Uncovering a Tor-Enabled Docker Exploit

June 18, 2025, 11:27 a.m.

Description

A sophisticated attack campaign exploits exposed Docker Remote APIs and leverages the Tor network to deploy stealthy cryptocurrency miners. The attackers gain access to containerized environments, use Tor to mask their activities, and employ the ZStandard compression algorithm for efficient payload delivery. The attack sequence involves initial access through the Docker API, container creation with host system access, deployment of a malicious script, SSH configuration modification for persistent access, installation of supporting tools, and finally the execution of an XMRig crypto miner. This campaign particularly targets cloud-heavy sectors like technology, finance, and healthcare. The attackers demonstrate advanced evasion techniques and utilize various MITRE ATT&CK framework tactics.

Date

  • Created: June 18, 2025, 10:52 a.m.
  • Published: June 18, 2025, 10:52 a.m.
  • Modified: June 18, 2025, 11:27 a.m.

Indicators


Attack Patterns

Additional Information

  • Technology
  • Healthcare
  • Finance

Linked vulnerabilities