PyLoose Targets Cloud Workloads

Estimated read time 2 min read

Researchers from have recently discovered a new fileless attack targeting cloud workloads, named PyLoose.

The Attack Unveiled

The attack was first detected by Wiz’s Runtime Sensor on June 22, 2023. The attacker gained access to a publicly accessible Jupyter Notebook service, which failed to restrict the execution of system commands. The PyLoose payload was then downloaded from a Pastebin-equivalent website into the Python runtime’s memory, avoiding saving the file to the disk.

PyLoose Code snippit | Made by
PyLoose Code snippit | Made by

The Python script, which is only 9 lines long, holds a compressed and encoded precompiled XMRig miner. It decodes, decompresses, and loads the XMRig miner directly into memory via the memory file descriptor, memfd. The miner then connects to the remote MoneroOcean mining pool. explaining the PyLoose Attack

Why Fileless Attacks?

Fileless attacks are more evasive than traditional attacks as they do not rely on writing payloads to disk. They are harder to detect and investigate, and are less common, making them a preferred choice for sophisticated threat actors.

Mitigation Steps

To prevent attacks like PyLoose, recommends avoiding publicly exposing services like Jupyter Notebook, using complex passwords or centrally managed identity platforms with strong authentication methods, and constraining the execution of system commands.

For more details, you can read the full report by Avigayil Mechtinger, Oren Ofer, and Itamar Gilad on

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author