Zombie Container Network Unleashes New Cryptojacking Era

A new malware strain targeting container infrastructure has spread rapidly worldwide, converting breached containers into automated "zombie" cryptocurrency miners. The attack specifically exploits vulnerable Docker APIs, often reachable on port 2375.

According to Kaspersky Laboratory, the attackers infiltrate the system, deploy infected containers, and set off a continuous self-replicating cycle. Each compromised container serves as a launching point for subsequent attacks, forming a decentralized network of digital zombies.

The primary target is the open Docker API, through which the attackers can spread infected container images and inject malicious code. Two executable files, written in Go and packed with UPX, are downloaded during the compromise.

One of the files masquerades as the nginx web server and handles propagation (identified as trojan.linux.agent.gen), while the other is a Dero cryptocurrency miner named "Cloud" (identified as risktool.linux.miner.gen).

An infected container logs its activity to "/var/log/nginx.log" and creates a version file at "/usr/bin/version.dat" to mark hosts that are already infected. The malware then actively scans random IPv4 subnets with the Masscan utility to locate other vulnerable Docker APIs.

When a suitable target is identified, new malicious containers with random 12-character names are created and proceed to attack remote hosts, primarily running Ubuntu 18.04. Each new container is automatically equipped with the necessary tools, such as Masscan and Docker.io, along with copies of the malware.
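The three host-side signals the article names (a plaintext Docker API listener on TCP port 2375, the "/var/log/nginx.log" and "/usr/bin/version.dat" markers, and containers with random 12-character names) can be turned into a small triage check. The script below is an added example and is not code from the article or from Kaspersky; it assumes the random names are lowercase alphanumeric, and it works on text you collect yourself (a `daemon.json`, container names from `docker ps`, a file listing) so it runs offline.

```python
"""Offline triage for the exposed-Docker-API cryptojacking campaign (added example)."""
import json
import re
from typing import Iterable, List

# Infection markers named in the article.
INFECTION_ARTIFACTS = ("/var/log/nginx.log", "/usr/bin/version.dat")

# The campaign uses 12-character random container names; Docker's own defaults
# are "<adjective>_<noun>". Assumption: the random names are lowercase alphanumeric.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")


def exposed_api_hosts(daemon_json: str) -> List[str]:
    """Return plaintext TCP listeners from a dockerd daemon.json.

    This is the weak setting the article warns about: a "tcp://" host entry
    with no "tlsverify", which makes the API reachable without authentication.
    """
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):  # client-certificate authentication enforced
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def suspicious_containers(names: Iterable[str]) -> List[str]:
    """Flag container names matching the campaign's 12-character random pattern."""
    return [n for n in names if RANDOM_NAME.match(n)]


def present_artifacts(existing_paths: Iterable[str]) -> List[str]:
    """Return which of the article's infection markers appear in a file listing."""
    found = set(existing_paths)
    return [p for p in INFECTION_ARTIFACTS if p in found]


if __name__ == "__main__":
    # Constructed sample input for demonstration only.
    weak = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    hardened = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')
    print("weak config exposes:", exposed_api_hosts(weak))        # ['tcp://0.0.0.0:2375']
    print("hardened config exposes:", exposed_api_hosts(hardened))  # []
    print(suspicious_containers(["nginx_proxy", "k3x9f2qwe7rt", "romantic_turing"]))
    print(present_artifacts(["/usr/bin/version.dat", "/etc/passwd"]))
```

A hit on any one check is a triage cue, not proof of compromise; the container-name pattern in particular is an assumption and should be confirmed against the other markers.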

The distribution process is entirely automated and does not rely on a command-and-control (C2) server, which makes the attack highly dangerous because of its scalability and rapid infection rate.

The Cloud miner is derived from the open-source Derohe Cli project and uses encrypted settings, including wallet addresses and node lists, that are decrypted at runtime with the AES-CTR algorithm. If mining is interrupted, the "nginx" module automatically restarts the process, ensuring continuous Dero mining on the victim's resources.

Unlike more discreet attacks on Kubernetes, this current campaign aggressively infiltrates neighboring networks without concealment, focusing on mass and speed. As of April 2025, Shodan has identified 520 vulnerable Docker APIs worldwide susceptible to this type of attack.

The autonomous nature of the zombie network, lack of C2 infrastructure, and high level of automation make this threat particularly challenging and destructive. Kaspersky Laboratory experts emphasize that effective protection requires specialized container security solutions.

This attack underscores the critical importance of not only securing initial container images but also safeguarding their runtime environments. Without proper controls in place, any vulnerable point can serve as
