Do Son 
Cybersecurity experts have uncovered a new wave of covert cryptocurrency mining attacks targeting publicly accessible DevOps servers. The campaign primarily focuses on services such as Docker, Gitea, and HashiCorp’s Consul and Nomad—platforms widely used for infrastructure automation and management.
According to researchers at Wiz, who are tracking the activity under the designation JINX-0132, the attackers are exploiting both known vulnerabilities and misconfigurations to deploy malicious mining software.
What sets this campaign apart is the first recorded use of misconfigured Nomad instances as an initial attack vector. Unlike traditional methods, the attackers are retrieving their tools directly from public GitHub repositories, complicating efforts to trace their infrastructure or attribute the origin of the assaults. By leveraging readily available tools, the attackers effectively obfuscate the true source of the threat.
The compromised Nomad servers often manage fleets of hundreds of client nodes—granting attackers access to substantial computing power. If acquired legitimately via cloud services, such resources would incur costs amounting to tens of thousands of dollars monthly. Incidents like these underscore the growing appeal of exploiting public-facing DevOps platforms for illicit mining operations, where computational power appears virtually limitless.
Docker’s API has long been a favored target, enabling attackers to launch malicious containers and even mount the host file system. In May, Kaspersky Lab reported a series of large-scale attacks exploiting unsecured Docker instances to construct cryptocurrency-mining botnets.
Gitea—an open-source solution for hosting Git repositories—has also proven vulnerable due to misconfigurations and outdated versions. If an attacker gains access to an account with git hook creation privileges, or if the instance is running version 1.4.0 or lacks proper installation locking (INSTALL_LOCK=false), remote code execution becomes possible.
Consul, when misconfigured, presents similar risks. Any user with remote access can register new services and assign health checks, which in practice equates to executing arbitrary bash commands.
During the JINX-0132 campaign, attackers deployed malicious health checks disguised as legitimate services, which in reality downloaded and executed XMRig—a widely used tool for mining Monero.
A similar approach is used against Nomad. When a publicly accessible Nomad server lacks robust configuration, an attacker can submit jobs that automatically fetch and run XMRig from GitHub. This is due to the overly permissive default settings of Nomad’s server component, which effectively allow remote code execution across connected nodes.
According to data from Shodan, over 5,300 Consul servers and more than 400 Nomad instances are exposed worldwide, with the highest concentrations found in China, the United States, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.
In a parallel discovery, researchers at Sysdig identified another campaign exploiting misconfigured Open WebUI servers to inject malicious Python scripts for cryptomining on both Linux and Windows environments. The interface allowed remote uploading and execution of third-party scripts—a capability quickly leveraged by threat actors. Their payload downloaded and launched T-Rex and XMRig miners, while also establishing system services to ensure persistence. To remain undetected, the attackers used obfuscation tools like processhider and argvhider.
On Windows, the attack included downloading the Java Development Kit to execute a malicious JAR file hosted on a remote server. This payload then retrieved an additional module designed to steal credentials from Discord and cryptocurrency wallets stored in Google Chrome.
Sysdig reports that over 17,000 Open WebUI instances are exposed online, though the exact number of vulnerable systems remains unknown. Experts stress that misconfigured public-facing systems continue to be one of the leading causes of major security breaches—with cryptominers representing merely the visible tip of the iceberg. In the case of Windows, attackers employ even more sophisticated methods for evasion and data theft, posing a heightened threat to organizations operating hybrid or cloud-based infrastructures.
Donate