Inside the SOC

The Rise of the Lumma Info-Stealer | Malware-as-a-Service

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
Sep 2023
Sep 2023
The emergence of Lumma Stealer, an information stealer that has recently been observed across the Darktrace fleet. Learn more about this new threat!

What are Malware-as-a-Service information stealers?

The Malware-as-a-Service (MaaS) model continues provide would-be threat actors with an inexpensive and relatively straightforward way to carry out sophisticated cyber attacks and achieve their nefarious goals. One common type of MaaS are information stealers that specialize in gathering and exfiltrating sensitive data, such as login credentials and bank details, from affected devices, potentially resulting in significant financial losses for organizations and individuals alike.

What is Lumma Information Stealer?

One such information stealer, dubbed “Lumma”, has been advertised and sold on numerous dark web forums since 2022. Lumma stealer primarily targets cryptocurrency wallets, browser extensions and two-factor authentication (2FA), before ultimately stealing sensitive information from compromised machines. The number of sightings of this malware being distributed on dark web forums is on the rise [1], and thus far, more than a dozen command-and-control (C2) servers have been observed in the wild.

Between January and April 2023, Darktrace observed and investigated multiple instances of Lumma stealer activity across the customer base. Thanks to its anomaly-based approach to threat detection, Darktrace DETECT™ is able to successfully identify and provide visibility over activity associated with such info-stealers, from C2 activity through to the eventual exfiltration of sensitive data.

Lumma Stealer Background

Lumma stealer, previously known as LummaC2, is a subscription-based information stealer that has been observed in the wild since 2022. It is believed to have been developed by the threat actor “Shamel”, under the the alias “Lumma”. The info-stealer has been advertised on dark web forums and also a channel on the Telegram messenger server, which boasts over a thousand subscribers as of May 2023 [2], and is also available on Lumma’s official seller page for as little as USD 250 (Figure 1).

Figure 1: LummaC2’s official seller website [3].

Research on the Russian Market selling stolen credentials has shown that Lumma stealer has been an emerging since early 2023, and joins the list of info stealers that have been on the rise, including Vidar and Racoon [1].

Similar to other info-stealers, Lumma is able to obtain system and installed program data from compromised devices, alongside sensitive information such as cookies, usernames and passwords, credit card numbers, connection history, and cryptocurrency wallet data.

Between January and April 2023, Darktrace has observed Lumma malware activity across multiple customer deployments mostly in the EMEA region, but also in the US. This included data exfiltration to external endpoints related to the Lumma malware. It is likely that this activity resulted from the download of trojanized software files or users falling victim to malicious emails containing Lumma payloads.

Lumma Attack Details and Darktrace Coverage

Typically, Lumma has been distributed disguised as cracked or fake popular software like VLC or ChatGPT. Recently though, threat actors have also delivered the malware through emails containing payloads in the form of attachments or links impersonating well-known companies. For example, in February 2023, a streamer in South Korea was targeted with a spear-phishing email in which the sender impersonated the video game company Bandai Namco [4].

Lumma is known to target Windows operating systems from Windows 7 to 11 and at least 10 different browsers including Google Chrome, Microsoft Edge, and Mozilla Firefox [5]. It has also been observed targeting crypto wallets like Binance and Ethereum, as well as crypto wallet and 2FA browser extensions like Metamask and Authenticator respectively [6]. Data from applications such as AnyDesk or KeePass can also be exfiltrated by the malware [7].

An infection with Lumma can lead to the user's information being abused for fraud, for example, using stolen credentials to hijack bank accounts, which in turn could result in significant financial losses.

Once the targeted data is obtained, it is exfiltrated to a C2 server, as Darktrace has observed on multiple customer environments affected with Lumma stealer. Darktrace DETECT identified multiple infected devices exfiltrating data via HTTP POST requests to known Lumma C2 servers. During these connections, DETECT commonly observed the URI “/c2sock” and the user agent “TeslaBrowser/5.5”.

In one instance, Darktrace detected a device using the “TeslaBrowser/5.5” user agent, which it recognized as a new user agent for this device, whilst making a HTTP post request to an unusual IP address, 82.117.255[.]127 (Figure 3). Darktrace’s Self-Learning AI understood that this represented a deviation from expected behavior for this device and brought it to the attention of the customer’s security team.

Figure 2: Device Event Log on the Darktrace DETECT Threat Visualizer showing activity from a device infected with Lumma stealer and the DETECT models it breached.

Further investigation revealed that accessing the IP address using a web browser and changing the the URI to “/login”, would take a user to a Russian Lumma control panel access page (Figure 4)

Figure 3: One of Lumma stealer’s C2 servers accessed via a web browser in a secured environment.

A deep dive into the packet captures (PCAP) of the HTTP POST requests taken from one device also confirmed that browser data, including Google Chrome history files, system information in the form of a System.txt file, and other program data such as AnyDesk configuration files were being exfiltrated from the customer’s network(Figures 5 and 6).

Figure 4: HTTP objects observed during Lumma Stealer POSTing of data to another one of its  C2 servers.
Figure 5: PCAP of HTTP stream showing the different types of data being exfiltrated.

Additionally, on one particular device, Darktrace observed malicious external connections related to other malware strains, like Laplas Clipper, Raccoon Stealer, Vidar, RedLine info-stealers and trojans, around the same time as the Lumma C2 connections. These info-stealers are commonly marketed as MaaS and can be bought and used for a relatively inexpensive price by even the most inexperienced threat actors. It is also likely that the developers of these info-stealers have been making efforts to integrate their strains into the activities of traffer teams [8], organized cybercrime groups who specialize in credential theft with the use of info-stealers.


Mirroring the general emergence and rise of information stealers across the cyber threat landscape, Lumma stealer continues to represent a significant concern to orgaizations and individuals alike.

Moreover, as yet another example of MaaS, Lumma is readily available for threat actors to launch their attacks, regardless of their level of expertise, meaning the number of incidents is only likely to rise. As such, it is essential for organizations to have security measures in place that are able to recognize unusual behavior that may be indicactive of an info-stealer compromise, while not relying on a static list of indicators of compromise (IoCs).

Darktrace DETECT’s anomaly-based detection enabled it to uncover the presence of Lumma across multiple customer environments across different regions and industries. From the detection of unusual connections to C2 infrastructure to the ultimate exfiltration of customer data, Darktrace provided affected customers full visibility over Lumma infections, allowing them to identify compromised devices and take action to prevent further data loss and reduce the risk of incurring significant financial losses.

Credit to: Emily Megan Lim, Cyber Security Analyst, Signe Zaharka, Senior Cyber Security Analyst


Darktrace DETECT Models

·      Anomalous Connection / New User Agent to IP Without Hostname  

·      Device / New User Agent and New IP

·      Device / New User Agent

·      Anomalous Connection / Posting HTTP to IP Without Hostname

Cyber AI Analyst Incidents

·      Possible HTTP Command and Control

·      Possible HTTP Command and Control to Multiple Endpoints

List of IoCs

IoC - Type - Description + Confidence


IP address

Lumma C2 Infrastructure


IP address

Lumma C2 Infrastructure


IP address

Lumma C2 Infrastructure


IP address

Lumma C2 Infrastructure


IP address

Lumma C2 Infrastructure


IP address

Lumma C2 Infrastructure



Lumma C2 POST Request


User agent

Lumma C2 POST Request


Tactic: Command and Control -

Technique: T1071.001 – Web Protocols










Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Emily Megan Lim
Cyber Analyst
Book a 1-1 meeting with one of our experts
share this article
No items found.
COre coverage
No items found.

More in this series

No items found.


No items found.

How 1.27 Centimeters Opened My Eyes to Continuous Threat and Exposure Management

Default blog imageDefault blog image
Jul 2024


Fifteen years ago, I never realized that one point twenty-seven centimeters was the difference between keeping my family safe and having an intruder break into our home.

Yet that is exactly what happened. We came home one night and did not know intruders were already in our basement; and the only reason we were alerted to their presence was when they attempted to move to the upper levels after we had gone to sleep, and the main floor motion sensors triggered an alarm.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

The culprit of the successful breach? Screws measuring 1.27 centimeters (that’s a half-inch if you’re not on the metric system yet) that held the glass windows of our basement French doors. Despite having door opening sensors and glass breakage sensors, we missed that the glass panel could be forcefully kicked out – and land – onto the carpeted floor.  No door was opened. No glass was broken (we used to have cats that roamed the basement, so motion sensors were not an option when we first moved in). The screws were not long enough to better secure the framing of the window.

Continuous Threat and Exposure Management

What does this have to do with CTEM, or Continuous Threat and Exposure Management? Well, once our situation changed and our cats were no longer with us; we a) did not reassess our detection capabilities and b) still did not realize we had a vulnerability exposure that could lead to a breach.

I fell into the same trap many organizations fall into where point in time assessments can create a false sense of security. Instead, CTEM offers a cyclical approach to assessing risk that involves five stages:  

Scope: To adopt a CTEM approach, organizations should first identify key business programs. There should be an understanding for each program what the impact to the business would be if something were to occur. An organization can, and most likely will, have multiple scopes defined as part of the CTEM process. For example, your customer relationship management (CRM) project may encompass a Saas solution such as SalesForce, tie-ins with selling partners, supply chain vendors, and multiple user groups (sales, finance, etc.).

Discover: Next, identification of systems, applications, and SaaS subscriptions that support the business program should be accounted for and documented. As you build out risk profiles for these assets, I believe it is also important to identify associated users (end-users, administrators, etc.), especially since user error / account takeover is a favored attack vector.

Prioritization: Proper prioritization is essential to a solid CTEM program. I go into more detail about Risk-Based Vulnerability Management (RBVM) later; but for now, prioritization deals with measuring the potential impact based on factors such as: prevalence of an exploit, lack of controls, program / asset criticality, and available mitigations.

Validation: This stage helps identify if an adversary could launch a successful attack. Red team exercises and breach simulation solutions are often utilized to exercise the organization’s ability to halt an attack before damage is done. Validation should go beyond the initial stage of the attack and explore available methods to reach the adversary’s mission objective.

Mobilization: Identified responses to breach attempts should be categorized into automated or manual processes. Automated response solutions such as Security Orchestration, Automation, and Response (SOAR) can be integral in ensuring actions are taken with appropriate authorization, remediation / response times are rapid, and procedures are executed without human error.

A properly managed CTEM program will help ensure survivability and rapid recovery when an attack occurs as well as minimizing the risk of an attack being successful. This also helps organizations move towards a more proactive security posture.

Implementing a Risk-Based Vulnerability Management Program

Now don’t get me wrong. I thought I had done a pretty good job covering the bases when we first moved in. I walked the alarm company “expert” through every room of the house, and we discussed every possible entry point. I ensured that every avenue of access was covered by two types of sensors. I asked questions about how an intruder was most likely to attempt to gain entry and ensured we had addressed the exposure.

I relied on the expertise of someone that while they worked for an alarm company, was not actually trained and experienced in criminal break-ins. At the end of this paper, I will list the recommendations made by a friend of ours that was a Deputy Chief of Police. Hint: It was eye-opening.

Risk-Based Vulnerability Management (RBVM) is an approach that helps organizations not boil the ocean (try to address every possible vulnerability that may exist) and avoid becoming myopically focused that you miss an attack path that is relevant.

Without expending the entire blog on all the details of CTEM and RBVM, let’s touch on the main components.

Vulnerability Scanning

Vulnerability Scanners can help you identify all the vulnerabilities that exist in your organization but are generally a point in time view. Update systems or applications, change configuration settings, deploy new systems or applications and the scan data may be meaningless – not to mention new vulnerabilities are discovered all the time.

CVE, or Common Vulnerabilities and Exposures, is a compilation of all known vulnerabilities. I emphasize known because adversaries love finding zero-days (and for how I describe zero-days, check out my LinkedIn posting: Race to the Bottom).

CVSS, or Common Vulnerability Scoring System, is a method to define the severity of the vulnerability. Scoring can be determined by things like complexity and skill to utilize the vulnerability, privileges required, what type of attack path is needed, and if user interaction is required to trigger the vulnerability.

CVE and CVSS however, do not address context of the vulnerability in an organization’s environment. A small number of vulnerabilities will account for the most risk in an organization. Remember, adversaries don’t care about risk scores…. If it gets them in, they will use it.

EPSS, or Exploit Prediction Scoring System, estimates whether a vulnerability is likely to be utilized by adversaries and provides an indication of the threat level to the organization.

Another nuance is ensuring you understand how the scanner is gathering and reporting vulnerabilities. One of my favorite questions to ask candidates I’ve interviewed is “How can two scanners interrogate the same system, where nothing changed in the system, both scanners executed flawlessly and knew to scan for the specific vulnerability…. yet one reports vulnerable and the other reports not vulnerable?” I had this occur, and the answer was that one scanner interrogated the running service, and based on how it responded could determine if the vulnerable version was running. The other scanner authenticated into the system and checked patch level installed – but the service/system had not been restarted. The configured state was NOT vulnerable, but the running state WAS vulnerable. This happens a lot after Microsoft Super Tuesday patches go out and users login and think “I’ve got work to do; I will reboot later”.

External Attack Surface Management (EASM)

Simply put, you can have a vulnerability, but if there is no path to exploiting the vulnerability, then the risk should be lowered. Even a high severity vulnerability is not a risk if it cannot be exploited, whereas a low-risk vulnerability (like 1.27cm screws) can provide a path to success for the adversary. EASM solutions were built to provide that context: Vulnerability + Exposure. BTW – I would not neglect Internal Attack Surface Management for potential Insider Threat risks.

Breach and Attack Simulation (BAS)

YARN | On my mark, rotate launch keys to "launch." | WarGames | Video gifs  by quotes | 24d1705c | 紗

It’s one thing to list vulnerabilities, another thing to say there are exposed systems with those vulnerabilities that could lead to an attack. But executing an attack simulation that shows you what the potential outcome(s) are if an attack occurred? This is what BAS solutions were built to assist with, and not only show attack paths ripe for exploitation, but also exercise SOC / IR teams in nearly real-world situations. Table-top exercises are good for verifying processes, but live-fire exercises are imperative to ensure your teams respond quickly and precisely when the real deal occurs (don’t make me whip out the beginning of Wargames on you, I’ve already used that movie twice before!).  

Risk-Based Context

I’ve often wondered why it’s 2024, I’ve been doing this for 30+ years, and breaches are still inevitable and security teams still struggle with many of the same issues they faced when I first got into this career.

I believe not addressing an RBVM approach could be one of those reasons. It’s not a priority if you have a vulnerability on a system that is not exposed for exploitation. It’s not a priority if a vulnerability has been mitigated by other compensating controls. Focusing solely on vulnerability scoring without regard to whether the vulnerability poses a real and credible threat to your organization diverts focus away from vulnerabilities that matter (this is the same mantra you will hear me evangelizing around SOCs expending time on alerts that do not matter).

When assessing context, I think of it in the following manner:

How Can Darktrace Help with your CTEM?

The Darktrace ActiveAI Security Platform is designed with CTEM in mind. Using patented AI capabilities at its core, components of the platform work in harmony to provide actionable intelligence to risks facing the organization.

PREVENT/ASM utilizes AI to help understand scope and what makes externally facing assets yours while providing associated risks and trends on the risk types identified. These findings are communicated to DETECT and RESPOND to harden critical paths.

Prevent/End-to-End (E2E) delivers attack path modeling for discovery and prioritization of high-value targets across all assets in your program’s scope, providing continuous visibility into relevant risks the organization faces.  E2E also utilizes AI-generated social engineering generated content for Breach & Attack Emulation scenarios involving Phishing / Spear-Phishing attack vectors.

Darktrace threat detection and autonomous response utilizes unsupervised machine learning at its core to identify anomalous activity, and if malicious events are occurring, enforce Pattern of Life allowing business operations to continue while stopping the breach from progressing.  This provides unprecedented speed of response to emerging threats.

So, ensure you’re addressing vulnerabilities in the proper context, because you never know when 1.27cm will ruin your day.

Appendix A: Deter Burglars from Breaking into Your Home

Another question I have asked candidates centers around what security controls they would implement to keep an advanced adversary away from a highly classified project; and shockingly, very few would mention any physical security controls or use of air-gapped networks. So, as promised, here are some recommendations from our Deputy Chief of Police friend on better securing your home, because we must protect ourselves, our information on our home and work computers, especially for remote staff:

32 in. x 80 in. Rustic Knotty Alder 2-Panel Square Top Left-Hand/Inswing  Grey Stain Wood Prehung Front Door
  1. Solid (no glass) doors that open outward for rear / side entryways – a kicked door will press against the framing providing stability. Hinges should not be exposed to the outside.  

STASUN LED Flood Light Outdoor, 150W 15000lm Outdoor Area Lighting, IP66  Waterproof Exterior Floodlight Commercial Security Light, 3000K Warm White,  3 ...
  1. Motion activated exterior flood lights – illumination is the enemy of thieves.  

Mortise Lock Set Screws (2 Screws Per Pack)
  1. Replace door hardware lockset screws with minimum 4-inch (that’s 10.16 centimeters) screws on all doors including interior ones – this should ensure screws firmly attach to trimmer and king studs in door frame and will add additional valuable seconds for the intruder to break through

home security Memes & GIFs - Imgflip
Dog Food Bowl
  1. Get a dog – a big dog. (I’ve amended this to include putting out fake dog bowls to make it look like you have a big dog!)  

SPT Interior/Exterior Simulated Security Camera
  1. Exterior video cameras – record and alert on activity around the house
LARSON Platinum Secure Glass Full-view Aluminum Storm Door With Quickfit  Handle | Retractable Screen Door Lowes |
  1. Tempered Safety Glass Storm Doors – whack at it for hours with a baseball bat and they still can’t get in
Should You Install Fake Home Security Yard Signs? – Forbes Home
  1. Alarm system warning signs for windows and doors
LG Electronics Recalls Free-Standing 86-Inch Smart Televisions and Stands  Due to Serious Tip-Over and Entrapment Hazards (Recall Alert) |
  1. Pictures of valuables along with serial numbers (this won’t stop a break-in but could help in recovery of stolen items).

  1. Finally, an alarm system combining motion sensors with door/window sensors.
Continue reading
About the author
John Bradshaw
Sr. Director, Technical Marketing


Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).


The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)












Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint


IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.