Jupyter: A Cyberspace Invader Stealing SLTT Data

Executive Summary

The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Threat Intelligence Team (CTI) assesses with moderate confidence that Jupyter, a highly evasive and adaptive .NET infostealer, will continue to opportunistically target state, local, tribal, and territorial (SLTT) organizations. Cyber Threat Actors (CTAs) have deployed Jupyter widely, leveraging SEO-poisoning to create watering hole sites, increasingly infecting SLTT entities since September. Recommendations to better secure your organization are at the end of this report.


Figure 1: Jupyter Albert tickets over the last six months


Jupyter (aka SolarMarker) deploys a multi-stage process, leveraging PowerShell and legitimate tools, such as Slim PDF Reader, to drop secondary payloads that fingerprint victim information, including computer name, OS version, architecture, permissions, and user identifier. [1] Jupyter is likely impacting SLTTs as part of a broader opportunistic effort, since the malware is affecting an array of sectors, including finance, healthcare, and education. [2] Following a spike in activity during the fall, SLTT Jupyter infections subsided, with no incidents in December and a small resurgence through this past month.

Substantive Analysis

The MS-ISAC determined that SLTT victims became aware of infections when their endpoint detection and response (EDR) services alerted on unauthorized PowerShell commands attempting to communicate with command and control (C2) infrastructure. The MS-ISAC continues to investigate why the Jupyter operators are harvesting victim information; CTAs commonly leverage infostealers for financial gain and intellectual property theft. Security researchers have observed the Jupyter operators frequently adapting their tactics, techniques, and procedures (TTPs) and their malware, so intrusion details are likely to vary across infections.

Despite the irregularity in Jupyter TTPs, several features are common among publicly reported and MS-ISAC-observed breaches. Prior to infection, the Jupyter operators inject over 2,000 keywords to push malicious Google and WordPress [3] sites up search engine rankings, a technique known as SEO-poisoning, [4] thereby increasing the likelihood that an unsuspecting user will visit the page. Analysis of an SLTT Jupyter incident revealed that the initial infection occurred after an end user attempted to download a malicious file, embedded with an executable, from a form on a compromised website. The malicious documents often carry an unassuming name, such as 'Assignment-Of-Proprietary-Lease-Form-.exe', to lure users into interacting with them. The installer launches the malicious executable, and Nitro Pro 13 then executes an MSI payload of over 100 MB, which bypasses antivirus software because of the file-size limits on what those products scan.

All observed attacks have shared the objective of harvesting and communicating victim information, including from BIOS and browser, to a C2 address. Appendix “Figure 2” depicts Jupyter’s commonly observed four-stage infection chain, starting with the web-hosted malicious executable.

Indicators of Compromise [5]

Jupyter frequently shifts infrastructure, so the below-listed IPs may not be active. Organizations are encouraged to leverage these IOCs for threat hunting.

C2 IPs

File Paths

AppData\Local\Temp\
.\Users\'username'\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup



Targeted File Types

<randomly generated>.lnk
<randomly generated>.cmd
<randomly generated>.ps1

Abused Native Applications

PowerShell
Msiexec
Slim PDF Reader
Nitro Pro 13
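The dropped-file, path, and oversized-MSI indicators described in this report can be turned into a simple hunt over a file inventory export. The following is an added example and not MS-ISAC or vendor tooling; the inventory records, user name and file names are constructed for illustration, and the "random name" heuristic (character entropy over an alphanumeric stem) is this example's own assumption rather than a rule from the report.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed file inventory (path, size in bytes), as an EDR or directory
# listing export might provide. User name and file names are made up.
SAMPLE_INVENTORY = [
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q8Kd3ZpXmV2.lnk", 2048),
    (r"C:\Users\jdoe\AppData\Local\Temp\Hx7Q2mLpTcA9.ps1", 4096),
    (r"C:\Users\jdoe\AppData\Local\Temp\Assignment-Of-Proprietary-Lease-Form-.msi", 120 * 1024 * 1024),
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk", 1200),
    (r"C:\Users\jdoe\Documents\notes.txt", 300),
]

STARTUP_RE = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
SUSPECT_EXT = {".lnk", ".cmd", ".ps1"}      # dropped shortcut/script types listed in the report
LARGE_MSI_BYTES = 100 * 1024 * 1024         # report: MSI payload over 100 MB evades AV scanning

def shannon_entropy(s: str) -> float:
    """Bits per character of s; higher means less structured text."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def looks_random(stem: str) -> bool:
    """Heuristic (this example's assumption) for '<randomly generated>' names:
    alphanumeric, at least 8 characters, mixed case or digits, high entropy."""
    mixed = any(ch.isdigit() for ch in stem) or (stem != stem.lower() and stem != stem.upper())
    return len(stem) >= 8 and stem.isalnum() and mixed and shannon_entropy(stem) >= 3.0

def hunt(inventory):
    """Return (path, reason) pairs for files matching the Jupyter artifacts."""
    findings = []
    for path, size in inventory:
        p = PureWindowsPath(path)
        ext = p.suffix.lower()
        in_startup = bool(STARTUP_RE.search(path))
        in_temp = bool(TEMP_RE.search(path))
        if ext in SUSPECT_EXT and (in_startup or in_temp) and looks_random(p.stem):
            where = "Startup folder" if in_startup else "Local\\Temp"
            findings.append((path, f"random-named {ext} in {where}"))
        elif ext == ".msi" and in_temp and size > LARGE_MSI_BYTES:
            findings.append((path, "oversized MSI (>100 MB) staged in Local\\Temp"))
    return findings

if __name__ == "__main__":
    for path, reason in hunt(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

Feed it a real inventory (for example a recursive listing of user profiles) and review hits alongside the PowerShell and C2 alerts the report describes; the entropy threshold is a starting point to tune against legitimate Startup entries in your environment.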

AlienVault Hashes
MITRE ATT&CK Patterns Observed [6]

Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Defense Evasion

T1027 Obfuscated Files or Information
T1218.007 Signed Binary Proxy Execution: Msiexec

Discovery

T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery

Collection

T1005 Data from Local System

Command and Control

T1071 Application Layer Protocol

Exfiltration

T1041 Exfiltration Over C2 Channel

Analytic Confidence

Analytic confidence in this assessment is moderate. Source reliability is moderate, with several conflicts among sources that the CTI team attributes to Jupyter's evolving tactics and infrastructure, as well as to variation in security researchers' methodologies. The analyst used a Circleboard, a Timeline, and a Key Assumptions Check to perform this analysis.

For questions or comments, please contact us at [email protected].

Recommendations

  • Malicious Domain Blocking and Reporting (MDBR): [7] a service available to SLTTs to help prevent systems from resolving malicious DNS requests. It provides an additional layer of protection by blocking known bad domains and is proven, effective, and easy to deploy.
  • CIS Endpoint Security Services (ESS): [8] a host-driven security solution available to SLTTs that is designed to help mitigate and prevent malicious files from executing on covered systems.
  • Network Intrusion Detection (NID): [9] MS-ISAC's NID, Albert Network Monitoring and Management, provides signature-based security alerts for both traditional and advanced network threats, helping organizations identify malicious Jupyter activity leveraging known TTPs and IOCs.
  • Application Allowlists: [10] recommended under CIS Critical Security Control 2 to help organizations actively manage (inventory, track, and correct) all software on the network so that only authorized software is allowed. Allowlist restrictions can prevent Jupyter from leveraging internal tools to drop additional payloads.

Another key protection is employee education about the potential risks of downloading files from unfamiliar sources. Organizations should restrict the use of administrative tools, like PowerShell, to employees who need access. Restricting access to such tools can help prevent Jupyter's scripts from running successfully.


  1. https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
  2. https://www.menlosecurity.com/blog/holy-seo-poisoning/
  3. Ibid.
  4. https://otx.alienvault.com/pulse/614b28d3e2d3e29b57c77127
  5. https://www.cid.army.mil/assets/docs/2can/SEOPoisoning.pdf
  6. https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html
  7. https://www.cisecurity.org/ms-isac/services/mdbr/
  8. https://www.cisecurity.org/services/endpoint-security-services/
  9. https://www.cisecurity.org/services/albert-network-monitoring/
  10. https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/
  11. https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/


Appendix

Figure 2: Jupyter infection chain (source: CrowdStrike) [11]