Mars-Deimos: From Jupiter to Mars and Back again (Part Two)

ID: eed12d03-14c0-5050-af24-da2e48d4d933

STIX ID: report--eed12d03-14c0-5050-af24-da2e48d4d933

Feed Name: Binary Defense Blog

Threat Score: 75/100

Date Published: 2025-08-12

Date Updated: 2026-04-27

This report analyzes the Mars-Deimos / Jupyter (Solarmarker) malware family and its large-scale distribution campaign: attackers host thousands of malicious Google Sites that redirect victims to spoofed Microsoft/Google Drive pages to download oversized executable droppers (often InnoSetup or Delphi-built) which execute obfuscated PowerShell to load info-stealers and backdoors in memory. It documents persistence mechanisms (startup LNK files, randomized AppData folders, custom file-extension registry handlers), indicators (sample SHA256 hashes and solarmarker.dat), evasion techniques (large file sizes, obfuscation), and recommended detection measures (EDR monitoring, PowerShell script logging, YARA memory scanning).