Self-propagating malware exploits exposed Docker APIs to mine Dero

A self-propagating malware campaign is abusing Docker Engine APIs exposed to the internet to run cryptocurrency mining on compromised hosts. It targets daemons listening on TCP port 2375, the conventional port for the unencrypted, unauthenticated remote API; Shodan data showed roughly 520 such endpoints worldwide as of April 2025.

No user interaction or software vulnerability is needed: a Docker API reachable without authentication already grants full control of the daemon, so the campaign relies purely on misconfiguration. After compromising a host, the malware picks random IPv4 /16 ranges and scans them with masscan for further daemons listening on port 2375.

The malware autonomously propagates through misconfigured Docker APIs, scanning random subnets with masscan to identify and compromise additional vulnerable endpoints.

For each responsive daemon, the malware uses the remote API to create and start a malicious Ubuntu 18.04-based container that serves as both a propagation node and a miner.
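The scan-then-probe step above is also how a defender verifies exposure on their own ranges. The following is an added example, not code from the article or from the malware: it parses masscan's list output (`-oL`) for hosts answering on 2375, asks each one for `GET /version`, which the Engine API answers without any authentication when the socket is exposed, and audits a `daemon.json` for a `hosts` entry that listens on TCP without TLS client verification. The masscan lines, the HTTP responses and both `daemon.json` variants are constructed so the demo runs offline; the `fetch` parameter lets you swap in the real `urllib` transport.

```python
"""Triage of exposed Docker Engine APIs (added example; offline by default)."""
import json
import re
from typing import Callable, Dict, Iterable, List, Optional
from urllib.request import urlopen

DOCKER_PLAIN_PORT = 2375

# masscan -oL lines look like: "open tcp 2375 192.0.2.10 1712345678"
MASSCAN_LINE = re.compile(r"^open\s+tcp\s+(\d+)\s+(\S+)\s+\d+$")


def parse_masscan_list(lines: Iterable[str], port: int = DOCKER_PLAIN_PORT) -> List[str]:
    """Hosts masscan reported open on `port`; comment lines and other ports are ignored."""
    hosts = []
    for line in lines:
        m = MASSCAN_LINE.match(line.strip())
        if m and int(m.group(1)) == port:
            hosts.append(m.group(2))
    return hosts


def http_get(url: str, timeout: float = 3.0) -> bytes:
    """Real transport for use against your own assets (not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def probe_docker_api(host: str, fetch: Callable[[str], bytes] = http_get,
                     port: int = DOCKER_PLAIN_PORT) -> Optional[Dict[str, str]]:
    """Return daemon version info if `host` serves the Engine API unauthenticated, else None."""
    try:
        info = json.loads(fetch(f"http://{host}:{port}/version"))
    except Exception:            # connection refused, timeout, non-JSON body, ...
        return None
    if not isinstance(info, dict) or "ApiVersion" not in info:
        return None              # something other than dockerd is listening
    return {"host": host, "ApiVersion": info["ApiVersion"],
            "Version": info.get("Version", ""), "Os": info.get("Os", "")}


def daemon_json_plain_tcp_hosts(config: dict) -> List[str]:
    """`hosts` entries of a daemon.json that accept TCP without TLS client verification."""
    if config.get("tlsverify") is True:
        return []
    return [h for h in config.get("hosts", []) if h.startswith("tcp://")]


# ---- constructed sample data -------------------------------------------------
SAMPLE_MASSCAN = """#masscan
open tcp 2375 192.0.2.10 1712345678
open tcp 22 192.0.2.11 1712345679
open tcp 2375 192.0.2.12 1712345680
# end
"""

# 192.0.2.10 is an exposed daemon; 192.0.2.12 has an unrelated web server on 2375.
CANNED_RESPONSES = {
    "http://192.0.2.10:2375/version":
        b'{"Version":"24.0.7","ApiVersion":"1.43","Os":"linux","Arch":"amd64"}',
    "http://192.0.2.12:2375/version": b"<html>not docker</html>",
}


def canned_fetch(url: str) -> bytes:
    if url not in CANNED_RESPONSES:
        raise ConnectionError(url)
    return CANNED_RESPONSES[url]


WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def run_demo() -> List[Dict[str, str]]:
    """Exposed daemons found in the constructed masscan output."""
    exposed = []
    for host in parse_masscan_list(SAMPLE_MASSCAN.splitlines()):
        info = probe_docker_api(host, canned_fetch)
        if info:
            exposed.append(info)
    return exposed


if __name__ == "__main__":
    print("exposed daemons:", run_demo())
    print("weak daemon.json plain-TCP hosts:", daemon_json_plain_tcp_hosts(WEAK_DAEMON_JSON))
    print("hardened daemon.json plain-TCP hosts:", daemon_json_plain_tcp_hosts(HARDENED_DAEMON_JSON))
```

Only scan address space you own or are authorised to test. The hardened configuration still exposes the API on the network; if remote access is not required, the right fix is to drop the `tcp://` entry altogether and leave only the Unix socket.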

The malware consists of two Go binaries, both packed with UPX, which compresses the executable and hides its strings from naive static analysis and signature matching. The "nginx" component handles propagation while masquerading as the web server of the same name; the "cloud" component performs the mining and is based on the DeroHE CLI mining project.

Both components carry their configuration encrypted, including the hardcoded wallet and node details, so the values cannot simply be read out of the binary.

Persistence relies on file placement and a shell startup hook: the malware copies its binaries into `/usr/bin/` and appends to `/root/.bash_aliases`, which the default Ubuntu `~/.bashrc` sources for interactive shells, so the components are relaunched whenever root opens a shell in the container.

This lets the infection survive container restarts and host reboots, as long as the container is brought back up and a root shell is started. The campaign builds on earlier cryptojacking operations that targeted container environments.

The campaign's most notable characteristic is its decentralized design, which needs no command-and-control infrastructure. Each infected container functions autonomously as both a scanner and a miner, mining Dero and sending the proceeds to the attackers' wallets.

The mining component decrypts the wallet and node details at runtime and connects directly to the Dero network. To avoid reinfecting a container it has already compromised, the malware drops a sentinel file, `/usr/bin/version.dat`, and checks for it before acting.
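The artifacts in the two paragraphs above (the binaries dropped into `/usr/bin/`, the commands appended to `/root/.bash_aliases`, and the `/usr/bin/version.dat` sentinel) are concrete enough to hunt for. The following is an added example and not code from the article or the malware: point `scan_container_root` at an extracted `docker export` tree or an overlay2 `merged` directory and it reports the sentinel, any non-alias command planted in `.bash_aliases`, and any ELF file under `/usr/bin` that carries the `UPX!` packer marker. The UPX check is a heuristic I add on the basis of the article's statement that the binaries are UPX-packed; a packer whose marker was stripped would evade it. `build_fixture` constructs a harmless lookalike tree so the demo runs offline.

```python
"""Hunt for the worm's persistence artifacts in a container filesystem (added example)."""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

SENTINEL = Path("usr/bin/version.dat")
BASH_ALIASES = Path("root/.bash_aliases")
BIN_DIR = Path("usr/bin")
ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"      # marker present in UPX-packed binaries unless deliberately stripped

# Lines that legitimately belong in .bash_aliases: alias definitions, comments, blanks.
ALIAS_DEF = re.compile(r"^\s*(alias\s+\S+=|#|$)")


def login_exec_lines(text: str) -> List[str]:
    """Lines in .bash_aliases that are commands executed at shell startup, not alias definitions."""
    return [ln.strip() for ln in text.splitlines() if not ALIAS_DEF.match(ln)]


def is_upx_packed_elf(path: Path) -> bool:
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return data.startswith(ELF_MAGIC) and UPX_MAGIC in data


def scan_container_root(root: Path) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the artifacts described in the article."""
    findings: List[Tuple[str, str]] = []

    if (root / SENTINEL).is_file():
        findings.append(("sentinel", "/" + SENTINEL.as_posix()))

    aliases = root / BASH_ALIASES
    if aliases.is_file():
        for cmd in login_exec_lines(aliases.read_text(errors="replace")):
            findings.append(("login_exec", cmd))

    bindir = root / BIN_DIR
    if bindir.is_dir():
        for p in sorted(bindir.iterdir()):
            if p.is_file() and not p.is_symlink() and is_upx_packed_elf(p):
                findings.append(("upx_binary", "/" + p.relative_to(root).as_posix()))
    return findings


def build_fixture() -> Path:
    """Constructed infected-looking tree (no real malware); returns its root directory."""
    root = Path(tempfile.mkdtemp(prefix="dockerworm-"))
    (root / BIN_DIR).mkdir(parents=True)
    (root / "root").mkdir()
    (root / SENTINEL).write_text("1\n")
    # fake "cloud" binary: ELF header followed by the UPX marker
    (root / BIN_DIR / "cloud").write_bytes(ELF_MAGIC + b"\x00" * 60 + UPX_MAGIC + b"\x00" * 64)
    # a clean, unpacked binary that must not be flagged
    (root / BIN_DIR / "ls").write_bytes(ELF_MAGIC + b"\x00" * 128)
    (root / BASH_ALIASES).write_text("alias ll='ls -la'\n# comment\n/usr/bin/nginx &\n")
    return root


if __name__ == "__main__":
    for kind, detail in scan_container_root(build_fixture()):
        print(f"{kind:12s} {detail}")
```

Run it against a live container with `docker export <id> | tar -x -C /tmp/ctr` followed by `scan_container_root(Path("/tmp/ctr"))`; on the host, the same function works on `/var/lib/docker/overlay2/<id>/merged`.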

This worm-like propagation model facilitates exponential growth potential, with every compromised container actively seeking additional vulnerable targets. The combination of automated scanning, remote deployment capabilities, and persistent mining operations creates a self-sustaining botnet that operates largely undetected across containerized environments, highlighting critical security gaps in Docker API exposure practices.
