Stopping Sobolan Malware with Aqua Runtime Protection
ID: cb35d9e0-91e8-5e5e-9e8d-2b40fe433ad0
STIX ID: report--cb35d9e0-91e8-5e5e-9e8d-2b40fe433ad0
Feed Name: Aqua Security Blog
Aqua Nautilus discovered the Sobolan campaign exploiting unauthenticated Jupyter-like notebook environments: attackers download a tar from 167.172.154.218 that deploys 13 malicious files (shell scripts and binaries) under /var/tmp to establish persistence, run cryptominers (syst3md, sobolan, pythonlol), kill competing processes, and attempt stealthy communications; Aqua Runtime Protection detected and blocked many events and provides IOCs (IP addresses and MD5 hashes) and mitigation recommendations.
