
A new malicious campaign targeting containerized infrastructures is spreading rapidly across the globe, transforming compromised containers into automated cryptocurrency-mining “zombies.” The attack primarily exploits vulnerable and misconfigured Docker API interfaces, most commonly exposed via port 2375.
According to Kaspersky Lab, threat actors infiltrate systems, launch infected containers, and initiate a continuous self-propagation cycle. Each compromised container becomes a launchpad for subsequent attacks, forming a decentralized swarm of digital zombies.
The primary targets are exposed Docker APIs, which allow attackers to deploy malicious container images and inject harmful code. Upon compromise, two executable files—written in Go and compressed with UPX—are downloaded.
The first file masquerades as an Nginx web server and serves as the propagation mechanism (detected as Trojan.Linux.Agent.gen), while the second is a Dero cryptocurrency miner named “cloud” (detected as RiskTool.Linux.Miner.gen).
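The exposure this campaign depends on is a dockerd TCP listener without client authentication. The following added example (not code from the article or from Kaspersky) audits a daemon.json for that condition using the real `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys dockerd accepts; the two configurations inside it are constructed samples, the weak one beside a hardened one bound to a single interface with mutual TLS.

```python
"""Audit a dockerd configuration for the exposure the worm abuses.

Added example, not part of the article or any vendor tooling. It inspects the
`hosts` and TLS keys that /etc/docker/daemon.json really supports and reports
any plain-TCP listener (the campaign hunts TCP 2375 with no authentication).
Both configurations below are constructed samples, not files from the page.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Constructed: the misconfiguration the campaign exploits.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: the same daemon bound to one interface, mutual TLS required.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

# Matches tcp://addr:port, tcp://[v6]:port, or a bare tcp:// (dockerd defaults to 2375).
_TCP_HOST = re.compile(r"^tcp://(?P<addr>[^:]*|\[[^\]]*\]):?(?P<port>\d+)?$")


def audit_daemon_config(config: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means no TCP exposure problem."""
    findings: list[str] = []
    tls_verify = bool(config.get("tlsverify"))
    tls_files = [config.get(k) for k in ("tlscacert", "tlscert", "tlskey")]
    for host in config.get("hosts", []):
        m = _TCP_HOST.match(host)
        if not m:
            continue  # unix:// and fd:// listeners are local-only
        addr, port = m.group("addr"), m.group("port") or "2375"
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_verify:
            findings.append(f"{host}: plain TCP listener without tlsverify (any client can run containers)")
        elif not all(tls_files):
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if port == "2375":
            findings.append(f"{host}: uses 2375, the unencrypted-API port the worm scans for")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Convenience wrapper for the raw contents of daemon.json."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(cfg) or ["OK"])
```

On hosts where dockerd is started by systemd, `hosts` may instead be set through the `-H` flag on the unit's `ExecStart`, so an audit should read that command line as well as daemon.json.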
The infected container logs its activity to /var/log/nginx.log and writes a version marker to /usr/bin/version.dat so that already-infected targets can be told apart. It then aggressively scans random IPv4 subnets with the masscan utility, looking for further exposed Docker APIs. When it finds a suitable host (typically one running Ubuntu 18.04), it deploys new malicious containers with randomly generated 12-character names to infect the remote system.
Each newly spawned container is automatically equipped with all necessary tools, including masscan, docker.io, and copies of the malware components. The propagation is fully automated and operates without a command-and-control (C2) server, making the campaign particularly dangerous due to its scalability and infection velocity.
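The indicators above (random 12-character container names, masscan inside the container, the "cloud" miner process, the /usr/bin/version.dat marker and /var/log/nginx.log) can be turned into a simple triage score. The following is an added example, not code from the article or from Kaspersky; the container inventory it scores is constructed, and on a real host the same fields would be gathered with `docker ps`, `docker top <id>` and `docker exec <id> test -e <path>`.

```python
"""Score a Docker host's containers against the worm's published indicators.

Added example, not from the article or any vendor. Marker files and a running
masscan weigh most; a random-looking name alone does not raise an alert, since
operators do sometimes name containers that way. The inventory below is
constructed: container names, image tags and process lines are invented.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Docker auto-names containers adjective_noun; the worm uses 12 random characters.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")
MARKER_FILES = {"/usr/bin/version.dat", "/var/log/nginx.log"}
ALERT_THRESHOLD = 3

# Constructed inventory, one JSON record per container.
INVENTORY = """
{"name": "web_proxy", "image": "nginx:1.25", "processes": ["nginx: master process nginx -g daemon off;"], "files_present": []}
{"name": "k3x9q2m7v1pz", "image": "ubuntu:18.04", "processes": ["/usr/bin/nginx", "/usr/bin/masscan -p2375"], "files_present": ["/var/log/nginx.log", "/usr/bin/version.dat"]}
{"name": "xmpl4u7r9wq2", "image": "ubuntu:18.04", "processes": ["/usr/bin/cloud"], "files_present": ["/usr/bin/version.dat"]}
{"name": "build_cache", "image": "alpine:3.19", "processes": ["sleep infinity"], "files_present": []}
{"name": "staging-api-1", "image": "python:3.12", "processes": ["python app.py", "cloud-sync --once"], "files_present": []}
"""


@dataclass
class ContainerSnapshot:
    """What a responder gathers per container: name, image, process list, marker-file presence."""
    name: str
    image: str
    processes: list[str]
    files_present: set[str]


def score_container(c: ContainerSnapshot) -> tuple[int, list[str]]:
    """Return (score, reasons) for one container."""
    score, reasons = 0, []
    if RANDOM_NAME.match(c.name):
        score += 2
        reasons.append("random 12-character container name")
    argv0 = [p.split()[0] for p in c.processes if p.split()]
    if any("masscan" in a for a in argv0):
        score += 3
        reasons.append("masscan running inside container")
    if any(a.rsplit("/", 1)[-1] == "cloud" for a in argv0):
        score += 1
        reasons.append("process named 'cloud' (Dero miner name)")
    hits = sorted(MARKER_FILES & c.files_present)
    if hits:
        score += 3
        reasons.append("marker file(s) present: " + ", ".join(hits))
    return score, reasons


def triage(inventory_jsonl: str) -> list[tuple[str, int, list[str]]]:
    """Parse the inventory; return (name, score, reasons) for containers at or above threshold."""
    flagged = []
    for line in inventory_jsonl.strip().splitlines():
        rec = json.loads(line)
        snap = ContainerSnapshot(rec["name"], rec["image"], list(rec["processes"]), set(rec["files_present"]))
        score, reasons = score_container(snap)
        if score >= ALERT_THRESHOLD:
            flagged.append((snap.name, score, reasons))
    return flagged


if __name__ == "__main__":
    for name, score, reasons in triage(INVENTORY):
        print(f"{name}: score {score}: {'; '.join(reasons)}")
```

Because the worm re-infects anything it can reach, a flagged host should be isolated from the network before the containers are removed, and the Docker API exposure that let them in fixed before the host is reconnected.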
The “cloud” miner is based on the open-source DeroHE CLI project and carries an encrypted configuration, including a wallet address (dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y) and node addresses (d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link), which is decrypted at runtime with AES-CTR. If mining stops, the Nginx module automatically restarts the miner, ensuring uninterrupted exploitation of the victim’s resources.
Unlike the more sophisticated and stealthy campaigns targeting Kubernetes, this operation advances with brazen aggression—eschewing obfuscation in favor of speed and volume. As of April 2025, Shodan data indicates that 520 Docker API interfaces worldwide remain exposed to this form of attack.
The network’s autonomy, absence of centralized C2 infrastructure, and high level of automation render it especially elusive and destructive. According to Kaspersky experts, effective mitigation is achievable only through the deployment of dedicated container security solutions.
This campaign starkly illustrates the critical importance of securing not only the container images themselves but also their runtime environments. Without proper safeguards, any exposed entry point can serve as the origin of a widespread digital epidemic.