The infamous SolarMarker threat actor group has marked its return with a new twist in its attack tactics. It is now leveraging fake Chrome browser updates as part of watering hole attacks to distribute information-stealing malware of the same name.

Compromised WordPress sites serve malware

  • As per researchers from eSentire, the hackers inject SolarMarker info-stealing malware into websites that are known to attract business professionals. 
  • These websites are built using free content management systems (CMS) which can contain vulnerabilities, making them relatively easy to compromise. 
  • Threat actors use the Google Dorking technique and conduct source code searches to identify such vulnerable websites before injecting the malicious code into them.
  • One such compromised website belonged to a medical equipment manufacturer. When an employee visits the website, they are prompted to download a fake Chrome update that executes the SolarMarker malware.

SolarMarker is testing a new method

Previously, the SolarMarker hackers used SEO poisoning to lure professionals to their malware-laden documents. 
  • However, targeting employees with fake Chrome updates indicates that the attackers are testing a new method of delivering their info-stealing malware.
  • It is likely that the attackers are also leveraging fake Firefox and fake Edge updates as part of their new campaign. 


Employees need to be aware of threats associated with browser updates that automatically appear on their screens. They should not download files from any unknown sites or sources as they can be laced with malware. Installing endpoint detection software and leveraging threat intelligence on such malware campaigns can help organizations detect threats at an early stage before they cause further damage.
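As an added example (not from the article or from eSentire), one way a defender could hunt web-proxy logs for the pattern described above: a browser "update" download served by a host the browser vendor does not own. The log format, vendor domain list, file extensions and sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: vendor-owned download domains; extend for your environment.
VENDOR_SUFFIXES = ("google.com", "gvt1.com", "mozilla.org", "mozilla.net", "microsoft.com")
# Assumption: file types worth flagging; the article does not name one.
RISKY_EXT = (".exe", ".msi", ".zip", ".iso", ".js")
BROWSER_UPDATE = re.compile(r"(chrome|firefox|edge).*(update|setup|install)", re.I)

# Constructed sample proxy log, hypothetical format: "<time> <client> <url> <referer>"
SAMPLE_LOG = """\
2023-01-10T09:14:02Z 10.0.4.17 https://dl.google.com/chrome/install/ChromeSetup.exe -
2023-01-10T09:20:41Z 10.0.4.23 https://medical-supplier.example/wp-content/uploads/ChromeUpdate.exe https://medical-supplier.example/products
2023-01-10T09:31:07Z 10.0.4.23 https://medical-supplier.example/wp-content/themes/style.css https://medical-supplier.example/
2023-01-10T10:02:55Z 10.0.4.31 https://cdn.example.net/dl/Firefox_Update_Installer.msi https://blog.example.org/post
2023-01-10T10:05:12Z 10.0.4.31 https://google.com.lookalike.example/EdgeUpdate.zip -
"""

def is_vendor_host(host):
    """True only for an exact vendor domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def flag_fake_browser_updates(log_text):
    """Return log entries where a browser-update-named file came from a non-vendor host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, url, referer = parts
        u = urlsplit(url)
        filename = u.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(RISKY_EXT):
            continue
        if BROWSER_UPDATE.search(filename) and not is_vendor_host(u.hostname or ""):
            hits.append({"time": ts, "client": client, "host": u.hostname,
                         "file": filename, "referer": referer})
    return hits

if __name__ == "__main__":
    for hit in flag_fake_browser_updates(SAMPLE_LOG):
        print(hit)
```

The suffix check compares whole domain labels, so a look-alike host that merely begins with a vendor name is still flagged.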
Cyware Publisher