SolarMarker uses process injection to run the hVNC and data-staging payload. The actors behind SolarMarker write most of their payloads in .NET, the notable exception being the observed hVNC backdoor, which is written in Delphi. The initial infection spawns numerous PowerShell processes, producing a highly noticeable activity pattern. The threat actor(s) have started crafting their own websites to host the landing pages. eSentire is currently seeing versions JN-2, JN-10 and M-VII being deployed.
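The burst of PowerShell processes noted above is the kind of pattern a detection can key on. The following is an added illustration, not eSentire's tooling or anything from the original write-up; it runs a sliding-window count over constructed process-creation events (parent, child, timestamp) and flags any parent that launches PowerShell repeatedly within a short window.

```python
# Added example (not from the original post): flag a burst of PowerShell
# launches from one parent process, the "highly noticeable activity pattern"
# described above. Event lines are constructed, not real SolarMarker telemetry.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed process-creation events: timestamp, parent image, child image.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00 explorer.exe installer.exe
2024-01-01T10:00:02 installer.exe powershell.exe
2024-01-01T10:00:03 installer.exe powershell.exe
2024-01-01T10:00:04 installer.exe powershell.exe
2024-01-01T10:00:05 installer.exe powershell.exe
2024-01-01T10:00:06 installer.exe powershell.exe
2024-01-01T10:00:07 installer.exe powershell.exe
2024-01-01T10:05:00 explorer.exe powershell.exe
2024-01-01T10:20:00 svchost.exe powershell.exe
"""

def parse_events(text):
    """Parse 'timestamp parent child' lines into (datetime, parent, child)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child = line.split()
        events.append((datetime.fromisoformat(ts), parent.lower(), child.lower()))
    return events

def powershell_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {parent: burst_start} for every parent that spawns at least
    `threshold` powershell.exe children inside any window of length `window`."""
    recent = defaultdict(deque)   # parent -> timestamps of recent PowerShell spawns
    hits = {}
    for ts, parent, child in sorted(events):
        if child != "powershell.exe":
            continue
        q = recent[parent]
        q.append(ts)
        while q and ts - q[0] > window:   # discard spawns that fell out of the window
            q.popleft()
        if len(q) >= threshold and parent not in hits:
            hits[parent] = q[0]           # time the burst began
    return hits

if __name__ == "__main__":
    for parent, started in powershell_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"burst of PowerShell launches from {parent} starting {started}")
```

Tune `threshold` and `window` against a baseline of normal PowerShell use on the host; the single launches from explorer.exe and svchost.exe in the sample are deliberately left below the threshold.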
