SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates

Published: 23/11/2024   Category: security


The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.



Researchers have discovered that the cyberattack group behind the SolarMarker malware is targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, using fake Chrome browser updates as part of watering-hole attacks.
It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.
SolarMarker is multistage malware that can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.
According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.
The victim was an employee of a tax consulting organization who searched for the manufacturer by name on Google.
"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.
"The fake browser update overlay design is based on which browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."
It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.
The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.
"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."
The advisory also recommended more vigilant endpoint monitoring, which TRU notes will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.
The .NET malware, first discovered in 2020, is typically spread via a PowerShell installer and combines information-gathering capabilities with a backdoor.
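The tailored fake-update overlay described above gives defenders something concrete to hunt for in web-proxy logs: a browser installer named after the visitor's own browser, fetched from a third-party site (here a WordPress site) rather than from the vendor, right after the user landed on that site. The Python below is an added example, not code from the article or from eSentire's TRU. The log layout, the `medequip.example` hostname, the sample log lines, and the small vendor allowlist are all assumptions constructed for the example; a real deployment would map the fields to its own proxy format and extend the allowlist to the update hosts it actually sees.

```python
"""Flag fake browser-update downloads in web-proxy logs.

Added example (not the article's or eSentire's code). Heuristics follow the
article: an executable named like a Chrome/Firefox/Edge update, served by a
non-vendor site, to a visitor whose user agent matches the browser in the lure.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed log layout: timestamp client method url referrer "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Assumption: hosts a real browser installer may legitimately be fetched from.
VENDOR_HOSTS = {"dl.google.com", "download.mozilla.org"}

INSTALLER_EXT = re.compile(r"\.(exe|msi)$", re.IGNORECASE)
LURE_NAME = re.compile(r"(chrome|firefox|edge).*(update|setup|install)", re.IGNORECASE)

# Constructed sample lines; hostnames and addresses are placeholders.
SAMPLE_LOGS = [
    '2024-11-22T10:01:02Z 10.0.0.15 GET https://www.google.com/search?q=example-medical-equipment - "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"',
    '2024-11-22T10:01:09Z 10.0.0.15 GET https://medequip.example/index.php https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"',
    '2024-11-22T10:01:20Z 10.0.0.15 GET https://medequip.example/wp-content/uploads/ChromeUpdate.exe https://medequip.example/index.php "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"',
    '2024-11-22T10:05:00Z 10.0.0.22 GET https://dl.google.com/chrome/install/ChromeSetup.exe - "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"',
    '2024-11-22T10:07:30Z 10.0.0.31 GET https://medequip.example/wp-content/uploads/FirefoxUpdate.exe https://medequip.example/ "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"',
]


@dataclass
class Finding:
    client: str
    url: str
    reasons: list = field(default_factory=list)


def browser_family(user_agent: str) -> str:
    """Coarse browser family from the UA; Edge is checked first because its UA also says Chrome."""
    ua = user_agent.lower()
    if "edg/" in ua or "edge/" in ua:
        return "edge"
    if "chrome/" in ua:
        return "chrome"
    if "firefox/" in ua:
        return "firefox"
    return "unknown"


def parse_line(line: str):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, referrer, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "referrer": referrer, "ua": ua}


def analyze(lines):
    """Return a Finding for every installer download that looks like a fake browser-update lure."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        filename = parsed.path.rsplit("/", 1)[-1]
        if not INSTALLER_EXT.search(filename):
            continue  # only installer-type downloads are of interest
        lure = LURE_NAME.search(filename)
        if not lure:
            continue
        host = parsed.hostname or ""
        if host in VENDOR_HOSTS:
            continue  # installer fetched from the vendor itself: expected behaviour
        f = Finding(rec["client"], rec["url"])
        f.reasons.append(f"browser-update-named installer '{filename}' served by non-vendor host {host}")
        if browser_family(rec["ua"]) == lure.group(1).lower():
            f.reasons.append("lure names the visitor's own browser (tailored overlay)")
        ref_host = urlparse(rec["referrer"]).hostname
        if ref_host and ref_host == host:
            f.reasons.append("download started from a page on the same site (watering hole, no redirect to the vendor)")
        if "/wp-content/" in parsed.path:
            f.reasons.append("executable served from a WordPress content directory")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding.client, finding.url)
        for reason in finding.reasons:
            print("  -", reason)
```

Run against the constructed sample, the script flags the two downloads from `medequip.example` with four reasons each and ignores the installer fetched from `dl.google.com`. The reason list is deliberately additive: a single signal (an `.exe` named like an update) is noisy on its own, while the combination of non-vendor host, same-site referrer and a browser match with the user agent is what distinguishes the overlay lure the advisory describes from a user deliberately downloading a browser.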
In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.
A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.
