SolarMarker
SolarMarker is a sophisticated malware family and backdoor, also known as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, that has been active since at least September 2020. The sources summarized here describe it as an SEO-poisoning backdoor with infostealer capability. It has been used in classic search-engine-optimization poisoning campaigns that rely on tiered infrastructure and content farms to attract victims through search results and route them through filtering gates. SolarMarker can steal data from multiple web browsers and cryptocurrency wallets, and it can deploy additional payloads. The sources also note infrastructure associations: servers clustered with malicious activity were linked to BumbleBee, Raccoon Stealer, RecordBreaker, and SolarMarker, and one referenced sample contained a HuggingFace API key. The sources recommend organizational controls against SolarMarker but do not provide specific mitigations or high-confidence IOCs beyond these infrastructure and sample references.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Execution: 1 technique
Persistence: 1 technique
Stealth: 1 technique
Defense Impairment: 1 technique
Credential Access: 1 technique
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
SEO-poisoning backdoor with infostealer capability; one sample was found carrying a HuggingFace API key.
SolarMarker is portrayed as malware associated with SEO poisoning campaigns that use tiered infrastructure and content farms to lure victims and route them through filtering infrastructure.
Malware associated with a subset of the investigated infrastructure, mentioned alongside other malware families found on related servers.
Backdoor referenced as another malware family whose binaries were signed with certificates tied, via infrastructure analysis, to the same broader signing ecosystem.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.