Tag: docker

10 Attack Reports | 0 Vulnerabilities

Attack reports

Dero miner spreads inside containerized Linux environments

A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx' for propagation and 'cloud' for mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers, and compromises e…
linux
persistence
cloud
docker
cryptocurrency mining
container security
nginx
2025-05-21
dero
golang malware
port scanning
Published: May 21, 2025
Downloadable IOCs: 3

Dero miner zombies biting through Docker APIs to build a cryptojacking horde

A new Dero mining campaign exploits insecurely published Docker APIs to spread through containerized Linux environments. The attack uses two Golang malware implants: 'nginx' for propagation and 'cloud' for cryptocurrency mining. The 'nginx' malware scans for vulnerable Docker APIs, creates maliciou…
linux
cloud
exploitation
docker
cryptocurrency mining
nginx
2025-05-21
dero
containerized environments
golang malware
Published: May 21, 2025
Downloadable IOCs: 3

A Deep Dive into TeamTNT and Spinning YARN

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persiste…
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus
Published: December 18, 2024
Downloadable IOCs: 35

Gafgyt Malware Broadens Its Scope in Recent Attacks

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The …
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite
Published: December 3, 2024
Downloadable IOCs: 25

Docker Gatling Gun Campaign

Recent research has uncovered a new malicious campaign orchestrated by the notorious hacking group TeamTNT. This campaign exploits exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, utilizing compromised servers and Docker Hub as infrastructure for spreading their mali…
campaign
sliver
malicious
cryptomining
docker
tsunami
2024-10-26
exposed-daemons
cloud-native
container-security
docker-swarm
docker-hub
2024-10-29
prochider
Published: October 29, 2024
Downloadable IOCs: 11

Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

A malicious actor has been observed targeting Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker utilizes the gRPC protocol over h2c (clear text HTTP/2 protocol) to evade security measures and execute cryptomining operations on Docker hosts. The…
cryptomining
docker
container security
2024-10-22
http/2
xrp
grpc
remote api
srbminer
Published: October 22, 2024
Downloadable IOCs: 2

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash scrip…
evasion
persistence
docker
privilege escalation
perfctl
2024-10-21
remote api
linux malware
container exploitation
Published: October 21, 2024
Downloadable IOCs: 6

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hu…
xmrig
kubernetes
cryptojacking
docker
2024-09-25
container security
docker swarm
Published: September 25, 2024
Downloadable IOCs: 41

Attackers deploying new tactics in campaign targeting exposed Docker APIs

Datadog Security Researchers recently encountered a new campaign that targets Docker API endpoints publicly exposed without authentication, with the objective of spreading cryptojacking malware. The observed TTPs bear resemblance to those seen in Spinning YARN, another campaign discovered in March …
docker
2024-06-20
xmrig miner
compiler
yarn
docker host
spinning yarn
docker engine
mnt directory
go code
tencent
vurl
exeremo
chkstart
execstartpost
Published: June 20, 2024
Linked vulnerabilities : CVE-2023-22515, CVE-2022-26134
Downloadable IOCs: 37

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports