Qubitstrike

Malware updated 5 months ago (2024-05-05T02:18:19.224Z)
Qubitstrike is a novel form of malware that has been targeting vulnerable Jupyter Notebook instances, as reported on October 19, 2023. The threat actors suspected to be behind it are believed to be based in Tunisia, and they have been using Qubitstrike to facilitate cryptomining and cloud compromise.

The attacks reportedly begin with a manual scan for exposed Jupyter Notebooks, followed by a CPU identification to evaluate the system's mining potential. The primary objective of Qubitstrike appears to be resource hijacking for the purpose of mining the XMRig cryptocurrency. The Qubitstrike scripts also install the open-source Diamorphine rootkit for Linux, which is used to hide the presence of any running scripts and malware payloads. This means that once Qubitstrike has infiltrated a system, it can operate undetected.

The malware's advanced command-and-control (C2) infrastructure uses Discord’s bot functionality for issuing commands on compromised nodes and for tracking the campaign’s progress. This highlights the sophistication of the malware and its capability to carry out various types of attacks after gaining access to vulnerable hosts. According to new research from Cado Security Labs, the Qubitstrike campaign payloads are hosted on codeberg.org, an alternative Git hosting platform. Discord is used for command-and-control communications, providing further evidence of the advanced nature of this malware.

The findings emphasize the need for robust cybersecurity measures, particularly in scientific computing environments like Jupyter Notebooks, which have been identified as key targets for Qubitstrike.
Description last updated: 2024-05-05T01:22:03.616Z
Aliases: We are not currently tracking any aliases.