
Infection chain | Image: Kaspersky
Kaspersky Labs has uncovered a disturbing new malware campaign that turns exposed Docker containers into self-replicating Dero cryptocurrency miners—and it does so without needing a command-and-control server.
“Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API… compromising the running ones, thus transforming them into new ‘zombies’ that will mine for Dero currency and continue ‘biting’ new victims,” the report begins.
The campaign, discovered during a compromise assessment by Kaspersky, involves two key malware components written in Go:
- nginx: A propagation worm disguised as the well-known web server.
- cloud: A customized Dero miner with encrypted, hardcoded wallet and node configurations.
Once an attacker finds an insecurely exposed Docker API, the malware:
- Hijacks the host by launching malicious containers.
- Installs masscan and Docker tools inside the container.
- Deploys the nginx and cloud implants for propagation and mining.
- Searches for other vulnerable Docker APIs and repeats the cycle.
“The malware does not require a C2 connection and also maintains its activity as long as there is an insecurely published Docker API that can be exploited to compromise running containers and create new ones,” warns Kaspersky.
The nginx binary pretends to be legitimate while executing malicious routines. It even logs its operations—including infected IPs and container status—to a file at /var/log/nginx.log.
The malware also creates and monitors a file, version.dat, inside compromised containers to avoid re-infection and ensure persistence. If the cloud mining process stops, nginx restarts it, maintaining an ongoing mining operation using the container’s resources.
“The nginx sample then executes the main.monitorCloudProcess function… to make sure that a process named cloud, which is a Dero miner, is running.”
Using masscan, the malware generates and scans random /16 IPv4 subnets looking for hosts with Docker port 2375 exposed. Once identified, it runs commands like: docker -H run -dt --name --restart always ubuntu:18.04 /bin/bash.
The malware proceeds to install masscan, docker.io, and itself onto the new container, setting up a new mining node. “The scanner is looking for an insecure Docker API published on the internet to exploit… via masscan -p 2375 -oL - --max-rate 360,” Kaspersky explains.
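Two defender-side checks that follow directly from the behaviour described above, written as an added example (not Kaspersky's code): whether a Docker daemon exposes the plain-TCP 2375 listener the worm's masscan sweep looks for, and whether a running container matches the report's launch command (detached tty, ubuntu:18.04, /bin/bash, restart always). Inputs are dicts shaped like /etc/docker/daemon.json and the records `docker inspect` prints; the samples are constructed for the demo.

```python
"""Hunts derived from the Kaspersky Dero-worm write-up (added example, not the
report's code). Inputs mirror daemon.json and `docker inspect` JSON; the
SAMPLE_* values below are constructed, not data from the report."""
from urllib.parse import urlsplit

def exposed_api_listeners(daemon_cfg: dict) -> list[str]:
    """Return tcp:// listeners from daemon.json 'hosts' that are reachable
    without client-certificate auth ('tlsverify'). An unauthenticated tcp
    listener is exactly the exposure the worm scans port 2375 for."""
    if daemon_cfg.get("tlsverify"):
        return []
    return [h for h in daemon_cfg.get("hosts", [])
            if urlsplit(h).scheme == "tcp"]

def worm_launch_pattern(inspect_record: dict) -> list[str]:
    """Return which traits of `docker run -dt --name <n> --restart always
    ubuntu:18.04 /bin/bash` one inspect record shows; all three is a match."""
    cfg = inspect_record.get("Config", {})
    hostcfg = inspect_record.get("HostConfig", {})
    hits = []
    if cfg.get("Image") == "ubuntu:18.04" and cfg.get("Cmd") == ["/bin/bash"]:
        hits.append("image ubuntu:18.04 with cmd /bin/bash")
    if cfg.get("Tty") and not cfg.get("AttachStdin"):   # -dt: detached tty
        hits.append("detached tty (-dt)")
    if hostcfg.get("RestartPolicy", {}).get("Name") == "always":
        hits.append("--restart always")
    return hits

def suspicious_containers(records: list[dict]) -> list[str]:
    """Names of records matching all three launch traits."""
    return [r["Name"] for r in records if len(worm_launch_pattern(r)) == 3]

# Constructed samples: a daemon bound to plain TCP, one benign container
# (restart always alone is common) and one matching the worm's launch line.
SAMPLE_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"],
                               "Tty": False, "AttachStdin": False},
     "HostConfig": {"RestartPolicy": {"Name": "always"}}},
    {"Name": "/x9k2", "Config": {"Image": "ubuntu:18.04", "Cmd": ["/bin/bash"],
                                "Tty": True, "AttachStdin": False},
     "HostConfig": {"RestartPolicy": {"Name": "always"}}},
]

if __name__ == "__main__":
    print("exposed listeners:", exposed_api_listeners(SAMPLE_DAEMON))
    print("suspicious containers:", suspicious_containers(SAMPLE_CONTAINERS))
```

On hosts where dockerd is started with -H flags in a systemd unit rather than daemon.json, feed those values to exposed_api_listeners as the 'hosts' list.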
The Dero miner itself is adapted from the open-source DeroHE CLI project. It’s packed with UPX and uses AES-CTR encryption for its wallet and node configurations. Once decoded, researchers extracted the wallet address: dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y and node domains: d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link.
Interestingly, this exact infrastructure was previously seen in Kubernetes cryptojacking campaigns, signaling reused threat-actor infrastructure and evolving tactics.
According to Shodan data cited in the report, as of April 2025, there were at least 520 Docker APIs publicly exposed on port 2375 worldwide.
“It highlights the potential destructive consequences of the described threat and emphasizes the need for thorough monitoring and container protection,” the report warns.
Kaspersky concludes, “Although attacks on containers are less frequent than on other systems, they are not less dangerous.”