SolarisLoader is a modular malware loader first documented in mid-2024 that serves as a delivery mechanism for secondary payloads on Windows systems. Unlike older loaders that relied on brute-force obfuscation, this threat employs sophisticated evasion techniques to bypass endpoint detection systems and establish persistence before downloading additional malicious components. Security researchers have tracked multiple distribution campaigns targeting both home users and small business networks, with infections often leading to information stealers, banking trojans, or ransomware deployment within hours of the initial compromise.

SolarisLoader — cybersecurity illustration
Photo by Lucas Andrade on Pexels

The malware's name references its modular architecture—multiple interchangeable components working together like a coordinated system. What makes SolarisLoader particularly concerning for everyday computer users is its ability to remain dormant for extended periods, quietly gathering system information and communicating with command-and-control servers while appearing as legitimate Windows processes in Task Manager.

Think you're infected right now? Disconnect from the internet immediately (unplug the ethernet cable or disable WiFi). Do not attempt to log into banking, email, or other sensitive accounts from the infected machine. Call Computer Repair Roswell at (770) 954-1957 for same-day malware removal. Our technicians can isolate the threat before secondary payloads execute or credentials get harvested.

Threat Profile

Attribute Details
Threat Name SolarisLoader
Classification Loader / Dropper
Target Platform Windows (all supported versions)
File Type Windows PE Executable (.exe)
First Documented Mid-2024
Distribution Method Malspam attachments, fake software installers, exploit kits
Primary Objective Establish persistence, download secondary malware
Severity Rating High (gateway to ransomware/stealers)
Detection Names Trojan.Loader.SolarisLoader, W32/Loader.Gen, Mal/Generic-S
Typical File Size 200 KB – 800 KB (varies by campaign)
Network Communication HTTPS to C2 servers, often mimicking legitimate traffic
Persistence Mechanism Registry Run keys, scheduled tasks, COM hijacking

How It Spreads

SolarisLoader reaches victims through carefully orchestrated social engineering campaigns that exploit human psychology rather than software vulnerabilities. The most common infection vector involves email attachments disguised as invoices, shipping notifications, or financial documents from seemingly legitimate businesses. These emails often use stolen corporate branding and convincing language that creates urgency—"Your payment is overdue," "Package delivery failed," or "Account security alert." The attached file might appear as a PDF or Word document but actually contains an executable file with a double extension (like "Invoice_2024.pdf.exe") that Windows hides by default.

Another significant distribution method involves compromised or malicious websites offering "cracked" software, game cheats, or pirated media. Users searching for free versions of expensive applications encounter download sites that bundle SolarisLoader with the promised software. The installer looks legitimate, complete with professional graphics and license agreements, but silently drops the loader payload alongside the desired program. Even some previously trustworthy download repositories have been compromised to serve infected installers to unsuspecting visitors.

Common infection pathways include:

  • Malicious email attachments – ZIP archives containing executable files, weaponized Office documents with malicious macros, or HTML attachments that redirect to download sites
  • Fake software installers – Bundled with pirated applications, system utilities, or media codecs advertised on sketchy download portals
  • Compromised websites – Drive-by downloads from hacked legitimate sites, especially smaller business websites with outdated CMS platforms
  • Malvertising campaigns – Poisoned advertisements on otherwise legitimate websites that redirect to exploit kits or fake download pages
  • Software supply chain attacks – Rare but documented cases where legitimate software update mechanisms were temporarily compromised
  • Remote Desktop Protocol (RDP) brute-forcing – Targeting small businesses with exposed RDP ports and weak passwords

What It Does On Your Machine

Once executed, SolarisLoader immediately begins reconnaissance to profile the infected system and determine whether it's running in a genuine user environment or a security researcher's analysis sandbox. The malware checks for virtualization artifacts, debugging tools, and monitoring software—if it detects analysis tools, it may terminate itself or execute decoy behaviors to waste researchers' time. On real user systems, it proceeds to establish multiple persistence mechanisms ensuring it survives reboots and maintains control even if one foothold is discovered and removed.

The loader creates several registry entries to ensure it launches automatically at system startup, typically adding values to the Windows Run keys that most users never examine. It may also install itself as a scheduled task that executes at specific intervals or system events, and in more sophisticated variants, it hijacks legitimate Windows services by injecting code into trusted processes like svchost.exe or explorer.exe. This process injection technique makes the malicious activity appear to originate from legitimate system components, bypassing basic security monitoring.

After securing persistence, SolarisLoader contacts its command-and-control infrastructure to register the new victim and await instructions. These communications typically occur over HTTPS connections to servers that change frequently, making network-based detection difficult. The C2 server responds with configuration data and URLs for downloading secondary payloads—information stealers that harvest browser credentials, banking trojans that intercept financial transactions, or ransomware that encrypts files for extortion. The modular design means different victims receive different payloads based on factors like geographic location, detected software, or specific campaign objectives.

Typical system artifacts (observed in sandbox analysis): C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\SystemData\svchost.exe // Masquerading as legitimate Windows service C:\Users\[Username]\AppData\Local\Temp\~DF4231.tmp // Temporary extraction location during initial execution HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSystemService = "C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\SystemData\svchost.exe" // Persistence registry key for autostart HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks // Scheduled task entries for periodic execution Network connections observed: HTTPS connections to rotating C2 domains // Often using legitimate-looking domain names and CDN infrastructure DNS queries for dynamically generated domain names // DGA (Domain Generation Algorithm) for backup C2 channels

SolarisLoader also modifies Windows security settings to reduce its detection risk, potentially disabling Windows Defender real-time protection, adding exclusions for its file paths, or manipulating User Account Control (UAC) settings. Some variants have been observed clearing Windows Event Logs related to security and system events, erasing evidence of their installation and making forensic investigation more difficult for both users and IT professionals.

Manual Removal — Step by Step

01

Disconnect from the Internet

Immediately unplug your ethernet cable or turn off WiFi to prevent SolarisLoader from downloading additional payloads or communicating with its command servers. This containment step is critical—many loaders continue fetching malware even while you're attempting removal. Work offline for all subsequent steps until you've verified the infection is completely eliminated.

02

Boot into Safe Mode with Networking

Restart your computer and press F8 repeatedly during boot (or use the Windows advanced startup options). Select "Safe Mode with Networking" from the menu. This loads Windows with minimal drivers and services, preventing most malware from launching automatically. Safe Mode also makes it easier to delete malicious files that might be locked by running processes. The "with Networking" option allows you to download removal tools if needed.

03

Check and Remove Suspicious Startup Programs

Press Windows+R, type msconfig, and hit Enter. Navigate to the "Startup" tab (Windows 7) or click "Open Task Manager" (Windows 8/10/11). Look for unfamiliar entries, especially those with suspicious paths in AppData folders or generic names like "WindowsSystemService" or "SystemUpdate". Uncheck or disable these items. Also run taskschd.msc to review scheduled tasks—SolarisLoader often creates tasks with innocuous names that execute at specific intervals.

04

Examine Registry Run Keys

Press Windows+R, type regedit, and navigate to these locations: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executables in suspicious locations (especially AppData folders with system-sounding names). Right-click and delete any entries you don't recognize. Be cautious—only remove items you're certain are malicious, as legitimate software also uses these keys.

05

Delete Malicious Files

Navigate to the file paths identified in previous steps (typically in C:\Users\[YourName]\AppData\Roaming or AppData\Local). Show hidden files by opening File Explorer options and checking "Show hidden files, folders, and drives". Delete the malicious executable and any associated folders. Empty the Recycle Bin afterward. If Windows prevents deletion, use a tool like Unlocker or restart in Safe Mode again.

06

Run Multiple Antimalware Scanners

Download and run at least two reputable on-demand scanners: Malwarebytes (free version works) and Kaspersky Virus Removal Tool or similar. Run full system scans with both—different engines detect different variants, and SolarisLoader's modular nature means a single scanner might miss components. Allow the tools to quarantine or delete all detected threats. Restart between scans if prompted.

07

Reset Browsers and Check Extensions

SolarisLoader sometimes installs malicious browser extensions or modifies browser settings to maintain persistence or enable secondary payloads. Open each browser's settings, navigate to extensions/add-ons, and remove anything unfamiliar. Consider resetting browsers to default settings (this removes extensions and clears data but preserves bookmarks). Check your browser's home page and search engine settings for unauthorized changes.

08

Check for Rootkit Components

Some SolarisLoader variants install rootkit-level components that hide from normal scanning tools. Download and run GMER, TDSSKiller (from Kaspersky), or similar rootkit scanners. These tools detect kernel-level malware that manipulates the operating system to remain invisible. Follow prompts to remove any detected rootkit components, then restart.

09

Verify Windows System Files

Open Command Prompt as Administrator and run sfc /scannow to check for corrupted system files. SolarisLoader may have modified legitimate Windows components. The System File Checker will replace any corrupted files with clean versions from your Windows installation. This process takes 15-30 minutes. Follow up with DISM /Online /Cleanup-Image /RestoreHealth if errors are found.

10

Change All Important Passwords

After confirming the malware is removed, change passwords for email, banking, shopping sites, and any other sensitive accounts—but do this from a different, clean device if possible. SolarisLoader often downloads credential stealers that may have captured your login information before removal. Enable two-factor authentication (2FA) on all accounts that support it. Monitor your bank statements and credit reports for unusual activity over the next few months.

Prevention

  1. Maintain updated antivirus software with real-time protection enabled – Windows Defender is adequate for most users if kept current, but consider supplementing with behavior-based detection tools like Malwarebytes Premium for layered defense. Schedule weekly scans and don't dismiss security alerts without investigation.
  2. Keep Windows and all software fully patched – Enable automatic updates for Windows, browsers, and commonly exploited applications like Adobe Reader and Java. Most malware exploits known vulnerabilities that have available patches. Set aside time monthly to update software that doesn't auto-update.
  3. Exercise extreme caution with email attachments and links – Never open attachments from unexpected senders, even if they appear legitimate. Hover over links to preview the actual destination URL before clicking. When in doubt, contact the supposed sender through a separate communication channel to verify authenticity. Be especially suspicious of urgent requests.
  4. Download software only from official sources – Avoid third-party download sites, torrent repositories, and "crack" sites entirely. These are the primary distribution channels for bundled malware. If you need free software, download directly from the developer's official website or use reputable platforms like Microsoft Store for Windows applications.
  5. Enable "Show file extensions" in Windows Explorer – This simple setting change reveals files like "document.pdf.exe" for what they truly are—executables masquerading as documents. In File Explorer, go to View > Options > View tab, and uncheck "Hide extensions for known file types." This defeats one of the oldest malware tricks in the book.
  6. Implement the principle of least privilege – Use a standard user account for daily activities rather than an administrator account. This limits malware's ability to make system-wide changes, install services, or modify protected areas of Windows. Create a separate admin account for software installation and system maintenance tasks only.
  7. Back up important files regularly to offline storage – Maintain copies of critical documents, photos, and data on an external hard drive that's disconnected when not in use, or use a cloud backup service with versioning capability. Since loaders often deliver ransomware, having recent backups means you won't be forced to pay extortion demands if encryption occurs.
  8. Consider additional network security measures – For small businesses, implement a hardware firewall that filters malicious domains and blocks known C2 servers. Use DNS filtering services like Cloudflare's 1.1.1.1 for Families or OpenDNS that prevent connections to malicious domains. These layers catch threats that slip past endpoint protection.
Our 90-Day Warranty Promise: When Computer Repair Roswell removes malware from your system, we guarantee it stays gone. Our comprehensive removal process includes rootkit scanning, registry cleaning, browser remediation, and full system verification. If the same malware returns within 90 days through no fault of your own, we'll remove it again at no charge. We also provide a written report of everything we found and fixed, plus personalized recommendations to prevent reinfection.

Bring It In

Manual removal of SolarisLoader and its potential secondary payloads requires technical expertise and specialized tools that most computer users don't have on hand. One missed registry key or hidden scheduled task means the malware reactivates after you think it's gone, potentially leading to identity theft, financial fraud, or a full ransomware encryption days or weeks later. The DIY approach also carries the risk of accidentally deleting critical system files or making configuration changes that create new problems.

Computer Repair Roswell specializes in complete malware eradication using professional-grade tools and techniques developed over years of handling real-world infections. We'll thoroughly scan for rootkits, credential stealers, and any other malware that came along with the loader. Our service includes system hardening recommendations specific to your situation, password security guidance, and a verification process that confirms your system is truly clean before we return it. We're located in Roswell, Georgia, offer same-day service for urgent cases, and provide straightforward pricing with no surprises. Call us at (770) 954-1957 or stop by our shop—we'll get your computer safe and secure again, backed by our 90-day warranty.