SolarMarker / SOVA Malware
What it is:
SolarMarker (also associated with SOVA) is a sophisticated information-stealing malware designed to harvest credentials, browser data, and sensitive files. It is built for stealth, persistence, and large-scale data exfiltration, and the stolen data is often used to enable follow-on attacks such as account takeover or ransomware deployment.
Real-world cases & campaigns:
SEO poisoning at scale:
Since at least 2020, SolarMarker operators have used SEO poisoning to push malicious sites to the top of search results, tricking users searching for everyday tools and documents into downloading infected installers.
Fake job platforms (Indeed impersonation):
In 2026, attackers impersonated job sites like Indeed, luring victims into downloading malicious files that installed SolarMarker alongside additional payloads.
Enterprise & education targeting:
Organizations such as school districts have been compromised, with SolarMarker detected exfiltrating data over long periods before discovery.
Fake software & browser updates:
Users have been tricked into downloading trojanized installers or fake Chrome updates, leading to full system compromise.
Persistence in the wild:
Security firms have documented infections that kept long-term access by surviving reboots through startup mechanisms (autostart entries) and by running obfuscated PowerShell in hidden windows, which makes the activity hard to spot from the desktop and easy to miss in casual triage.
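The persistence pattern described above (autostart entries that launch hidden or encoded PowerShell) can be triaged on a Windows host with a short hunting script. The block below is an added example written for this page, not code from the original article or from any vendor report on SolarMarker. It assumes the two most common "startup mechanisms", the per-user and all-users Startup folders and the Run/RunOnce registry keys, and it treats the command-line switches matched by $flagPattern as the indicators of "hidden PowerShell execution"; both of those are assumptions, so it is generic autostart triage, not a SolarMarker-specific signature.

```powershell
# Added hunting example (not from the original page). Enumerates Startup-folder
# shortcuts and Run/RunOnce keys and flags entries that start PowerShell with
# hidden-window, encoded-command, no-profile or bypass switches. The patterns
# below are assumptions about how hidden PowerShell persistence looks; adjust
# them to your environment before treating a hit as malicious.

$hostPattern = '\b(powershell|pwsh)(\.exe)?\b'
$flagPattern = '-w(indowstyle)?\s+h(id|idden)?\b|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b|-noprofile\b|-noni\b|-noninteractive\b|executionpolicy\s+bypass'

function Get-DecodedCommand {
    # -EncodedCommand carries a UTF-16LE script as base64; decode it for review.
    param([string]$CommandLine)
    if ($CommandLine -match '-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '<base64 decode failed>' }
    }
    return $null
}

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    # Require both a PowerShell host and at least one stealth/evasion switch,
    # so ordinary PowerShell-based startup tasks do not fire on their own.
    return ($CommandLine -match $hostPattern) -and ($CommandLine -match $flagPattern)
}

$findings = @()

# 1. Startup folders: resolve each .lnk target and its arguments via WScript.Shell
$shell = New-Object -ComObject WScript.Shell
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{
                Source   = 'StartupFolder'
                Location = $_.FullName
                Command  = $cmd
                Decoded  = Get-DecodedCommand $cmd
            }
        }
    }
}

# 2. Run / RunOnce keys for the current user and the machine
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{
                Source   = 'RunKey'
                Location = "$key\$($p.Name)"
                Command  = $cmd
                Decoded  = Get-DecodedCommand $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No hidden/encoded PowerShell autostart entries found.' }
else { $findings | Format-List }
```

Run it in an elevated PowerShell session so the HKLM keys are readable. A hit is a lead, not a verdict: review the decoded script, the shortcut's creation time, and the file the command ultimately loads. Scheduled tasks, WMI subscriptions and services are other autostart locations this script does not cover, so pair it with a full autoruns-style sweep during an investigation.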