Researchers spot an increase in Jupyter infostealer infections

Infections involving the Jupyter infostealer have increased over the last two weeks, in particular targeting organizations in the education and healthcare sectors, researchers said Monday.

VMware’s Carbon Black Threat Analysis Unit published a report on Monday highlighting a wave of new incidents involving the malware, which was first seen in late 2020. It allows hackers to steal credentials and exfiltrate data.

“New Jupyter Infostealer variants continue to evolve with simple yet impactful changes to the techniques used by the malware author. This improvement aims to avoid detection and establishes persistence, enabling the attacker to stealthily compromise victims,” the researchers said.

“This malware continues to be one of the top ten infections we’ve detected in our clients’ network primarily targeting the Education and Health sectors.” The report does not mention specific victims.

The malware has evolved to target the Chrome, Edge, and Firefox browsers while the hackers using it have also exploited search engines to get people to download malicious files with the malware attached, Carbon Black said.

In the most recent incidents, the researchers found the infostealer posing as legitimately signed files, using “a valid certificate to further evade detection” and allow initial access to a victim machine.

Common delivery methods for the malware include “malicious websites, drive-by downloads, and phishing emails,” as well as “malicious ads,” they said.

The researchers shared samples of infected files, including generalized how-to documents as well as more specific files. One example was a copy of the U.S. government’s budget for 2024.

In another instance, Carbon Black saw hackers exploiting a signed Autodesk Create Installer. Autodesk is a popular remote desktop application frequently exploited in past cyberattacks.

The report does not attribute Jupyter to a specific hacking group, but past research by other companies has suggested Russia as a point of origin.

Hackers are constantly evolving their efforts to deliver powerful infostealing malware. Last week, cybersecurity researchers at Bitdefender uncovered a campaign that saw hackers use Facebook ads to distribute malware and hijack users' social media accounts.