In a new fileless attack called PyLoose, a cryptocurrency miner is delivered to cloud workloads. The attack, which was first detected in June 2023, is notable for its use of Python to load the miner directly into memory, bypassing traditional security controls.

How the Attack Works

The PyLoose attack begins with the attacker exploiting a publicly accessible Jupyter Notebook service to execute malicious Python code. The code then retrieves a compressed and encoded precompiled XMRig miner from a remote server and loads it directly into memory using the memfd memory file descriptor.

The memfd file descriptor is a Linux-specific feature that allows for the creation of files in memory. This means that the XMRig miner is never written to disk, making it very difficult to detect.

The Impact of the Attack

The PyLoose attack can have a significant impact on cloud workloads. The cryptocurrency miner will consume CPU resources, which can lead to performance degradation and even downtime. In addition, the attacker can use the miner to collect sensitive data from the victim’s system.

How to Protect Yourself

There are a number of steps that can be taken to protect against the PyLoose attack. These include:

  • Keeping your Jupyter Notebook service up to date with the latest security patches.
  • Using a firewall to block unauthorized access to your Jupyter Notebook service.
  • Using a malware scanner to detect and remove malicious Python code.
  • Monitoring your cloud workloads for signs of cryptocurrency mining activity.


The PyLoose attack is a new and sophisticated threat that can have a significant impact on cloud workloads. By following the steps outlined above, you can help to protect your systems from this attack.