Aqua Nautilus researchers have identified a new malware campaign, Sobolan, which specifically targets interactive computing environments like Jupyter Notebooks, posing a significant risk to cloud-native infrastructure. The attack follows a multi-stage approach, starting with the exploitation of unauthenticated JupyterLab instances. Attackers download a compressed archive containing malicious binaries and shell scripts, which execute cryptominers and establish persistent backdoors.
To maintain persistence, Sobolan modifies the ~/.bashrc file to display a fake login prompt requiring a hardcoded password, creates cron jobs for continuous execution, and runs various scripts to control system resources. The malware deploys binaries such as pythonlol and sobolan for cryptomining, while the noob script evades detection by terminating high-CPU processes. The run binary inspects SSH credentials and triggers apachelogs, which removes competing cryptominers and executes the syst3md cryptominer.
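As an added example (not Aqua Nautilus code), the audit below turns the persistence artifacts named above into host checks a defender can run: it scans ~/.bashrc and a crontab for the binary and script names quoted in the write-up and for a silent password prompt, and checks whether a Jupyter config leaves the server unauthenticated. The fake-prompt pattern (`read -s`) is an assumption, since the write-up does not give the prompt text, and all sample inputs are constructed.

```python
"""Audit a host for the Sobolan persistence artifacts the write-up names.
Added example (not Aqua Nautilus code); sample inputs below are constructed."""
import re
from typing import List

# Binary and script names quoted in the write-up.
SOBOLAN_NAMES = ("pythonlol", "sobolan", "noob", "apachelogs", "syst3md")
# Assumption: the fake login prompt is built on a silent `read -s` in
# ~/.bashrc; the write-up gives no prompt text, so only the pattern is matched.
PROMPT_RE = re.compile(r"\bread\b[^#\n]*\s-s\b")

def scan_bashrc(text: str) -> List[str]:
    """Flag ~/.bashrc lines resembling Sobolan's fake login or its loaders."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if PROMPT_RE.search(line):
            hits.append(f"bashrc:{n}: silent password prompt at shell start")
        if any(name in line for name in SOBOLAN_NAMES):
            hits.append(f"bashrc:{n}: references a Sobolan binary/script")
    return hits

def scan_crontab(text: str) -> List[str]:
    """Flag cron entries that re-launch the named binaries or scripts."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(name in line for name in SOBOLAN_NAMES):
            hits.append(f"crontab:{n}: cron job runs a Sobolan binary/script")
    return hits

def jupyter_unauthenticated(config: str) -> bool:
    """True when token auth is switched off and no password hash is set.
    c.ServerApp.* / c.NotebookApp.* are Jupyter's real config keys."""
    token_off = re.search(
        r"^\s*c\.(ServerApp|NotebookApp)\.token\s*=\s*(''|\"\")", config, re.M)
    pw_set = re.search(
        r"^\s*c\.(ServerApp|NotebookApp)\.password\s*=\s*(['\"])(?!\2).+\2", config, re.M)
    return bool(token_off) and pw_set is None

# Constructed samples: an infected-looking host and an open vs. hardened Jupyter config.
SAMPLE_BASHRC = ("export PATH=$PATH:/usr/local/bin\nread -s -p 'Password: ' _pw\n"
                 "nohup /tmp/.x/sobolan >/dev/null 2>&1 &\n")
SAMPLE_CRON = "# constructed\n*/5 * * * * /tmp/.x/noob\n0 * * * * /tmp/.x/apachelogs\n"
OPEN_JUPYTER = "c.ServerApp.token = ''\nc.ServerApp.open_browser = False\n"
HARDENED_JUPYTER = "c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'\n"  # placeholder hash

if __name__ == "__main__":
    for hit in scan_bashrc(SAMPLE_BASHRC) + scan_crontab(SAMPLE_CRON):
        print(hit)
    print("open jupyter:", jupyter_unauthenticated(OPEN_JUPYTER))
```

On a real host, feed the functions the contents of ~/.bashrc, `crontab -l`, and the jupyter_server_config.py in use; a hit on any of them is a reason to isolate the instance and pull process and network evidence before cleanup.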
This attack underscores the vulnerabilities of cloud-native environments and the importance of strong authentication, regular software updates, and runtime security solutions to detect and prevent such threats.