Solarmarker

Malware Profile Updated 5 days ago
SolarMarker, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, is a sophisticated malware designed to steal information. It has been evolving since 2020 and has been active in various campaigns since 2021. The malware relies heavily on web delivery, using search engine optimization (SEO) tricks to fool targets into downloading malicious payloads. Notably, in 2022, SolarMarker was involved in an "SEO poisoning" campaign, demonstrating the increasing sophistication of its operations. The core of SolarMarker's operations lies in its layered infrastructure, which consists of two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific industries or regions. This multi-tiered structure allows the malware to adapt and evolve, making it more challenging to detect and mitigate. The malware also employs advanced evasion techniques such as Authenticode certificates, which lend an air of legitimacy to its malicious payloads, and uses large zip files to bypass antivirus software. In addition to its own campaigns, SolarMarker has been used in conjunction with other malicious toolkits and malware families. For instance, it was dropped as part of the Domen toolkit and sczriptzzbn campaigns, leading to the NetSupport Remote Access Tool (RAT). Furthermore, it was utilized by a HIVE SPIDER affiliate in an attack against a telecommunications sector entity in January 2023. To defend against SolarMarker, it is recommended to enforce application allow-lists to prevent the downloading of seemingly legitimate files containing malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Yellow Cockatoo | 1 | The SolarMarker malware, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, has been a persistent threat since its inception in 2020. It has steadily evolved over the years, posing significant risks to sectors such as education, healthcare, and small to medium-sized enterprises (SMEs)
Jupyter Infostealer | 1 | The Jupyter Infostealer, also known as Yellow Cockatoo, SolarMarker, and Polazert, is a harmful malware that has been steadily evolving since 2020. This malicious software targets Chrome and Firefox browser data, exploiting and damaging systems it infiltrates. It can infect systems through suspiciou
Jupyter | 1 | Jupyter, also known as SolarMarker, Yellow Cockatoo, and Jupyter Infostealer, is a malware that has been steadily evolving since 2020. This malicious software targets sectors such as education, healthcare, and small to medium-sized enterprises (SMEs). It is designed to exploit and damage computer sy
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Infostealer
Antivirus
Associated Malware
ID | Type | Votes | Profile Description
Chromeloader | Unspecified | 1 | ChromeLoader, first identified in early 2022, is a persistent and evolving malware family known for hijacking browsers, stealing sensitive information, and running additional payloads such as other malware families. This malicious software is particularly harmful as it can infiltrate systems without
Hive | Unspecified | 1 | Hive, a notorious malware known for its destructive capabilities, has been used by cybercriminals to exploit and damage computer systems. One such instance involved the infamous Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive data to crack passwords offline. This malicious software w
Netsupport | Unspecified | 1 | NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Socgholish | Unspecified | 1 | SocGholish is a harmful malware known for its deceptive methods of infection, often impersonating legitimate browser updates to distribute Remote Access Trojans. This malicious software infiltrates systems through suspicious downloads, emails, or websites, typically without the user's knowledge. Onc
Netsupport Rat | Unspecified | 1 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
IcedID | Unspecified | 1 | IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Associated Threat Actors
ID | Type | Votes | Profile Description
Gamaredon | Unspecified | 1 | Gamaredon, a threat actor or Advanced Persistent Threat (APT) believed to be of Russian origin, has been actively executing malicious activities primarily against Ukraine since 2013. The group is known for its deployment of home-brewed malware through malicious documents, with the European Union's C
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Solarmarker malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Recorded Future | 5 days ago | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure | Recorded Future
Recorded Future | 2 months ago | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure | Recorded Future
Malwarebytes | 4 months ago | Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR | Malwarebytes
Securityaffairs | 4 months ago | TheMoon bot infected 40,000 devices in January and February
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
Malwarebytes | a year ago | FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT
CrowdStrike | a year ago | DLL Side-Loading: How To Combat Threat Actor Evasion Techniques | CrowdStrike
DARKReading | a year ago | Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats