Thursday, April 24, 2025

Hackers Exploiting Exposed Jupyter Notebooks to Deploy Cryptominers


Cado Security Labs has identified a sophisticated cryptomining campaign exploiting misconfigured Jupyter Notebooks, targeting both Windows and Linux systems.

The attack utilizes multiple stages of obfuscation, including encrypted payloads and COM object manipulation, to ultimately deploy miners for various cryptocurrencies including Monero, Ravencoin, and several others.

This previously unreported exploitation method demonstrates how threat actors continue to evolve their tactics to monetize vulnerable cloud infrastructure, potentially causing degraded system performance, increased operational costs, and security risks for affected organizations.


Sophisticated Multi-Stage Attack Methodology

The attack begins when threat actors access misconfigured Jupyter Notebooks, interactive Python development environments commonly used by data scientists.

Upon gaining access, the attackers attempt to retrieve and execute a bash script and Microsoft Installer (MSI) file.

On Windows systems, the MSI file executes a 64-bit executable named “Binary.freedllbinary,” which serves as the initial loader.

This loader creates a secondary payload called “java.exe” stored in the C:\ProgramData directory, using Component Object Model (COM) objects to facilitate the operation.

Despite a name suggesting legitimate Java software, this executable is the malware itself, packed with UPX to hinder static analysis and signature-based detection.

The Windows payload retrieves an encrypted blob named “x2.dat” from various repositories including GitHub, Launchpad, or Gitee (a Chinese GitHub alternative).

This blob is the miner compressed with zlib and then encrypted with ChaCha20 under fixed key and nonce values; the loader reverses the two steps at runtime, decrypting first and then inflating.

[Figures: the ChaCha routine inside the loader; the loader reading the written lx.dat file]

After decryption and decompression, the resulting binary reveals its true purpose: a cryptominer targeting multiple cryptocurrencies including Monero, Sumokoin, ArQma, Graft, Ravencoin, Wownero, Zephyr, Townforge, and YadaCoin.

The layered packaging (UPX on the loader, ChaCha20 and zlib on the payload) exists to keep a recognizable miner binary away from static scanners during download and staging; persistence is handled separately (on Linux, through the crontab entries described below).

Cross-Platform Capabilities and Infrastructure

The campaign demonstrates sophisticated cross-platform capabilities, with distinct attack vectors for Linux environments.

If the initial MSI execution fails, the attackers attempt to retrieve and run “0217.js”, a bash backdoor despite its .js extension, which downloads two ELF binaries, “0218.elf” and “0218.full”, from a remote server.

The script renames these files using timestamp-based naming conventions, places them in system directories like /etc/, /tmp/, or /var/tmp/, and establishes persistence through crontab entries scheduled to execute every 10 to 40 minutes.

This ensures the malware remains active even after system restarts or initial removal attempts.

Similar to its Windows counterpart, the Linux version of the malware (“0218.elf”) searches for a lock file named “cpudcmcb.lock” across various system paths to prevent concurrent execution of multiple instances.

It then retrieves an encrypted payload “lx.dat” from several potential sources, decrypts it using ChaCha20 with a specific nonce and key, and decompresses it with zlib.

The final payload is another ELF binary that functions as a cryptominer targeting the same cryptocurrencies as the Windows variant.

Interestingly, researchers noted that “0218.full” appears to be identical to the final cryptominer payload, though the reasons for deploying two versions of the same mining software remain unclear.

Both variants connect to mining pools including C3.wptask.cyou, Sky.wptask.cyou, and auto.skypool.xyz, and all mining rewards are paid to a single wallet ID.
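The Linux persistence and mining-pool details above translate directly into host and network triage checks. The following is an added example, not code from the article or from Cado: it flags crontab lines that match the dropper's pattern (a command under /tmp, /var/tmp or /etc, a bare-timestamp filename, a */N minute schedule), looks for the cpudcmcb.lock file, and matches the pool hostnames and the pool IP from the figure against arbitrary log text. The crontab, log lines and scratch lock file are constructed samples; the regular expression for a "timestamp-style" filename (eight or more digits) and the 10-to-40-minute window are my reading of the article's description, not a confirmed signature.

```python
import os
import re
import tempfile

# Indicators named in the article.
POOL_HOSTS = {"c3.wptask.cyou", "sky.wptask.cyou", "auto.skypool.xyz"}
POOL_IPS = {"45.147.51.78"}
LOCK_FILE = "cpudcmcb.lock"
STAGING_DIRS = ("/etc/", "/tmp/", "/var/tmp/")

_CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
_STEP = re.compile(r"^\*/(\d+)$")
_TIMESTAMP_NAME = re.compile(r"^\d{8,}$")  # assumption: names like 1739891234


def suspicious_cron_entries(crontab_text):
    """Return (line, reasons) for crontab lines that execute from a staging
    directory; the schedule and filename shape are recorded as extra evidence."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # skip blanks, comments, VAR=value lines and @reboot-style shortcuts
        if not line or line.startswith(("#", "@")) or "=" in line.split()[0]:
            continue
        m = _CRON_LINE.match(line)
        if not m:
            continue
        minute, command = m.group(1), m.group(6)
        step = _STEP.match(minute)
        period = int(step.group(1)) if step and 10 <= int(step.group(1)) <= 40 else None
        reasons = []
        for tok in command.split():
            if not tok.startswith(STAGING_DIRS):
                continue
            ts = bool(_TIMESTAMP_NAME.match(os.path.basename(tok)))
            # /etc/ is noisy (run-parts /etc/cron.hourly is legitimate), so it
            # only counts when the file name is a bare timestamp
            if tok.startswith(("/tmp/", "/var/tmp/")) or ts:
                reasons.append("executes %s from a staging directory" % tok)
                if ts:
                    reasons.append("timestamp-style filename")
                if period:
                    reasons.append("runs every %d min" % period)
            break
        if reasons:
            findings.append((line, reasons))
    return findings


def find_lock_files(search_dirs):
    """Paths at which the miner's single-instance lock file exists."""
    return [os.path.join(d, LOCK_FILE) for d in search_dirs
            if os.path.isfile(os.path.join(d, LOCK_FILE))]


def demo_lock_file_hit():
    """Self-check: plant the lock file in a scratch directory and detect it."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, LOCK_FILE), "w").close()
        return find_lock_files(["/nonexistent-for-demo", d]) == [os.path.join(d, LOCK_FILE)]


_HOST_OR_IP = re.compile(r"[A-Za-z0-9.-]+")


def match_network_iocs(log_lines):
    """(line, indicator) for every line naming a pool host or IP; works on
    resolver logs, proxy logs or ss/netstat output alike."""
    hits = []
    for line in log_lines:
        for tok in _HOST_OR_IP.findall(line):
            t = tok.lower().rstrip(".")
            if t in POOL_HOSTS or t in POOL_IPS:
                hits.append((line, t))
                break
    return hits


# Constructed samples, not captures from a real host.
SAMPLE_CRONTAB = """\
# constructed sample
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/apt-get update
*/15 * * * * /usr/lib/update-notifier/apt-check
*/20 * * * * /tmp/1739891234 >/dev/null 2>&1
*/35 * * * * /var/tmp/1739891300 >/dev/null 2>&1
"""
SAMPLE_LOG = [
    "Mar 18 10:02:11 host named[812]: client 10.0.0.5#5353: query: c3.wptask.cyou IN A",
    "Mar 18 10:02:12 host named[812]: client 10.0.0.5#5353: query: pypi.org IN A",
    "ESTAB 0 0 10.0.0.5:51234 45.147.51.78:3333",
]

if __name__ == "__main__":
    for line, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("CRON:", line, "|", "; ".join(reasons))
    print("LOCK:", find_lock_files(STAGING_DIRS))
    for line, ioc in match_network_iocs(SAMPLE_LOG):
        print("NET :", ioc, "<-", line)
```

On a live host, feed it the output of `crontab -l` for every user plus /etc/crontab and /etc/cron.d/*, and point find_lock_files at the real staging directories; the cron heuristic deliberately ignores the schedule on its own, since plenty of legitimate jobs run every 15 minutes from /usr/lib.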

Connections to Other Campaigns and Security Recommendations

During their investigation, Cado Security Labs uncovered a parallel campaign targeting PHP servers using the same infrastructure.

This campaign utilizes a PHP script (“1.php”) hosted on the same remote server that checks whether the target is running Windows or Linux, then downloads the appropriate binary—”php0218.exe” for Windows or “php0218.elf” for Linux.

Analysis confirmed that these are identical to the binaries used in the Jupyter Notebook campaign, indicating a broader operation by the same threat actors.

The researchers also noted similarities to previous campaigns, including a January 2024 attack against Ivanti Connect Secure and a June 2024 campaign targeting unpatched Korean web servers, both using similar tactics, techniques, and procedures (TTPs).

[Figure: mining pool traffic to 45[.]147[.]51[.]78]

Security experts emphasize that exposed cloud services continue to be prime targets for cryptominers and other malicious actors.

The sophisticated nature of this campaign—with its multi-stage execution, cross-platform capability, and obfuscation techniques—highlights the evolving threat landscape.

To mitigate these risks, organizations should require token or password authentication on every Jupyter instance, bind development environments such as Jupyter Notebooks to localhost or a private network rather than a public interface, and regularly monitor CPU usage and outbound network connections for unusual activity such as traffic to mining pools.

Additional protective measures include implementing strict network restrictions, configuring auto-shutdown policies for idle instances, and utilizing cloud provider security tools to detect unauthorized access attempts.
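The initial access described earlier is nothing more exotic than a Jupyter server that is reachable from the internet with authentication switched off, and the fix is a handful of settings in the server's config file. The block below is an added example, not code from the article or from the Jupyter project: it contains a constructed weak configuration beside a hardened one and a small auditor that reads traitlets-style `c.<Class>.<attr> = <value>` lines and reports the combinations that turn a notebook into an open remote shell. It keys on the trailing attribute name so the same checks apply to NotebookApp (classic notebook), ServerApp (jupyter_server 1.x) and the IdentityProvider classes of jupyter_server 2.x; the attribute names are the ones I know those versions use, and the argon2 placeholder stands in for the hash produced by `jupyter server password` (or `jupyter notebook password` on the classic notebook).

```python
import ast
import re

# Matches traitlets assignments such as:  c.ServerApp.ip = '0.0.0.0'
_ASSIGN = re.compile(r"^\s*c\.(?P<cls>\w+)\.(?P<attr>\w+)\s*=\s*(?P<val>.+?)\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_jupyter_config(text):
    """Collect {attr: value} from `c.<Class>.<attr> = <literal>` lines. Only the
    attribute name is kept so one set of checks covers NotebookApp, ServerApp and
    the IdentityProvider / PasswordIdentityProvider classes. Later lines win."""
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        try:
            value = ast.literal_eval(m.group("val"))
        except (ValueError, SyntaxError):
            value = m.group("val")  # non-literal right-hand side: keep the raw text
        settings[m.group("attr")] = value
    return settings


def audit_jupyter_config(text):
    """Return a list of findings; empty means none of the known-bad settings
    that hand code execution to an unauthenticated network peer are present."""
    s = parse_jupyter_config(text)
    findings = []
    ip = s.get("ip", "localhost")       # Jupyter's own default is loopback only
    token = s.get("token")              # unset => a random token is generated at start
    password = s.get("hashed_password") or s.get("password")
    no_auth = token == "" and not password
    exposed = ip not in LOOPBACK or s.get("allow_remote_access") is True
    if no_auth and exposed:
        findings.append("RCE for anyone who can reach the port: bound to %r with token='' and no password" % ip)
    elif no_auth:
        findings.append("authentication disabled (token='' and no password); only tolerable behind a loopback bind")
    if s.get("allow_root") is True:
        findings.append("allow_root=True: kernels run as root, so a notebook compromise is a root compromise")
    if s.get("allow_origin") == "*":
        findings.append("allow_origin='*': any website the user visits can drive the server")
    if s.get("disable_check_xsrf") is True:
        findings.append("disable_check_xsrf=True: CSRF protection off")
    return findings


# Constructed example configurations (not taken from any real host).
WEAK_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = True
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_origin = '*'
c.ServerApp.disable_check_xsrf = True
"""

HARDENED_CONFIG = """
# reach the server over an SSH tunnel or VPN; never bind it to 0.0.0.0
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = False
c.ServerApp.allow_remote_access = False
# placeholder for the hash produced by `jupyter server password`
c.PasswordIdentityProvider.hashed_password = 'argon2:<hash from jupyter server password>'
c.ServerApp.disable_check_xsrf = False
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_jupyter_config(cfg) or "no findings")
```

Run the auditor over every jupyter_server_config.py and jupyter_notebook_config.py on a host (and over whatever a container image bakes in under /etc/jupyter or ~/.jupyter); anything that produces the first finding is the configuration this campaign is scanning for.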

The discovery of this cryptomining campaign targeting Jupyter Notebooks reveals how threat actors continue to innovate in their approaches to compromising cloud resources for financial gain.

By exploiting misconfigured services and implementing sophisticated multi-stage attacks with cross-platform capabilities, these operations can remain undetected while consuming computational resources and potentially creating security vulnerabilities.

Organizations must maintain continuous vigilance through regular security audits, employ proactive security measures including proper configuration management, and educate users about the importance of securing development environments.

As cloud adoption continues to accelerate, understanding and addressing these emerging threats becomes increasingly critical for maintaining operational security and performance across digital infrastructure.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
