{
	"id": "9f60809a-02ac-473f-b92a-b9928c728bd5",
	"created_at": "2026-04-06T01:31:33.149967Z",
	"updated_at": "2026-04-10T03:21:54.888718Z",
	"deleted_at": null,
	"sha1_hash": "e58270267e648600f59d39cf5c19a92ba150d74e",
	"title": "Tracking Jupyter Malware AKA Solarmarker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1424259,
	"plain_text": "Tracking Jupyter Malware AKA Solarmarker\r\nBy Luke Acha\r\nPublished: 2020-12-12 · Archived: 2026-04-06 00:46:47 UTC\r\n*Updated March 10, 2022 (Detection rules for new variant observed March 2022.)\r\nI have had the opportunity to track the .NET backdoor dubbed by Morphisec as Jupyter Infostealer, A.K.A. Solarmarker.\r\nI was excited to see this writeup, since this was a malware family that other researchers on Twitter and I had been discussing for a couple of weeks prior to the Morphisec article, before the malware had an attributed name. This was in October, and we were all sharing the bits of information we had on it. Since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to keep up with this malware.\r\nRecently I saw that Red Canary wrote this up as well, dubbing it Yellow Cockatoo. Again, I was very excited to see more attention being paid to this malware, and I enjoyed both writeups. Red Canary and Morphisec provided excellent information!\r\nSince I've been tracking this for some time, and commenting on all new samples I see uploaded to VirusTotal, I figured I would provide some of my own perspective on this malware as well.\r\nFirst, the initial access. Red Canary correctly points out that search engine queries are being redirected. Digging a bit deeper, it appears that this is done by abusing legitimate sites such as sites.google.com and cdn.shopify.com.\r\nThe following image is a recent (as of this writing) sample uploaded to VirusTotal. Take note of 3 things. 
The first is the file name, the second is the file size, and the third is the icon, which mimics a Word document.\r\nIn the next screenshot we can see where a user's search query may lead to this malware.\r\nhttps://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html\r\nPage 1 of 12\r\nNote: I have also seen this on various sites.google.com pages with earlier samples. So, what happens when we go to this link, which may lead to the malware?\r\nNow this is interesting, right? When I clicked on the PDF download, I watched the address bar redirect several times until I was able to get the final malware. Look at the following screenshots!\r\nWhat is really interesting is how quickly this 100MB+ file actually downloads. Why? Because the file appears to be heavily padded (older samples were padded with NULL bytes; this latest one is padded with the repeating garbage bytes 99 21 C1 FA A3 71 38 9B). Even more interesting is that the malware seems to perform a file-size check, so that if an analyst alters the size, the malware errors out. If I remove even 1 byte, it errors; if I add even 1 byte, it errors. But if I just flip a bunch of the NULL bytes and the file size remains the same, it works fine. Below are a couple of interesting screenshots of the padding and of the import of GetFileSize, which might be used to check whether the file was altered (i.e. padding removed). 
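An added example, written for this post rather than taken from it: a Python check that finds the trailing padding run in a dropper, reports the repeating pattern and how much of the file it occupies, and returns the unpadded payload. The sample bytes are constructed (a fake MZ stub plus repeats of the 8-byte pattern reported above); the binary search, the 16-byte maximum period and the 256-byte minimum run are choices of this example, not behaviour documented for the malware.

```python
# Added example (not from the original post): locate the trailing padding that
# inflates a Solarmarker dropper and measure how much of the file it accounts for.
# The sample bytes below are constructed for this example; the 8-byte pattern is
# the one the post reports (99 21 C1 FA A3 71 38 9B).
import hashlib

def trailing_period_run(data, period):
    # Length of the longest suffix of data that repeats with the given period.
    # The property data[s:n-p] == data[s+p:n] is monotone in s, so a binary
    # search with C-speed slice comparisons handles 100MB+ files quickly.
    n = len(data)
    if n < 2 * period:
        return 0
    def holds(s):
        return data[s:n - period] == data[s + period:n]
    if not holds(n - 2 * period):
        return 0
    if holds(0):
        return n
    lo, hi = 0, n - 2 * period      # holds(lo) is False, holds(hi) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if holds(mid):
            hi = mid
        else:
            lo = mid
    return n - hi

def detect_padding(data, max_period=16, min_run=256):
    # Try the shortest period first so NULL padding reports as period 1
    # rather than as a multiple of it. Returns None when no run is found.
    n = len(data)
    for period in range(1, max_period + 1):
        run = trailing_period_run(data, period)
        if run >= min_run:
            start = n - run
            return {
                'period': period,
                'pattern': data[start:start + period].hex(),
                'run_length': run,
                'ratio': run / n,
                'payload_length': start,
            }
    return None

def strip_padding(data, info):
    # Payload without the padding, for hashing or static analysis (assumption).
    # The post notes the malware checks its own size via GetFileSize, so a
    # stripped copy errors out when executed; only patch padding bytes in place.
    return data[:info['payload_length']]

# --- constructed sample: a 1000-byte fake payload plus 10000 repeats of the pattern
PATTERN = bytes.fromhex('9921c1faa371389b')
FAKE_PAYLOAD = bytes.fromhex('4d5a9000') + bytes((i * 37 + 11) % 256 for i in range(996))
PADDED_SAMPLE = FAKE_PAYLOAD + PATTERN * 10000
NULL_PADDED_SAMPLE = FAKE_PAYLOAD + bytes(5000)   # older-variant style NULL padding

if __name__ == '__main__':
    for name, blob in [('garbage', PADDED_SAMPLE), ('null', NULL_PADDED_SAMPLE)]:
        info = detect_padding(blob)
        print(name, info['pattern'], info['run_length'], round(info['ratio'], 3))
        digest = hashlib.sha256(strip_padding(blob, info)).hexdigest()
        print('  payload sha256:', digest[:16])
```

Run it over a real sample with open(path, 'rb').read(); a ratio close to 1.0 matches the author's observation for the 100MB+ dropper. Keep the stripped payload for hashing and static work only: the author found that any change to the on-disk size makes the sample error out, while overwriting padding bytes in place does not.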
NOTE: The April 2021 variant appears to have dropped much of the padding; file sizes are now 16-17MB.\r\nAt this point, I feel we have a good sense of the initial vector. We know a lot from the Red Canary and Morphisec write-ups: the malware drops and launches a legitimate program as a red herring (in this case Soda PDF), and it drops 2 .txt files in appdata\\local\\temp which are really PowerShell scripts. The first one decodes the second one, then they delete themselves.\r\nThey can delete themselves because they have already created persistence in the form of a .cmd file (which launches PowerShell); they also drop a larger, heavily encoded file that the .cmd file decodes.\r\nTwo other interesting things happen during all of this. First, the PowerShell process connects to the C2 via the loaded DLL. Even more interesting, it modifies existing desktop LNK files (shortcuts), keeping the original launch string and appending an operator so that the shortcut also launches the .CMD file!\r\nThat's right! My PEStudio still launches... along with the malware!\r\nOK, so for a little bit of fun, I'll quickly go over how you can easily decode this malware and extract the malicious DLL.\r\nFirst, we modify the .CMD file a bit: comment out or remove the [system.reflection.......] line, and remove everything before (and including) the opening bracket {. Save the file as .ps1 for ease.\r\nNext, we add a line \"Write-Output (variable being loaded from System.Reflection) | Out-File \"c:\\.....\" to dump the decoded variable to disk.\r\nAt this point, this is simple encoding. 
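The same decode as an added Python example that is not the author's tooling: it performs the From CharCode step (decimal values, one per line, CRLF or LF) on the text dumped by the Out-File line, then checks that the result carries an MZ header and a PE signature before it goes to a .NET decompiler. The dumped text below is a constructed stand-in built from a fake PE stub, not data from a real sample; the function and file names are this example's own.

```python
# Added example (not the author's tooling): the CyberChef From CharCode step in
# Python, for the newline-delimited decimal byte list that the Solarmarker .cmd
# loader passes to [System.Reflection.Assembly]::Load. The input below is a
# constructed stand-in for the dumped variable, not bytes from a real sample.
import hashlib
import struct

def decode_charcodes(text, base=10):
    # Accepts newline-, comma- or space-separated values (CRLF included).
    tokens = text.replace(',', ' ').split()
    values = [int(tok, base) for tok in tokens]
    bad = [v for v in values if v < 0 or v > 255]
    if bad:
        raise ValueError('value out of byte range: %r' % bad[0])
    return bytes(values)

def describe_pe(blob):
    # Minimal sanity check before handing the output to a .NET decompiler:
    # MZ signature, e_lfanew inside the file, and PE signature at that offset.
    info = {'md5': hashlib.md5(blob).hexdigest(),
            'sha256': hashlib.sha256(blob).hexdigest(),
            'is_pe': False, 'e_lfanew': None}
    if len(blob) >= 0x40 and blob[:2] == b'MZ':
        e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
        info['e_lfanew'] = e_lfanew
        info['is_pe'] = blob[e_lfanew:e_lfanew + 4] == bytes.fromhex('50450000')
    return info

def build_fake_pe():
    # Constructed MZ/PE stub for the demo: e_lfanew = 0x40, PE signature there.
    header = bytearray(0x60)
    header[0:2] = b'MZ'
    struct.pack_into('<I', header, 0x3C, 0x40)
    header[0x40:0x44] = bytes.fromhex('50450000')
    return bytes(header)

FAKE_DLL = build_fake_pe()
# What the dumped variable looks like: one decimal per line, CRLF line endings.
DUMPED_TEXT = (chr(13) + chr(10)).join(str(b) for b in FAKE_DLL)

if __name__ == '__main__':
    blob = decode_charcodes(DUMPED_TEXT)
    print(describe_pe(blob))
    with open('decoded.dll', 'wb') as fh:   # hypothetical output name
        fh.write(blob)
```

Feed it the file written by Out-File; Windows PowerShell 5.1 writes UTF-16LE by default, so read that file with open(path, encoding='utf-16') before passing the text in. The MD5 it reports is the value to compare against the Malicious DLL IOC listed below.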
I've been using CyberChef \"From CharCode\" with Delimiter \"Line Feed\" and \"Base 10\" to quickly get the DLL at this point.\r\nHopefully this helps provide some additional details on this malware. Below are the IOCs for this specific example. Happy Hunting!\r\nIOCs from initial writing:\r\nInitial Executable (MD5): da2eb36e763ecf1a47532e9f8efeacb7\r\nMalicious DLL (MD5): 147666fdb5f64f46a0a0add2cc428ec8\r\nC2: 91.241.19[.]110\r\nObserved Redirect Domains:\r\ndyrepopo[.]gq\r\nfeedsterbomiditsign[.]tk\r\nlistlypdilaho[.]tk\r\ncallnogrenisso[.]tk\r\nselldunlop[.]site\r\nspherdoorgfinversbrookin[.]tk\r\ntioblutrockbarneyprec[.]tk\r\nthiecorbeluno[.]tk\r\nVT Enterprise Hunting Tactics\r\nIcon Hash searching:\r\nPDF page that holds embedded links to series of redirects: main_icon_dhash:94148c3333001100\r\nPDF page that holds embedded links to series of redirects: main_icon_dhash:94228c3333001100\r\nPDF page that holds embedded links to series of redirects: main_icon_dhash:0f0f0307332f3f19\r\nFake Word Document Icon Hash for dropper file: main_icon_dhash:64dcd4d2c4c4d0d4\r\nFake PDF Document Icon Hash for dropper file: main_icon_dhash:b2b29696969ef66a size:100MB+\r\nFake PDF Document Icon Hash for dropper April 2021: main_icon_dhash:b2b29696969ef66a\r\nFake PDF Document Icon Hash for dropper September 2021: main_icon_dhash:64e4d4d4e8f4dcd4\r\nFake PDF Document Icon Hash for dropper May 2023: main_icon_dhash:74e4d4d4ecf4d4d4\r\nMarch 2022 VirusTotal search for Dropper: entity:file tag:signed type:peexe size:250MB+ size:270MB- packer:\".NET executable\"\r\nYARA Rules:\r\nSolarMarker March 2022 Malicious DLL Detection\r\nSolarMarker 2021 DLL Detection\r\nSuspicious_Powershell_Strings\r\nOpenIOC Rules:\r\nSolarmarker.dat File Creation (OpenIOC)\r\nSuspicious_Porcesses_Writing_to_Startup 
(OpenIOC)\r\nSIGMA Rules:\r\nSolarmarker.dat File Creation (SIGMA)\r\nSuspicious_Porcesses_Writing_to_Startup (SIGMA)\r\nUpdates:\r\nPulled one of the initial files that gets deleted after running, along with the PowerShell script that decodes and runs it:\r\nhttps://app.any.run/tasks/fcd6eeb7-91bb-4e1d-b02d-983bae3786ec#\r\nMarch 2022 App.Any.Run sandbox run/\r\nExample Observed Lures from Google searches:\r\nsite:byzcath[.]org \"free template\"\r\nhttp://byzcath[.]org/nfl-playoff-bracket-excel-spreadsheet\r\nsite:www.braveheartmarine[.]com \"free template\"\r\nhttps://www.braveheartmarine[.]com/free-invoice-template-for-handyman\r\nsite:prismic-io.s3.amazonaws[.]com \"free template\"\r\nhttps://prismic-io.s3.amazonaws[.]com/whatsimdb/0fe19bd3-88a8-4ab5-b451-d78f1be51ef2_free-bbq-tickets-template-word.pdf\r\nsite:cdn.shopify[.]com \"free template\"\r\nsite:healingwithclarity.com \"free template\"\r\nhttps://healingwithclarity[.]com/platte-county-warrant-list.pdf\r\nsite:strikinglycdn.com \"free template\"\r\nhttps://uploads.strikinglycdn[.]com/files/18aa0685-0e17-4ea4-b308-1a717e293267/free-template-for-waiver-of-liability.pdf\r\nSource: https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html"
	],
	"report_names": [
		"tracking-jupyter-malware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439093,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e58270267e648600f59d39cf5c19a92ba150d74e.pdf",
		"text": "https://archive.orkl.eu/e58270267e648600f59d39cf5c19a92ba150d74e.txt",
		"img": "https://archive.orkl.eu/e58270267e648600f59d39cf5c19a92ba150d74e.jpg"
	}
}