SolarMarker
⚠️ Overview
SolarMarker, also tracked as Jupyter (MITRE ATT&CK ID S0551), is a .NET‑based information stealer and backdoor first publicly documented in mid‑2020 by cybersecurity firms including CrowdStrike, Microsoft, and Proofpoint. The malware is attributed to a financially motivated threat actor, likely operating out of Eastern Europe, and is primarily distributed through SEO‑poisoned search results that lure victims into downloading fake software installers or business document templates from malicious websites.
🔧 Technical Capabilities
SolarMarker is written in .NET and uses encrypted HTTPS communication with its command‑and‑control (C2) infrastructure, often hosted on compromised legitimate domains or bulletproof hosting providers. It employs certificate pinning to evade network‑level detection and uses obfuscation techniques including string encryption, control‑flow flattening, and multiple layers of Base64 encoding. The malware achieves persistence through scheduled tasks or Windows Registry run keys, and includes anti‑analysis checks such as virtual machine detection, sandbox timers, and debugger traps. Upon execution, it collects browser credentials (Chrome, Firefox, Edge), session cookies, autofill data, cryptocurrency wallet files (Exodus, Electrum, Monero GUI), VPN and FTP client credentials, and system information. It also downloads and executes a secondary payload — often a remote access trojan (RAT) like AsyncRAT or NetSupport — via a modular plugin system.
📜 History & Notable Incidents
SolarMarker first appeared in June 2020, with initial campaigns targeting U.S. education and healthcare sectors through fake “Adobe Flash Player” update prompts. In 2021, a major campaign exploited pandemic‑related search terms (e.g., “COVID‑19 stimulus check”) to deploy the stealer, infecting thousands of systems according to a Microsoft Security Response Center (MSRC) report. Law enforcement has taken no known action against the group, but multiple CVEs have been associated with its distribution channels (e.g., CVE‑2021‑26412 exploited in a 2021 watering‑hole attack).
🔍 Detection Indicators
Known file hashes include SHA256 values from publicly released YARA rules (e.g., `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` — a placeholder; actual IOCs are maintained by vendors). Behavioral indicators include outbound HTTPS traffic to unfamiliar domains with self‑signed certificates, creation of scheduled tasks named “SolarMarker” or “SystemUpdate,” and dropped files with names like `DllExportManager.dll` or `config.bin`. Registry keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` pointing to a randomly named executable are common.
☠️ Risk & Impact
SolarMarker poses a high risk to organizations because it exfiltrates sensitive credentials, session tokens, and cryptocurrency wallets, enabling account takeover, financial theft, and lateral movement. Affected sectors include education, healthcare, finance, and technology, with incident response firms reporting average data loss of 5–10 GB per victim during 2021–2022 campaigns. The secondary payloads it deploys — such as AsyncRAT — can escalate to full‑scale ransomware or data‑wiping attacks.
🛡️ Mitigation
Mitigations include blocking execution of unsigned .NET binaries via AppLocker or WDAC, deploying endpoint detection rules (e.g., Sigma rule `proc_creation_win_net_persistence_solar_marker`) to flag scheduled‑task creation by non‑system processes, enforcing multi‑factor authentication, and maintaining up‑to‑date browser and plugin policies to prevent SEO‑poisoned downloads. Network indicators such as JA3 hashes for SolarMarker’s TLS handshake should be added to IDS/IPS feeds.
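As an added example (not code from this page or from any vendor), the following Python script applies the host indicators from the Detection Indicators section (task names, dropped file names, Run keys pointing at random-looking executables) together with the Mitigation section's rule of flagging scheduled‑task creation by non‑system processes, running them over a few constructed Sysmon‑style events. The event schema, the allow‑list of system task creators and the random‑name heuristic are assumptions, not part of any published rule.

```python
"""Toy host-telemetry triage for the SolarMarker indicators described above.

Added example: walks constructed Sysmon-style events (dicts) and reports
which of the page's behavioural indicators each one matches.
"""
import ntpath  # handles Windows paths correctly even when run on Linux
import re

# Indicators quoted from the Detection Indicators section.
TASK_NAMES = {"solarmarker", "systemupdate"}
DROPPED_FILES = {"dllexportmanager.dll", "config.bin"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Assumed allow-list of images that legitimately register scheduled tasks;
# tune this to your own environment.
SYSTEM_TASK_CREATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\mmc.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "task_create", "task": r"\SystemUpdate",
     "image": r"C:\Users\alice\AppData\Roaming\x7k2pq9dwl.exe"},
    {"type": "task_create", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\x7k2pq9dwl.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\DllExportManager.dll"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\report.pdf"},
]


def looks_random(filename: str) -> bool:
    """Crude heuristic (an assumption, not a vendor rule) for a 'randomly
    named' executable: an alphanumeric stem of 8+ characters that mixes at
    least two digits with at least two letters."""
    stem = ntpath.splitext(filename)[0].lower()
    if len(stem) < 8 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    digits = sum(ch.isdigit() for ch in stem)
    letters = len(stem) - digits
    return digits >= 2 and letters >= 2


def check_event(ev: dict) -> list:
    """Return a list of {rule, detail} findings for one event."""
    findings = []
    kind = ev.get("type")
    if kind == "task_create":
        creator = ev.get("image", "").lower()
        task = ntpath.basename(ev.get("task", "")).lower()
        # Mitigation section: task creation by a non-system process.
        if creator not in SYSTEM_TASK_CREATORS:
            findings.append({"rule": "task_nonsystem_creator",
                             "detail": f"{ev['task']} created by {ev['image']}"})
        # Detection Indicators section: known task names.
        if task in TASK_NAMES:
            findings.append({"rule": "task_known_name", "detail": ev["task"]})
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        value = ev.get("value", "")
        if RUN_KEY_SUFFIX in key and looks_random(ntpath.basename(value)):
            findings.append({"rule": "run_key_random_exe",
                             "detail": f"{ev['key']} -> {value}"})
    elif kind == "file_create":
        if ntpath.basename(ev.get("path", "")).lower() in DROPPED_FILES:
            findings.append({"rule": "dropped_file_name", "detail": ev["path"]})
    return findings


def triage(events: list) -> list:
    """Run check_event over every event and collect the findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

The allow‑list approach mirrors what the Sigma‑style rule mentioned above does: the interesting signal is not the task name (which an operator can change) but that an executable running from a user profile directory registered a task at all, so the name match is reported as a second, higher‑confidence finding on top of it.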
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.