Threat Actors Hijack Misconfigured Servers for Live Sports Streaming

Aqua Nautilus researchers used honeypots and runtime forensics (Aqua Tracee and Traceeshark) to uncover threat actors exploiting unauthenticated, internet-exposed JupyterLab/Notebook instances to install and run ffmpeg, capture live sports feeds, and re-stream them to external platforms for illicit monetization. The report documents the attack flow, captured commands and artifacts (including an ffmpeg MD5 and attacker IPs), maps techniques to MITRE ATT&CK, and provides detection and mitigation recommendations for securing Jupyter deployments.