| Panamorfi | |
| --- | --- |
| Type of Campaign | DDoS |
| Date of Initial Activity | 2024 |
| Threat Actor | yawixooo |
| Motivation | Cyberwarfare |
| Attack Vectors | Web Browsing |
| Targeted Systems | Windows |
Overview
In August 2024, researchers from Aqua Nautilus uncovered a novel Distributed Denial of Service (DDoS) campaign called Panamorfi. What makes this campaign particularly noteworthy is its use of an unconventional tool and attack vector, targeting Jupyter notebooks—a platform predominantly used by data scientists, engineers, and analysts. This marks a shift in the way threat actors approach DDoS attacks, as they typically rely on more traditional vectors such as botnets or large-scale web application exploits. Panamorfi is significant because it uses the Java-based mineping tool, a DDoS package originally designed for Minecraft servers, and is deployed through misconfigured Jupyter notebook instances.
Targets
Individuals
How they operate
The attack is initiated when a threat actor, identified by the username yawixooo, gains access to an exposed Jupyter notebook. Once inside the environment, the attacker downloads a zip file that contains two malicious JAR files. These files are largely undetected by conventional security tools, enabling the threat actor to bypass initial detection mechanisms. Once executed, the JAR files orchestrate the attack by using Discord as a control channel to communicate attack progress and results. This use of a popular communication platform for monitoring DDoS activity is a unique aspect of the campaign, reflecting the actor’s innovative approach to cybercrime.
The Panamorfi attack itself relies on the mineping tool, which floods the target server with a high volume of TCP connection requests, exhausting its resources and rendering the system unresponsive. The results of the attack are logged to Discord, allowing the threat actor to monitor the effectiveness of the DDoS in real time. This method represents a shift away from traditional DDoS attack models by introducing elements of social media communication and using cloud-native tools in a more targeted, stealthy manner.
By exploiting the misconfiguration of widely used platforms like Jupyter notebooks, the Panamorfi campaign highlights an emerging trend in which attackers focus on overlooked or under-secured areas of the IT landscape. The campaign underscores the importance of securing not just the obvious attack vectors but also the less frequently protected environments, such as cloud-based notebooks, which are increasingly integral to modern data workflows. As such, the Panamorfi DDoS campaign serves as a warning that threat actors are evolving their tactics to exploit misconfigurations and new attack surfaces, demanding an increased focus on holistic security practices.
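As an added defender-side example (not code from this page or from Aqua Nautilus), the following Python checker audits a Jupyter server configuration for the misconfiguration the campaign depends on: a notebook bound to a non-loopback address with both token and password emptied. The trait names are Jupyter Server 1.x `ServerApp` (and legacy `NotebookApp`) settings, and the WEAK and HARDENED configs are constructed for the demonstration.

```python
import ast
import re

# Added example, not code from the page or from Aqua Nautilus. It reads the
# assignment lines of a jupyter_server_config.py / jupyter_notebook_config.py
# and flags the exposure pattern Panamorfi relied on. Trait names are the
# Jupyter Server 1.x ServerApp / legacy NotebookApp traits; Jupyter Server 2.x
# moved token/password to IdentityProvider, which this checker does not read.
LINE = re.compile(r"^\s*c\.(ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}  # "" = Jupyter default (localhost)


def parse_config(text):
    """Return {trait: value} for literal assignments; anything else is ignored."""
    traits = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            try:
                traits[m.group(2)] = ast.literal_eval(m.group(3))
            except (ValueError, SyntaxError):
                pass  # non-literal right-hand side (e.g. a call): leave unset
    return traits


def audit(text):
    """Return findings as strings; an empty list means no exposure pattern found."""
    t = parse_config(text)
    findings = []
    # Reachable from the network if bound to a non-loopback address or remote access is forced on.
    remote = t.get("ip", "") not in LOOPBACK or bool(t.get("allow_remote_access", False))
    # Jupyter generates a random token by default, so "no auth" needs token AND password emptied.
    no_auth = t.get("token", "<generated>") == "" and t.get("password", "") == ""
    if remote:
        findings.append("listens on a non-loopback address")
    if no_auth:
        findings.append("token and password both empty: no authentication")
    if remote and no_auth:
        findings.append("EXPOSED: unauthenticated notebook reachable from the network")
    if t.get("allow_root", False):
        findings.append("allow_root=True: a hijacked kernel runs as root")
    return findings

# Constructed "before" and "after" configs for demonstration.
WEAK = "c.ServerApp.ip = '0.0.0.0'\nc.ServerApp.token = ''\nc.ServerApp.password = ''\nc.ServerApp.allow_root = True\n"
HARDENED = "c.ServerApp.ip = '127.0.0.1'\nc.ServerApp.token = 'replace-with-a-long-random-secret'\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

Running it reports four findings for WEAK and none for HARDENED; the same function can be pointed at a real config file's contents.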