Threat Actor Profile

Solar Spider

Solar Spider is a financially motivated eCrime actor that loves to go phishing. Known for its targeted campaigns against banks and financial services, this group uses sophisticated social engineering and custom malware to get what it wants. Their signature tool is the JSOutProx remote access trojan (RAT), a nasty piece of JavaScript-based malware.

Country of Origin

It's a bit murky. While most security researchers classify Solar Spider as a criminal enterprise focused on financial gain, some of its tooling and campaigns have fingerprints that point toward a China nexus. However, there isn't a consensus that this group is operating under nation-state direction. So, for now, the exact origin remains unconfirmed.

Members

The exact size and structure of Solar Spider are unknown. Public reporting doesn't agree on whether it's a single, organized group or a looser collection of actors all using the same JSOutProx toolkit. This ambiguity makes it tough to pin down just how many people are involved in their operations.

Leadership

Who's calling the shots? We don't know. No specific leaders or aliases have been publicly identified. Given the group's operational security and focus on financial crime, the leadership structure is likely kept under tight wraps to avoid drawing the wrong kind of attention from law enforcement.

Solar Spider TTPs

This group has a clear and effective playbook. They mix social engineering with custom tooling to bypass defenses and access sensitive financial systems.

Tactics

The primary goal is simple: money. Solar Spider's tactics are all geared toward financial fraud. This involves gaining initial access to a target's network, establishing persistent remote control, and then using that access to manipulate financial transactions or exfiltrate valuable data that can be monetized.

Techniques

How do they pull it off? Solar Spider relies heavily on fooling people. Their main techniques include:

  • Spearphishing: Crafting believable emails that trick employees into giving up credentials or running malicious code.

  • User Execution: Convincing a user to click on a malicious attachment or link, which kicks off the infection process.

  • Command and Control (C2): Using their JSOutProx RAT to maintain a connection with compromised machines, allowing them to send commands and pull data.

Procedures

Here's a look at their go-to moves:

  • Phishing Lures: They love faking payment notifications. Emails are often disguised as SWIFT messages or MoneyGram transfers to create a sense of urgency and legitimacy.

  • Malware Delivery: Payloads are often delivered as JavaScript files or ZIP archives. They've also been caught abusing developer platforms like GitLab to host their malicious code, making it look like a legitimate download.

  • Malware Execution: The attack chain typically involves a malicious JavaScript loader that executes .NET components, eventually deploying the full JSOutProx RAT. This modular RAT can load various plugins to steal data, execute commands, and maintain persistence.
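The delivery pattern above (a JavaScript file sent loose or inside a ZIP) is something a mail gateway can triage before a sandbox ever sees it. The script below is an added example written for this profile, not Huntress code or anything from the actor's toolkit: it flags script-type attachments, ZIPs that contain them, and the "document.pdf.js" double-extension trick. The extension lists and the sample attachments (built in memory, inert placeholders) are assumptions for the demo.

```python
"""Mail-gateway attachment triage for JavaScript lures, loose or in a ZIP.

Added example, not Huntress code. Sample attachments are constructed
in-memory so the script runs offline; the extension sets are assumptions
you would tune for your environment."""
import io
import zipfile
from dataclasses import dataclass

# Windows Script Host and related file types that execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


@dataclass
class Finding:
    location: str   # attachment name, or "archive:member" for archive contents
    reason: str


def _extensions(name: str) -> list[str]:
    """All extensions of a file name, lowercased: 'a.pdf.js' -> ['.pdf', '.js']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def _check_name(name: str, location: str) -> list[Finding]:
    exts = _extensions(name)
    findings: list[Finding] = []
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        findings.append(Finding(location, f"script extension {exts[-1]}"))
        if len(exts) >= 2:
            # e.g. 'SWIFT_copy.pdf.js': looks like a document, runs as a script
            findings.append(Finding(location, f"double extension {''.join(exts)}"))
    return findings


def triage_attachment(name: str, data: bytes) -> list[Finding]:
    """Return every reason this attachment should be held for sandboxing."""
    findings = _check_name(name, name)
    exts = _extensions(name)
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += _check_name(member, f"{name}:{member}")
        except zipfile.BadZipFile:
            # Mislabelled or corrupt archive: hold it rather than pass it through.
            findings.append(Finding(name, "archive extension but not a valid ZIP"))
    return findings


def should_quarantine(name: str, data: bytes) -> bool:
    return bool(triage_attachment(name, data))


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP with a document-looking .js next to a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_MT103_copy.pdf.js", "// constructed, inert placeholder\n")
        zf.writestr("readme.txt", "decoy\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("statement.pdf", b"%PDF-1.4 constructed"),
        ("payment_notice.js", b"// constructed"),
        ("SWIFT_MT103.zip", build_sample_zip()),
        ("broken.zip", b"not really a zip"),
    ]
    for name, data in samples:
        for f in triage_attachment(name, data):
            print(f"{name}: HOLD ({f.location}: {f.reason})")
```

Archive members are checked with the same rule as top-level names, so nesting a script one level down does not evade the check; a non-parsable "ZIP" is held too, since a corrupt-looking archive is exactly what a gateway should not wave through.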


Notable Cyberattacks

Solar Spider has been busy. Throughout 2024 and into 2025, security researchers have documented a steady stream of campaigns. A notable wave of attacks in early to mid-2024 saw a new and improved version of the JSOutProx RAT targeting banks in Saudi Arabia and other regions. These ongoing attacks show the group is actively refining its tools and expanding its reach.

Law Enforcement & Arrests

As of now, there have been no publicly announced arrests or law enforcement operations specifically targeting members of Solar Spider. Financially-motivated groups like this often operate across multiple jurisdictions, making attribution and prosecution a serious challenge.

How to Defend Against Solar Spider

1. Beef Up Email Security: Use advanced phishing filters, and sandbox attachments and URLs. A little prevention here goes a long way.

2. Deploy Strong Endpoint Protection: You need an EDR solution that can spot the weird stuff, like JavaScript spawning .NET processes. Hunt for JSOutProx-related behaviors and artifacts.

3. Harden Your Tools: Monitor and restrict the use of public code repositories like GitLab for internal work. Alert on any suspicious activity from unknown accounts.

4. Lock Down Privileged Accounts: Enforce multi-factor authentication (MFA) everywhere you can. Apply the principle of least privilege, especially around accounts that can access payment and financial systems.
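The "JavaScript spawning .NET processes" hunt in step 2 is concrete enough to sketch as a correlation rule. The example below is added for this profile and is not Huntress detection content: it walks Sysmon-style telemetry, remembers every process whose parent is a Windows script host (the process that runs a .js lure), and raises the severity when one of those children loads the .NET runtime. The field names follow Sysmon's EventID 1 (process create) and EventID 7 (image load); the log lines, GUIDs and paths are constructed.

```python
"""Correlate script-host process creation with .NET runtime loads.

Added example, not Huntress detection content. Uses Sysmon-style field
names; the telemetry below is constructed and the GUIDs are placeholders."""
import json
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Loading one of these means the process is now executing managed (.NET) code.
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll"}


@dataclass
class Alert:
    severity: str
    process_guid: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    """Stage 1: any child of a script host is worth a medium alert.
    Stage 2: if that child loads the CLR, escalate to high."""
    spawned_by_script_host: dict[str, dict] = {}
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 1 and _basename(ev["ParentImage"]) in SCRIPT_HOSTS:
            spawned_by_script_host[ev["ProcessGuid"]] = ev
            alerts.append(Alert("medium", ev["ProcessGuid"],
                                f"{_basename(ev['ParentImage'])} spawned {ev['Image']}"))
        elif (ev["EventID"] == 7
              and ev["ProcessGuid"] in spawned_by_script_host
              and _basename(ev["ImageLoaded"]) in CLR_MODULES):
            child = spawned_by_script_host[ev["ProcessGuid"]]
            alerts.append(Alert("high", ev["ProcessGuid"],
                                f"script-host child {child['Image']} loaded "
                                f"{_basename(ev['ImageLoaded'])}"))
    return alerts


def parse_log(text: str) -> list[dict]:
    """One JSON object per line, as an EDR or SIEM export would provide."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample telemetry. Line 2/3 is the pattern from step 2; the
# notepad lines show that a CLR load alone, without the script-host parent,
# is not enough to fire.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{PLACEHOLDER-GUID-1}", "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe SWIFT_copy.pdf.js"}
{"EventID": 1, "ProcessGuid": "{PLACEHOLDER-GUID-2}", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "update.exe"}
{"EventID": 7, "ProcessGuid": "{PLACEHOLDER-GUID-2}", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"EventID": 1, "ProcessGuid": "{PLACEHOLDER-GUID-3}", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 7, "ProcessGuid": "{PLACEHOLDER-GUID-3}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
"""


def run_sample() -> list[Alert]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.severity}] {alert.process_guid}: {alert.detail}")
```

The two-stage shape is the point: a script host launching a child is common enough in some environments to be only a medium signal, while a script-host child that then pulls in the .NET runtime matches the loader-to-.NET chain described under Procedures and deserves an analyst's attention on its own.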

The Huntress Security Platform is built to stop threats like Solar Spider. Our Managed EDR, powered by a 24/7 Security Operation Center, detects the sneaky process anomalies and malicious scripts these actors rely on. We don't just send alerts; we investigate and provide the context you need to kick them out for good.
