Jupyter trojan, the malware that targets businesses and higher education to steal usernames, passwords, and other private information, is active again. Recently, it has been observed targeting a higher education establishment in the U.S.

What happened?

The trojan has been active since May and targets popular web browsers such as Chromium, Firefox, and Chrome browser data.
  • This trojan creates a persistent backdoor in compromised systems. It allows attackers to execute PowerShell scripts and commands, along with the ability to execute and download new malware.
  • The trojan installer is hidden in a zipped file. It uses Microsoft Word icons and file names, pretending to be important documents, travel details, or pay rise.
  • If the installer is executed, it will install genuine tools to hide the real goal of the installation, which is running a malicious installer in temporary folders in the background.
  • After being installed on the system, it steals information such as passwords, usernames, cookies, autocompletes, and browsing history. It then sends the stolen data to a command and control server. 

Additional insights

  • The trojan originates from Russia and is linked to C2 servers located in the same region.
  • In addition, reverse image searching of the planet Jupiter in the info stealers admin panel exposed origins from a Russian-language forum.
  • The motive of the cybercriminals behind this trojan could be stealing highly sensitive data or selling login credentials to other cybercriminals.


The campaign is ongoing, therefore, organizations need to be aware and prepared to face such threats. Experts suggest using a reliable anti-malware solution, encrypting important information, blocking spam emails using email gateways, and providing training to employees to spot malicious emails.

Cyware Publisher