When malware attacks like Sobolan are detected, Aqua helps security teams thoroughly analyze and mitigate these threats. Whether it is threat hunting in cloud environments or following an alert, the Aqua Hub provides logs and captured artifacts so you can see how Sobolan gained access, what processes it ran, and how it attempted to persist. This gives incident response teams the context they need to understand the breach.
In addition to investigation, Aqua Runtime Protection monitors workloads in real time and enforces policies that block Sobolan techniques such as cryptominer execution, fileless scripts, and backdoor creation. This makes it possible to stop the malware as it runs while still collecting the evidence needed for a full investigation.
Step-by-Step Guide
1 – Create a Response Policy
Log in to the Aqua console and go to Aqua Hub > Response Policies. Click New Policy.
2 – Define Basic Data
Name the policy and give it a brief description.
3 – Select Application Scope
Select one or multiple application scope(s).
4 – Select a Trigger
Select the type of event you want to track: Issues, Scan Results, or Incidents.
5 – Select Action
Choose where alerts should go, such as Slack or email, pick the format (HTML or JSON), and add additional outputs if needed. Save the policy when done.
The Security Gap Leaving Organizations Exposed
In practice, this means organizations often entrust their most valuable asset, data, to practitioners who know very little about security. It is no surprise we see so many vulnerable or misconfigured data applications exposed online, leaking secrets and sensitive information.
Modern AI architectures add even more complexity.
They often include components that connect to highly sensitive environments. To deliver more accurate and timely results, AI applications rely on tools such as RAG (Retrieval Augmented Generation), which can tap into organizational data. MCP (Model Context Protocol) applications go further, connecting to file storage, databases, and other environments. All of this is typically supported by API access, which expands the attack surface and creates new entry points into the organization.
This is how advanced malware like Sobolan can exploit that initial access: taking over a server, hiding its activity, profiting through cryptomining, and paving the way for broader attacks.
For more detailed information about the Sobolan malware, read our blog post: Stopping Sobolan Malware with Aqua Runtime Protection
Don’t wait for an attack to reveal the gaps
Contact your Aqua Sales Representative or Customer Success Manager today to learn how Aqua runtime security helps protect against real-world malware like Sobolan.