Stealthy New Malware Targets Docker Images with Advanced Obfuscation Technique

A sophisticated new malware campaign has been uncovered that leverages Docker Hub as its initial attack vector.

This campaign is notable for its use of advanced, multi-layered obfuscation techniques, complicating both detection by security tools and manual analysis by researchers.

The attack centers on a publicly hosted Docker image, kazutod/tene:ten, which contains a Python script (ten.py) as its primary payload, with each stage shielded by layered encoding and compression.

Upon deployment, the malicious Docker image executes the embedded ten.py script.

Figure: Use of CyberChef to decode the ten.py script.

Initial analysis reveals an elaborate obfuscation mechanism: the script reverses a Base64 string, decodes it, and then decompresses the result with zlib, all nested within a Python lambda function.

This process is not a one-off; the script decodes and decompresses payloads recursively over more than 60 successive iterations, each executing a further-obfuscated string.

This repeated layering appears designed to thwart both automated static analysis and signature-based detection engines.

While this multitude of layers could, in theory, hinder reverse engineering, security analysts demonstrated that decoding the payloads remains feasible, albeit time-consuming.

Shift in Cryptojacking Techniques

Once fully de-obfuscated, the underlying code reveals a deviation from traditional cryptojacking methods.

Instead of directly leveraging computing resources to mine cryptocurrencies such as Monero, the malware initiates a network connection to teneo[.]pro, a site associated with a legitimate Web3 startup.

The script establishes a persistent WebSocket session, periodically sending keep-alive pings to accumulate “Teneo Points”, the startup’s proprietary crypto token.

Figure: Extraction of the resulting tar file.

This activity does not conduct any data scraping but instead exploits the reward system, earning cryptocurrency tokens based merely on connection heartbeats, thus circumventing more detectable mining activities.
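Because this monetization produces no CPU spike, the observable is the network behaviour: a container holding a long-lived WebSocket session, and reconnecting to keep it alive, to a host that has no business relationship with the workload. The detection below is an added example for this article, not vendor or project code; the egress-proxy record format and the allow-list are assumptions, and the sample lines are constructed, with teneo.pro used only because the write-up names it.

```python
import json
from collections import defaultdict

# Constructed egress-proxy records for containers. The field names are an
# assumption for this example, not any real product's schema.
SAMPLE_LOG = """\
{"container": "web-1", "dst_host": "registry-1.docker.io", "proto": "https", "duration_s": 2}
{"container": "tene-7", "dst_host": "teneo.pro", "proto": "websocket", "duration_s": 3600}
{"container": "tene-7", "dst_host": "teneo.pro", "proto": "websocket", "duration_s": 3600}
{"container": "api-2", "dst_host": "api.internal.invalid", "proto": "websocket", "duration_s": 7200}
{"container": "web-1", "dst_host": "cdn.example.invalid", "proto": "websocket", "duration_s": 30}
"""

# Hosts that workloads are expected to hold WebSocket sessions with (assumed).
ALLOWED_WS_HOSTS = {"api.internal.invalid"}


def parse_records(text: str) -> list[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines rather than failing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def flag_sessions(records: list[dict], allowed: set[str], min_total_s: int = 1800) -> list[dict]:
    """Aggregate WebSocket sessions per (container, host) and flag long-lived ones
    to hosts outside the allow-list. Reconnect count is reported because the
    heartbeat-for-reward pattern re-establishes the session whenever it drops."""
    totals: dict[tuple[str, str], dict] = defaultdict(lambda: {"sessions": 0, "total_s": 0})
    for rec in records:
        if rec.get("proto") != "websocket":
            continue
        host = rec.get("dst_host", "")
        if host in allowed:
            continue
        key = (rec.get("container", "?"), host)
        totals[key]["sessions"] += 1
        totals[key]["total_s"] += int(rec.get("duration_s", 0))

    flagged = [
        {"container": c, "dst_host": h, **stats}
        for (c, h), stats in totals.items()
        if stats["total_s"] >= min_total_s
    ]
    return sorted(flagged, key=lambda f: f["total_s"], reverse=True)


if __name__ == "__main__":
    for finding in flag_sessions(parse_records(SAMPLE_LOG), ALLOWED_WS_HOSTS):
        print(finding)
```

The short `cdn.example.invalid` session is not flagged because cumulative duration, not protocol alone, drives the alert; tune `min_total_s` to the longest legitimate WebSocket lifetime in the environment, and treat any hit from a container whose image came from an unvetted Docker Hub namespace as high priority.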

The attacker’s Docker Hub profile suggests a broader campaign, employing similar containers to interface with distributed computing networks, possibly for monetization through private or semi-closed crypto ecosystems.

Unlike highly detectable mining software such as XMRig, these new methods harness the incentives of decentralized applications, making attribution and profit estimation more challenging, as private tokens lack public transaction visibility or established market pricing.

Implications and Defensive Measures

According to the report, this campaign underscores the growing sophistication of threat actors targeting Docker environments, exploiting both technical vulnerabilities and trust in community-driven platforms.

Docker remains highly susceptible to exploitation, particularly when services are exposed to the internet without proper authentication or network segmentation.

The evolving use of obfuscation combined with the pivot from direct mining to more covert, incentive-based monetization highlights the importance of comprehensive defense-in-depth strategies.

Administrators are urged to avoid unnecessary exposure of Docker services, enforce strict authentication, and apply network firewalls to limit unauthorized access.
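The exposure the article warns about most often comes from the Docker daemon's own listener: a `tcp://` entry in `hosts` without `tlsverify` hands root-equivalent control of the host to anyone who can reach the port. The audit below is an added example for this article, not Docker's tooling; it reads the real daemon.json keys (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and shows a weak configuration beside a corrected one, both constructed for the example.

```python
import json
from urllib.parse import urlparse

# Real daemon.json keys that must accompany tlsverify for client-certificate auth.
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")

# Constructed configurations for the example; not taken from any real host.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def audit_daemon_config(config: dict) -> list[str]:
    """Return human-readable findings for a parsed daemon.json; empty means no issue found."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if urlparse(h).scheme == "tcp"]

    if tcp_hosts and not config.get("tlsverify"):
        if config.get("tls"):
            findings.append("tls is set but tlsverify is not: connections are encrypted "
                            "yet any client is accepted")
        else:
            findings.append("daemon listens on TCP without TLS or client verification: "
                            + ", ".join(tcp_hosts))

    if config.get("tlsverify") and not all(k in config for k in TLS_MATERIAL):
        missing = [k for k in TLS_MATERIAL if k not in config]
        findings.append("tlsverify set but TLS material incomplete: " + ", ".join(missing))

    for h in tcp_hosts:
        host = urlparse(h).hostname
        if host in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h} binds every interface; bind to a management address instead")

    return findings


def audit_daemon_file(path: str = "/etc/docker/daemon.json") -> list[str]:
    """Load and audit a daemon.json from disk; a missing file means defaults (socket only)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return audit_daemon_config(json.load(fh))
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```

The check covers daemon.json only; `-H tcp://...` flags passed on the dockerd command line in a systemd drop-in bypass it, so pair it with an inspection of `systemctl cat docker` and a listening-socket check on 2375/2376. A mutually authenticated listener still belongs behind a firewall restricted to management addresses.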

The capacity to de-obfuscate multi-layered scripts remains essential for incident response teams, as attackers continue to refine their tactics to evade detection and maximize illicit gains.

As attackers innovate through the abuse of legitimate tools and emerging decentralized platforms, constant vigilance and adaptive security practices are paramount to defending modern containerized infrastructure.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
