n32e0c3db78cdeaa026b8b9ed9c3e4f599eb5d9cb4184aaacae8ec94a0c1be438 OR\r\nad7098b4882cdd187a2c2bdf87f6e4cb6c76017975a135cf9c9dcd49ce1f30d7 OR\r\nc083bf80cfc91f4e3c696bab27760163b9b7621ff4e1230b8129d44b52ccf79a OR\r\n39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2 OR\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 8 of 10\n\nfee1e684cc9588c9aea22c48e9745d0f3150479b2c094c0de598247487fc3f89 OR\r\n7d57b32e3753a28d2e106392fef0c02ec549062f607563732a64abb4ad949fde\r\nnetconn_ipv4:146.70.101.83 OR 239.255.255.250 OR 224.0.0.251 OR 91.206.178.10 OR 78.135.73.176 OR\r\n185.243.112.60 OR 146.70.71.13 OR 146.70.121.88\r\nIndicators of Compromise (IOC)\r\nName SHA256 Hash\r\nno-hoa-letter-mortgage.exe 820eda2078723e7f1c09d0e6d3641ea822c2b36c981cb5bfa4e445733664c087\r\nno-hoa-letter-mortgage.tmp 95a96d21f89b5e73ad41c5af5381f54a2697abd0c8490b4fd180ad88e9677452\r\nan-employers-guide-to-group-health-continuation.exe\r\n32e0c3db78cdeaa026b8b9ed9c3e4f599eb5d9cb4184aaacae8ec94a0c1be438\r\nan-employers-guide-to-group-health-continuation.tmp\r\nad7098b4882cdd187a2c2bdf87f6e4cb6c76017975a135cf9c9dcd49ce1f30d7\r\n316798e6deddba410e710d355c6f6f2a.pdf c083bf80cfc91f4e3c696bab27760163b9b7621ff4e1230b8129d44b52ccf79a\r\nScum-and-villainy-rpg-pdf.exe 39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2\r\nJob-satisfaction-in-relation-to-communication-in-health-care.tmp\r\nfee1e684cc9588c9aea22c48e9745d0f3150479b2c094c0de598247487fc3f89\r\njob-satisfaction-in-relation-to-communication-in-health-care.exe\r\n7d57b32e3753a28d2e106392fef0c02ec549062f607563732a64abb4ad949fde\r\nIPs/Domains\r\n146[.]70.101.83 239[.]255.255.250\r\n224[.]0.0.251 91[.]206.178.10\r\n78[.]135.73.176 185[.]243.112.60\r\n146[.]70.71.13 146[.]70.121.88\r\nMITRE ATT\u0026CK TIDs\r\nTID Tactics Technique\r\nT1204.002 Execution User Execution: Malicious File\r\nT1059.001 Execution Command and Scripting Interpreter: PowerShell\r\nT1055 Privilege Escalation Process Injection\r\nT1547.001\r\nPersistence,Privilege\r\nEscalation\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup\r\nFolder\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 9 of 10\n\nT1564.003 Defense Evasion Hide Artifacts: Hidden Window\r\nT1620 Defense Evasion Reflective Code Loading\r\nT1027.011 Defense Evasion Obfuscated Files or Information: Fileless Storage\r\nT1036 Defense Evasion Masquerading\r\nT1070.004 Defense Evasion Indicator Removal on Host: File Deletion\r\nT1112 Defense Evasion Modify Registry\r\nT1082 Discovery System Information Discovery\r\nT1083 Discovery File and Directory Discovery\r\nT1552.001 Credential Access Unsecured Credentials: Credentials In Files\r\nT1005 Collection Data from Local System\r\nT1105 Command and Control Ingress Tool Transfer\r\nT1070.001 Command and Control Application Layer Protocol: Web Protocols\r\nT1041 Exfiltration Exfiltration Over C2 Channel\r\nSource: https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html"
	],
	"report_names": [
		"jupyter-rising-an-update-on-jupyter-infostealer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438964,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce249b83c0e92afc5a2b80622560e6abb3f17165.pdf",
		"text": "https://archive.orkl.eu/ce249b83c0e92afc5a2b80622560e6abb3f17165.txt",
		"img": "https://archive.orkl.eu/ce249b83c0e92afc5a2b80622560e6abb3f17165.jpg"
	}
}