
Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)

ID: 9363ba00-52d1-5ce7-a89d-d457058e71be

STIX ID: report--9363ba00-52d1-5ce7-a89d-d457058e71be

Feed Name: Binary Defense Blog

Threat Score: 70/100

Date Published: 2025-08-12

Date Updated: 2026-04-27

...
...

This report analyzes the persistence stage of the Mars-Deimos backdoor (also documented as Solarmarker/Jupyter), deobfuscating a PowerShell script that decodes a second file, XOR-decrypts it, loads a .NET assembly into memory, and uses modified desktop shortcuts for persistence; dynamic analysis revealed creation of a static artifact (solarmarker.dat) useful for detection and remediation. The author documents methods to extract the in-memory binary to disk for static analysis, demonstrates dynamic triage using Sysinternals, and highlights detection gaps and recommended response actions.
