Stopping Sobolan Malware with Aqua Runtime Protection
Essential information
- Published: 12/03/2025 11:48
- Modified: 12/03/2025 11:55
- Tags: 2025-03-12, cloud-native, cryptomining, evasion, jupyter notebooks, persistence, runtime protection, sobolan
- Related entities: 9 observables, 12 techniques (mitre), 1 malware
Description
A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign poses a significant risk to cloud-native environments by enabling unauthorized access and long-term control over compromised systems. The attack flow includes initial access through an unauthenticated JupyterLab instance, downloading and extracting malicious files, executing scripts to launch additional binaries, and establishing persistence while evading detection. The malware deploys cryptominers and attempts to kill competing processes. Runtime protection solutions can effectively detect, block, and mitigate these threats using real-time threat intelligence, malware scanning, and customizable policies.
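The initial-access vector described above is a JupyterLab server that accepts connections without authentication. As an added example (not part of this report or of Aqua's tooling), the following Python audits a Jupyter server config for that exposure, using a constructed weak config beside a hardened one; the config option names are Jupyter's own, the sample values and the password hash placeholder are constructed.

```python
import re

# Constructed weak config (not from the report): a JupyterLab server reachable
# from any address with token and password authentication both disabled.
WEAK_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_remote_access = True
"""

# Constructed hardened counterpart: loopback bind, token auth left at its
# enabled default, and a hashed password (placeholder hash) set via
# `jupyter server password`.
HARDENED_CONFIG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$PLACEHOLDER'
c.ServerApp.allow_remote_access = False
"""

# Matches simple `c.ServerApp.option = value` (or legacy NotebookApp) lines.
_ASSIGN = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_config(text):
    """Return {option: value} for the plain assignments in a Jupyter config."""
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def audit(text):
    """Return findings that indicate an unauthenticated or exposed server."""
    s = parse_config(text)
    findings = []
    # Token auth is on by default; an explicit empty string disables it.
    if s.get("token") == "" and s.get("password", "") == "":
        findings.append("no authentication: token and password both empty")
    if s.get("ip") not in (None, "127.0.0.1", "localhost", "::1"):
        findings.append(f"bound to non-loopback address {s['ip']}")
    if s.get("allow_remote_access") == "True":
        findings.append("allow_remote_access enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```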