Qubitstrike is a cryptojacking campaign targeting exposed Jupyter Notebooks, which may allow remote command execution. After obtaining a shell on the remote host, the shell script executes a cryptocurrency miner and establishes persistence using a cron job that inserts a key into the .ssh/authorized_keys file.
In addition, the malware is also capable of retrieving and installing the Diamorphine rootkit to conceal malicious processes, and of transmitting captured AWS and Google Cloud credentials back to the threat actor through the Telegram bot API. The payloads for this campaign are all hosted on ‘codeberg.org’. A closer examination of the repository has also revealed a Python implant engineered to be executed on infected hosts, with Discord acting as the C2 mechanism.
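The cron-based persistence described above (a scheduled job that re-adds an attacker key to authorized_keys) is something a defender can hunt for directly in crontab contents. The following is an added example, not code from the original write-up or from the campaign: it parses a constructed sample crontab and flags entries that touch authorized_keys, run from world-writable temp directories, or pipe downloads into a shell. The sample entries, the placeholder key blob and the heuristics are all assumptions for illustration.

```python
import re

# Constructed sample crontab (not taken from the page or the campaign's scripts).
# The third entry mimics the persistence technique described above: a scheduled
# job that re-adds an attacker's public key to root's authorized_keys.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER' >> /root/.ssh/authorized_keys
@reboot /tmp/.x/run.sh
"""

# Heuristics for cron commands worth a second look (assumptions, not signatures).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"authorized_keys"), "touches SSH authorized_keys"),
    (re.compile(r"(^|[\s;|&])(/tmp|/dev/shm|/var/tmp)/"), "runs from a world-writable temp dir"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
]

def parse_crontab(text):
    """Return (schedule, command) pairs; comments and blank lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @daily, ... take a single field
            sched, _, cmd = line.partition(" ")
        else:                     # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        jobs.append((sched, cmd.strip()))
    return jobs

def find_suspicious_jobs(text):
    """Flag cron jobs matching any heuristic, with the reasons for each hit."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(cmd)]
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] {hit['command']}  <- {', '.join(hit['reasons'])}")
```

On a real host the same functions can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d, and any hit on authorized_keys should be checked against the keys the administrators actually provisioned.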
The origin of the threat actor remains unclear, although evidence points to it likely being Tunisia, owing to the IP address used to log in to the cloud honeypot with the stolen credentials.