Jupyter Trojan steals passwords from Chrome and Firefox — what to do
Malware lives mainly in memory to sneak past antivirus programs
A stealthy new Windows Trojan steals saved passwords, session cookies, hardware and software information and other valuable items from the Google Chrome and Mozilla Firefox browsers and from Windows itself.
The malware — dubbed Jupyter by its finders at Israeli security firm Morphisec — has been active since at least May 2020, but it escaped detection by most antivirus software until last week.
That's partly because, unlike most malware, Jupyter runs mostly in memory and leaves very little trace on a system's hard drive. Unfortunately, rebooting the machine doesn't get rid of the malware, because it adds its setup routine to the Startup folder so that it reinstalls itself when the machine boots.
Unlike many information stealers, Jupyter also has the ability to download and run additional software and creates a backdoor by which its operators — thought to be Russian cybercriminals — can remotely seize control of a Windows machine. (The name comes from an image of the planet, with the file name misspelled, used as the background of the malware's administrative panel.)
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020," state a Morphisec blog post and the full Morphisec report. "While many of the C2s [malware command-and-control servers] are no longer active, they consistently mapped to Russia when we were able to identify them."
This story was first reported by Danny Palmer at ZDNet.
How Jupyter infects your machine
Jupyter arrives in the form of an email attachment purporting to be a Microsoft Word or Excel document regarding routine workplace or academic matters. Morphisec discovered the malware while "assisting a higher-education customer [likely a college or university] in the U.S. with their incident response."
But the attachment is really a program of its own that launches a Windows PowerShell script, which triggers a complex series of events that ends up installing at least two different information-stealing functions in system memory.
One function collects information about the infected machine; the other steals passwords, login session cookies, autocomplete items and digital certificates from Chrome or Firefox.
Session cookies are what keep you logged into an online service, such as Facebook or Twitter, semi-permanently until you actively log out. Many such cookies are valid for months or even years, and would give anyone who stole them access to your account if you were still logged in using the same cookie.
The crooks would have to make it seem like they were accessing the service from your machine, but they could do so by using the machine profile the first information-stealing function already grabbed.
How to avoid Jupyter infection
As of this writing, most of the best antivirus programs detect at least one of the dozen or so Jupyter components unearthed by Morphisec.
You can also give Jupyter little to steal if you don't let your browser save your passwords — use one of the best password managers instead — and if you log out of online accounts when you've finished using them for the day. And, of course, you should scan email attachments with your antivirus program before opening them.
But since many of the malware's core functions depend on using administrative-level Windows tools, another way to avoid infection would be to conduct most of your daily Windows work in a limited-user account that doesn't have administration rights.
If you're logged in as a limited user and a window pops up requesting an administrative account's password when you're just opening a Word document or an Excel file, then you'll know something is fishy. Deny the request for the admin password and start a full-system malware scan immediately.
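Because the article notes that Jupyter survives reboots by planting its setup routine in the Startup folder and that the infection chain runs through PowerShell, one check a defender can run is to list both Startup folders, resolve any shortcuts, and flag entries that launch a script host. This is an added example, not code from the article or from Morphisec; the list of script hosts and the argument patterns it flags are assumptions for illustration.

```powershell
# Added example: enumerate per-user and all-users Startup folders and
# flag items that launch a scripting host or a script file. The host
# list and regex below are assumed heuristics, not indicators from the
# article or the Morphisec report.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe',
               'cscript.exe', 'mshta.exe', 'cmd.exe'
$scriptExts  = '.ps1', '.vbs', '.js', '.bat', '.cmd', '.hta'
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File -Force) {
        $target  = $item.FullName
        $lnkArgs = ''
        if ($item.Extension -ieq '.lnk') {
            # Resolve the shortcut so we see what it really runs
            $lnk     = $shell.CreateShortcut($item.FullName)
            $target  = $lnk.TargetPath
            $lnkArgs = $lnk.Arguments
        }
        $leaf = [IO.Path]::GetFileName($target)
        $suspicious = ($scriptHosts -contains $leaf) -or
                      ($scriptExts -contains $item.Extension) -or
                      ($lnkArgs -match '-(e|ec|enc|encodedcommand)\s|hidden|bypass')
        [pscustomobject]@{
            Folder     = $dir
            Item       = $item.Name
            Target     = $target
            Arguments  = $lnkArgs
            Modified   = $item.LastWriteTime
            Suspicious = $suspicious
        }
    }
}
# Flagged entries first; an unexpected script host here warrants a full scan
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt; anything flagged that you did not install yourself is a reason to start the full-system scan the article recommends.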

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
