Monday, May 12, 2025
HomeCyber Security NewsA New Version of SolarMarker Malware Steals Passwords and Credit Card Data

A New Version of SolarMarker Malware Steals Passwords and Credit Card Data

Published on

SIEM as a Service

Follow Us on Google News

SolarMarker’s latest version, which augments its capabilities, has been revealed recently by cybersecurity researchers PaloAlto Networks. While this new version of SolarMarker (aka Jupyter) is designed to enhance its defense capabilities and evasion capabilities to evade detection.

As part of its identity theft and backdoor capabilities, SolarMarker malware operates mainly through search engine optimization (SEO) manipulation, which makes it particularly dangerous.

A considerable amount of effort is placed into defense evasion, which includes a variety of techniques that the malware employs, and here below we have mentioned them:-

- Advertisement - Google News
  • Signed files
  • Huge files
  • Impersonation of legitimate software installations
  • Obfuscated PowerShell scripts

SolarMarker’s Capabilities

Here below we have mentioned all the primary capabilities of SolarMarker malware:-

  • Exfiltration of auto-fill data
  • Saved passwords
  • Saved credit card information from victims’ web browsers
  • File transfer capabilities 
  • File execution capabilities
  • Execute arbitrary commands retrieved from a remote server

Key Changes in the New Version of SolarMarker

Here below we have mentioned all the key changes done in the new version of SolarMarker:-

  • The dropper is switched back to executables instead of MSI, so that executables are used to drop the files.
  • Adds support for larger volumes of dropper files.
  • There is always a valid company-signed signature on the dropper files.
  • This script has been modified to work with PowerShell.
  • Unlike the previous version, when this new version infects the victim’s computer for the first time, the backdoor will automatically be loaded into the dropper process.

Deployment of SolarMarker

SolarMarker began establishing long-term persistence on compromised systems in February 2022 when the operators of the program were observed using stealthy Windows Registry tricks for deploying the program.

In its initial stage, an EXE file larger than 250MB will be used by the operators. It has become a common practice on the Internet to host certain utilities and products on fake websites that are filled with keywords and were optimized in ways to be classified as high-ranking results.

Since the dropper’s initial stage file size is quite large, it is able to avoid automatic analysis by AV tools and engines. However, it has also been designed to be able to download and install legitimate programs from the Internet.

As a result, a PowerShell installer is activated in the background and the SolarMarker malware is effectively deployed.

The SolarMarker backdoor, which consists of a .NET payload, is capable of conducting internal reconnaissance. Afterward, the vacuum extracts data from the system, which is then transmitted to the remote server via an encrypted connection.

A SolarMarker implant, in addition to being a conduit to get information from a victim machine, is also a part of the information-stealing system.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...