- Attackers exploit exposed Docker APIs to deploy cryptojackers and scan for more targets
- The malware installs persistence tools, includes inactive code for Telnet and Chrome port attacks, and may evolve into a botnet
- Akamai urges isolating Docker, limiting exposed services, and more
Cybercriminals are targeting exposed Docker APIs to install cryptojackers, scan the internet for more potential victims, and possibly even build out a botnet.
Recently, security researchers from Akamai wrote an in-depth report about a new campaign, seemingly a continuation of a similar one that was spotted by Trend Micro in late June 2025.
The campaign revolves around looking for servers with Docker’s API exposed on port 2375. Once identified, the crooks create a new container and pull down a script from a hidden TOR browser (.onion) website.
Cryptojacking botnet
The script tweaks systems settings to establish persistence, installs scanning software like Masscan, and drops additional malware. This malware then scans the internet for other exposed instances, repeating the infection process.
The malware also has code that could attack Telnet (port 23) and Chromium’s debugging port (9222). For the former, it would brute-force weak routers and other devices, while for the latter it could hijack browser sessions and steal cookies and other data.
These parts aren’t active yet, but the code suggests they may be enabled later, the researchers said.
Right now, the campaign is mostly about cryptojacking – the instances are hijacked to mine the Monero cryptocurrency. But the extra code hints that attackers want to expand it into a botnet, which could steal data or launch large-scale DDoS attacks.
To prevent and mitigate these attacks, Akamai suggests four things every IT team can do. First, they should isolate the Docker environment from other parts of the network, since this limits the ability of the attackers to move laterally. They should also make sure they expose as few services as possible to the internet.
“This malware exploits the ports 2375, 9222, and 23 by accessing these from the internet, and blocking such access can totally mitigate the threat,” they said. Furthermore, when using the Chrome debugger port (9222), IT teams should use specific remote IP addresses instead of 0.0.0.0. and finally, when installing a new device, they should make sure to change the default credentials to something stronger.
Via The Hacker News
