Expanding Cryptojacking Attacks Exploit Misconfigured Docker APIs via TOR Network

Cybersecurity researchers have identified an evolution in cryptojacking campaigns that exploit misconfigured Docker APIs, leveraging the TOR network to enhance anonymity and evade detection. This sophisticated attack not only mines cryptocurrency illicitly but also establishes a foundation for potential botnet operations.

Initial Discovery and Attack Mechanism

In June 2025, Trend Micro uncovered a malicious campaign targeting exposed Docker instances. Attackers exploited these misconfigurations to deploy XMRig cryptocurrency miners, utilizing TOR domains to conceal their activities. The attack sequence began with unauthorized access to Docker APIs, followed by the creation of new containers based on the Alpine Docker image. These containers mounted the host file system, allowing attackers to execute Base64-encoded payloads that downloaded and ran shell scripts from .onion domains. These scripts modified SSH configurations to establish persistence and installed tools like masscan and torsocks for reconnaissance and communication with command-and-control (C2) servers.

Recent Developments and Enhanced Tactics

Building upon these findings, Akamai’s research in August 2025 revealed a variant of the original campaign with expanded capabilities. This new strain not only continues to exploit misconfigured Docker APIs but also implements measures to prevent other malicious actors from accessing the compromised Docker API, effectively monopolizing control over the infected systems.

The attack chain remains consistent:

1. Unauthorized Access: Attackers gain entry through exposed Docker APIs.

2. Container Deployment: They create containers using the Alpine Docker image, mounting the host file system.

3. Payload Execution: A Base64-encoded payload is executed to download a shell script from a .onion domain.

4. Persistence and Tool Installation: The script alters SSH configurations for persistent access and installs tools such as masscan, libpcap, and torsocks.

A notable addition in this variant is a dropper written in Go that embeds its payload, so the initial stages need no external communication. The dropper parses the utmp file to identify currently logged-in users and even uses emojis in its source code to represent user sessions, a detail that suggests large language models (LLMs) may have been used in its development.

Propagation and Potential Botnet Formation

The dropper uses masscan to find other systems with the Docker API port (2375) open and repeats the infection process on those machines. It also checks for open ports 23 (Telnet) and 9222 (Chromium remote debugging), which suggests the authors plan to add further propagation methods.

– Telnet Exploitation: The malware attempts to brute-force access using default credentials for routers and devices, sending successful login details to a specified endpoint.

– Chromium Remote Debugging: By interacting with open remote debugging ports, the malware can attach to existing browser sessions, potentially exfiltrating sensitive data or enlisting devices into a botnet for further malicious activities.

While the current implementation does not fully exploit these additional ports, the existing codebase suggests an intent to develop these capabilities, posing a significant threat to internet-connected systems.

Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement the following measures:

– Secure Docker Configurations: Ensure Docker APIs are not exposed to the internet without proper authentication and authorization mechanisms.

– Regular Updates and Patching: Keep all systems, including Docker and associated tools, updated to mitigate vulnerabilities.

– Network Monitoring: Deploy monitoring solutions to detect unusual activities, such as unauthorized container creation or unexpected network traffic patterns.

– Access Controls: Restrict SSH access to trusted IP addresses and disable password authentication in favor of key-based authentication.

– User Education: Train staff on the risks of default credentials and the importance of changing them to strong, unique passwords.
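The attack chain above leaves a recognisable footprint in the Docker API: an Alpine container whose command pipes a Base64 blob into a shell and whose bind mounts expose the host file system. The following triage script is an added example, not code from Trend Micro, Akamai or the campaign; it scores `docker inspect` records against those indicators. The three sample records are constructed, while the field names (`Config.Cmd`, `HostConfig.Binds`, `HostConfig.Privileged`) are the real ones returned by `docker inspect`, so the same logic can be pointed at `docker inspect $(docker ps -aq)` output.

```python
import json

# Constructed sample records in the shape of `docker inspect` output, trimmed
# to the fields used here. They are illustrative, not captured from a real host.
SAMPLE_CONTAINERS = [
    {   # matches the campaign's pattern: alpine, host root mounted, base64 | sh
        "Id": "c1",
        "Config": {"Image": "alpine", "Cmd": ["sh", "-c", "echo aGVsbG8= | base64 -d | sh"]},
        "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
    },
    {   # ordinary workload with a named volume, should not be flagged
        "Id": "c2",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["web-data:/usr/share/nginx/html"], "Privileged": False},
    },
    {   # no host mount or payload, but privileged, which still deserves a look
        "Id": "c3",
        "Config": {"Image": "alpine", "Cmd": ["sleep", "infinity"]},
        "HostConfig": {"Binds": [], "Privileged": True},
    },
]

# Host paths whose exposure gives an attacker persistence (root fs, SSH config,
# home directories with authorized_keys). Bind entries look like "host:container".
HOST_ROOT_PREFIXES = ("/:", "/etc:", "/root:", "/home:")

def mounts_host_root(binds):
    """True if any bind mount exposes the host root or a persistence-relevant host dir."""
    return any(b.startswith(HOST_ROOT_PREFIXES) for b in binds or [])

def decodes_payload(cmd):
    """True if the container command decodes base64 and pipes the result into a shell."""
    joined = " ".join(cmd or [])
    return "base64" in joined and ("| sh" in joined or "| bash" in joined)

def assess(container):
    """Return the indicator names matching one inspect record (empty list if clean)."""
    findings = []
    hc, cfg = container.get("HostConfig", {}), container.get("Config", {})
    if mounts_host_root(hc.get("Binds")):
        findings.append("host-fs-mount")
    if hc.get("Privileged"):
        findings.append("privileged")
    if decodes_payload(cfg.get("Cmd")):
        findings.append("base64-shell-payload")
    return findings

def triage(containers):
    """Map container Id -> findings, keeping only containers with at least one hit."""
    results = {}
    for c in containers:
        hits = assess(c)
        if hits:
            results[c["Id"]] = hits
    return results

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONTAINERS), indent=2))
```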

By proactively implementing these strategies, organizations can reduce the risk of falling victim to evolving cryptojacking campaigns that exploit misconfigured Docker APIs and leverage the TOR network for anonymity.