{
	"id": "fad10f75-ef09-41c5-8171-d37ba46ba5bb",
	"created_at": "2026-04-06T00:09:10.592019Z",
	"updated_at": "2026-04-10T03:36:48.480776Z",
	"deleted_at": null,
	"sha1_hash": "db4ddccc342ed7191e668c372c52eb5236fb7850",
	"title": "The Introduction of the Jupyter InfoStealer/Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1287435,
	"plain_text": "The Introduction of the Jupyter InfoStealer/Backdoor\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 18:57:30 UTC\r\nAn infostealer is a trojan designed to gather and exfiltrate private and sensitive information from a target system. There is a large variety of infostealers active in the wild; some are independent and some act as a modular component of a larger threat such as a banking trojan (Trickbot) or a RAT.\r\nInfostealers are usually lightweight and stealthy payloads that do not have persistence or propagation (get-in and get-out) capabilities. This type of trojan is particularly difficult to detect as it leaves an extremely small footprint.\r\nDuring what began as a routine incident response process, Morphisec identified (and prevented) a new .NET infostealer variant called Jupyter. Morphisec discovered this variant while assisting a higher education customer in the U.S. with their incident response.\r\nJupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality. These include:\r\na C2 client\r\ndownload and execute malware\r\nexecution of PowerShell scripts and commands\r\nhollowing shellcode into legitimate Windows configuration applications.\r\nJupyter’s attack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Some of these installers have maintained 0 detections in VirusTotal over the last 6 months, making them exceptional at bypassing most endpoint security scanning controls.\r\nUpon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into memory. This client has a well-defined communication protocol and versioning matrix, and has recently included persistence modules.\r\nThe client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both .NET components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end-to-end framework for implementing the infostealer.\r\nMorphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them.\r\nThis is not the only piece of evidence that this attack is likely Russian in origin. First, there is the noticeable Russian-to-English misspelling of the planet name. Additionally, Morphisec researchers ran a reverse Google Image search of the C2 admin panel image and were not surprised to find the exact image on Russian-language forums.\r\nhttps://blog.morphisec.com/jupyter-infostealer-backdoor-introduction\r\nPage 1 of 3\n\nDownload the complete report for details on the changes and evolution of the Jupyter infostealer as well as its backdoor component.\r\nNote: Morphisec CTO Michael Gorelik contributed to this analysis.\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction"
	],
	"report_names": [
		"jupyter-infostealer-backdoor-introduction"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434150,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db4ddccc342ed7191e668c372c52eb5236fb7850.pdf",
		"text": "https://archive.orkl.eu/db4ddccc342ed7191e668c372c52eb5236fb7850.txt",
		"img": "https://archive.orkl.eu/db4ddccc342ed7191e668c372c52eb5236fb7850.jpg"
	}
}