There are indicators and evidence suggesting that Russian language speakers created Solarmarker, or the creators at least designed it to look that way. Static and dynamic analysis of Solarmarker's droppers revealed attributes in the executables' resource section that indicate the files were created on a system with Russian language support. The keylogging module's name, "Uran," is a transliteration of the Russian word for Uranus, "Уран," and Russian was listed as a targeted language in the module itself. The name of the browser credential and information stealer, "Jupyter," could also be an attempted transliteration or translation of the Russian equivalent for Jupiter, "Юпитер," albeit an odd one. A more commonly accepted transliteration for a native Russian speaker would be "Yupiter." The names for the "Mars" module and its class object "Deimos" work both as direct English words and possible transliterations of their Russian equivalents, "Марс" and "Деймос."

Security researchers from Morphisec, in their analysis of the Jupyter module, also pointed out similar indicators of the actor potentially being Russia-based, such as possibly misspelling the English "Jupiter" and the hardcoded IP addresses being hosted on "SELECTEL," a Russian ASN, which was also true for IP addresses found in other modules and Solarmarker variants during earlier stages of the campaign.