Cryptojacking Malware Campaign Targeting Jupyter to Steal Credentials & Access Cloud Services

Cado Security has discovered a new cryptojacking campaign targeting exposed Jupyter Notebooks, commonly deployed in cloud environments, with providers such as Google and AWS offering them as managed services. This campaign is particularly “cloud-y” – not only is it targeting Jupyter, but the malware developer is deliberately trying to steal cloud credentials. Cado even saw attempts to use these credentials to access cloud services.

The payloads for the campaign are all hosted on, providing much of the same functionality as Github – the first time Cado researchers have encountered this platform in an active malware campaign. The malware includes relatively sophisticated command and control (C2) infrastructure, with the controller using Discord’s bot functionality to issue commands on compromised nodes and monitor the campaign’s progress.

Qubitstrike (the name given to malware by the developer) attackers specifically seek Cloud Service Provider (CSP) credentials. Cado observed attempts by the attackers to utilize stolen CSP credentials for further exploitation.

You can read the report here.

Leave a Reply

%d bloggers like this: