Select Page

Cybersecurity researchers have charted the evolution of Jupyter, a .NET infostealer known for singling out healthcare and education sectors, which make it exceptional at defeating most endpoint security scanning solutions.

The new delivery chain, spotted by Morphisec on September 8, underscores that the malware has not just continued to remain active but also showcases “how threat actors continue to develop their attacks to become more efficient and evasive.” The Israeli company said it’s currently investigating the scale and scope of the attacks.

First documented in November 2020, Jupyter (aka Solarmarker) is likely Russian in origin and primarily targets Chromium, Firefox, and Chrome browser data, with additional capabilities that allow for full backdoor functionality, including features to siphon information and upload the details to a remote server and download and execute further payloads. Forensic evidence gathered by Morphisec shows that multiple versions of Jupyter began emerging starting May 2020.

In August 2021, Cisco Talos attributed the intrusions to a “fairly sophisticated actor largely focused on credential and residual information theft.” Cybersecurity firm CrowdStrike, earlier this February, described the malware as packing a multi-stage, heavily obfuscated PowerShell loader, which leads to the execution of a .NET compiled backdoor.

images from Hacker News