SolarisLoader Malware Analysis: Attack Chain & IOCs

PhishFort Team
PhishFort Team
6 min read
SolarisLoader Malware Analysis: Attack Chain & IOCs

The SolarisLoader malware loader has an aggressive approach to antivirus: instead of trying to evade it, it tries to kill it. Rather than obfuscating its code to slip past detection, SolarisLoader exploits a vulnerable Safetica endpoint protection driver (CVE-2026-0828) to gain kernel-level access, then forces Windows Defender and third-party antivirus processes to terminate outright. From there, it patches AMSI and ETW to blind Windows’ own telemetry, blocks over 55 security domains in the system’s hosts file, and installs a three-layer persistence mechanism before checking in with its command-and-control server.

SolarisLoader Malware

But SolarisLoader does not steal data itself. It’s a delivery vehicle for second-stage payloads: StealC, REMCOS RAT, and Amadey have all been observed as follow-on infections. The primary distribution vector is fake software installers, typically bundled with cracked versions of paid software and games.

This breakdown draws on original research from the Spamhaus Cyber Threat Intelligence Unit, shared with PhishFort through our ongoing intelligence-sharing partnership. PhishFort and Spamhaus collaborate directly on threat research because no single vendor sees the full picture. Combining visibility into malicious infrastructure with deep malware analysis produces faster, more actionable defender guidance than either team working in isolation.

Why Fake Installers Remain an Effective Delivery Vector

Users searching for pirated software have already decided to bypass a legitimate source, which lowers their guard against the installer itself. SolarisLoader operators exploit that mindset directly: the malware installs silently in the background, then the actual pirated software installs on top of it, so the user sees the outcome they were expecting and has no reason to suspect anything went wrong.

This is a distribution pattern PhishFort’s takedown teams see constantly outside the malware-loader context too: fake download sites and cracked software portals are a recurring vector in brand impersonation cases, because they let threat actors piggyback on legitimate software brands to reach victims who are actively looking to download something.

The Attack Chain

SolarisLoader Malware the attack chain

1. Defense Evasion: Killing Security Processes at the Kernel Level

SolarisLoader first bypasses Windows User Account Control (UAC) to escalate to administrative privileges. It then loads a legitimate but vulnerable Safetica endpoint protection driver and exploits CVE-2026-0828 to gain kernel-level access, a bring-your-own-vulnerable-driver (BYOVD) technique that gives the malware the same system privileges as the security software it’s attacking.

With kernel access secured, SolarisLoader force-kills Windows Defender directly and explicitly targets third-party antivirus products, including Avast, AVG, 360 Total Security, and ReasonLabs (RAV), clearing the way for malicious second-stage payloads.

2. Blinding Telemetry: Patching AMSI and ETW

Killing the antivirus process isn’t sufficient on its own, since Windows’ built-in security monitoring can still flag suspicious behavior independently. SolarisLoader addresses this by patching the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) in memory, which prevents the operating system from logging or reporting the malicious activity as it happens.

Killing antivirus removes the response layer, and patching AMSI/ETW removes the detection layer underneath it. A system can be fully compromised while its own security stack reports nothing unusual.

3. Network Isolation: Hosts File Tampering

To prevent the infected machine from receiving updates or reporting telemetry, SolarisLoader modifies the Windows hosts file, appending a hardcoded list of more than 55 domains and routing them to 0.0.0.0. The blocklist targets Microsoft update servers, Defender telemetry endpoints, and certificate validation services, cutting the machine’s security infrastructure off from any external source that might flag or remediate the infection.

4. Persistence: A Three-Layer Foothold

SolarisLoader is built to survive standard cleanup attempts through three independent mechanisms:

  • Scheduled tasks disguised as “Windows Security Checks” or “Windows Update Assistant,” depending on whether the malware achieved admin privileges.
  • Registry backups: an encrypted copy of the malware hidden in the registry under the ICtrlData value.
  • A watchdog process that continuously monitors the registry foothold and automatically restores it if a user or security tool deletes it.

Removing one layer isn’t enough. Effective remediation requires addressing the scheduled task, the registry backup, and the watchdog process in the same cleanup pass, or the infection reappears.

Once persistence is secured, SolarisLoader connects to its command-and-control server and waits for instructions to download and execute follow-on payloads.

Indicators of Compromise

CategoryIndicator
File path%TEMP%\EmbeddedDriverService.sys (abused Safetica driver)
File path%APPDATA%\Microsoft\Windows\Services\winhost.exe (malware masquerading as a Windows service)
RegistryHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced: check ICtrlData and ICtrlPath for unexpected binary data
Scheduled task“Windows Security Checks” (admin path) or “Windows Update Assistant” (standard-user path)
Hosts file%WINDIR%\System32\drivers\etc\hosts: unauthorized redirects of domains like winatp-gw-usmt.microsoft.com and crl.microsoft.com to 0.0.0.0
Defender exclusionsSOFTWARE\Microsoft\Windows Defender\Exclusions\Paths: unauthorized entries for %TEMP%, %APPDATA%, %LOCALAPPDATA%
PDB path (memory/binary)C:\Users\vboxuser\Desktop\BypassUAC-master\WinDefenderKiller-main\CombinedWindowsDefKiller\x64\Release\CombinedWindowsDefKiller.pdb

What Defenders Should Do Now

Check the hosts file and Defender exclusion list first. Both are fast to inspect and, unlike process monitoring, don’t depend on AV or EDR still being alive to catch. If either shows the patterns above, treat the endpoint as compromised even if the antivirus reports a clean scan, since a clean scan from a killed or blinded AV process is not a trustworthy signal on this threat.

Block driver loading from unsigned or unexpected paths where policy allows it. The entire attack chain depends on successfully loading the vulnerable Safetica driver. Organizations running Safetica should confirm they’re on a patched version and monitor for CVE-2026-0828 exploitation attempts specifically.

Because the primary vector is fake software installers, the most effective control is upstream of the endpoint: restricting execution of unsigned installers from non-corporate sources and blocking known cracked software and piracy domains at the network layer.

Spamhaus researchers have tracked 10 distinct SolarisLoader versions to date, indicating active, ongoing development rather than a one-off tool. Expect IOCs, particularly file paths and hosts file entries, to shift across future versions; the driver-exploitation and three-layer persistence techniques are the more durable signal to hunt for.

What is SolarisLoader? SolarisLoader is a malware loader. Its purpose is to gain a foothold on a system and disable its security tools, then download and execute secondary malware like StealC, REMCOS RAT, or Amadey. It doesn’t steal data itself, but clears the way for payloads that do.

How does SolarisLoader disable antivirus software? It bypasses Windows UAC to gain admin rights, then exploits a vulnerable Safetica driver (CVE-2026-0828) to reach kernel-level access. From there it force-kills Windows Defender and targets Avast, AVG, 360 Total Security, and ReasonLabs directly.

How is SolarisLoader distributed? Primarily through fake software installers bundled with pirated/cracked software and games. The malware installs silently, then the pirated software installs on top of it to avoid raising suspicion.

How can I tell if a system is infected with SolarisLoader? Check the Windows hosts file for unauthorized redirects of Microsoft security and telemetry domains to 0.0.0.0, review Defender exclusion paths for unauthorized additions, and look for scheduled tasks named “Windows Security Checks” or “Windows Update Assistant.” Full IOCs are listed above.

Is a clean antivirus scan reliable if SolarisLoader is present? No. SolarisLoader patches AMSI and ETW specifically to prevent Windows from logging or reporting malicious activity, and it may have already terminated the antivirus process itself. A clean scan result on a system showing other IOCs should not be trusted on its own.


PhishFort helps security teams identify and act on impersonation and malicious infrastructure before it reaches employees or customers, including the fake-installer and cracked-software domains threats like SolarisLoader rely on for distribution. See how PhishFort’s AI-native phishing detection identifies malicious distribution infrastructure →


Related reading: For more on the malware ecosystem SolarisLoader feeds into, see our breakdown of: