{"id":3249,"date":"2021-09-27T16:08:06","date_gmt":"2021-09-27T16:08:06","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3249"},"modified":"2026-06-08T22:57:54","modified_gmt":"2026-06-08T22:57:54","slug":"jupyter-malware-new-variant","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/jupyter-malware-new-variant\/","title":{"rendered":"New variant of the Jupyter malware"},"content":{"rendered":"\n

Jupyter<\/strong> is an infostealer<\/em> of probable Russian origin designed to steal victims’ personal and sensitive information. Its primary function is to extract stored information<\/strong> within browsers such as Chromium<\/strong>, Firefox<\/strong>, and Chrome<\/strong>; it also includes backdoor functionality, which allows threat actors to execute PowerShell code and install additional malware on compromised machines. It is known as a multi-stage packed<\/em> malware, heavily obfuscated, which through PowerShell code leads to the execution of a .NET backdoor<\/strong>.<\/p>\n\n\n\n

A new variant of this infostealer<\/em> has recently been identified (link<\/a>). The compromise chain begins through an MSI file exceeding 100 MB<\/strong> in size. This size allows it to evade detection by online antivirus engines. The file appears to have been created using a trial<\/em> version of Advanced Installer software, which enables the creation of all-in-one application packages.<\/p>\n\n\n\n

General information:<\/p>\n\n\n\n

\"\"
Fig. 1 – Sample Information<\/figcaption><\/figure><\/div>\n\n\n\n

Execution of the MSI payload triggers PowerShell code embedded within a legitimate Nitro Pro 13 binary. In the final execution phase of the sample, the Jupyter .NET module is decoded and executed in memory. During execution, contact is established with the C2 server domain at 37.120.237[.]251.

<\/p>\n\n\n\n

Sample relationships:<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"
Communication between the MSI sample and the C2 server<\/figcaption><\/figure><\/div>\n\n\n\n

Two variants have been identified bearing certificates belonging to a Polish company. It is assessed that threat actors obtained the certificate through a cyber attack against that organization. Analysis of such certificate abuse patterns is a critical component of Cyber Threat Intelligence<\/a> operations, enabling defenders to correlate infrastructure reuse and supply-chain compromise indicators.<\/p>\n\n\n\n

\"\"
Certificate revocation<\/figcaption><\/figure><\/div>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Jupyter (SolarMarker) malware new variant: PowerShell-driven loader, infostealer modules, persistence techniques and IOC indicators.<\/p>\n","protected":false},"author":1,"featured_media":3387,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3212,1627,3245,1439,3247,3246],"class_list":["post-3249","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-information-stealer","tag-jupyter-it","tag-jupyter-malware","tag-malware-it","tag-powershell-loader","tag-solarmarker"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3249"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions"}],"predecessor-version":[{"id":9888,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3249\/revisions\/9888"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3387"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}