A newly discovered strain of cryptomining malware, first reported in June 2025, has evolved to target exposed Docker APIs instead of relying on the Docker escape techniques it used before.
According to security researchers from Akamai’s Hunt Team, the new variant has also shifted focus towards setting up backdoors and persistence, along with efforts to block API access to rivals.
“The new strain was last seen in August 2025 in Akamai’s infrastructure of honeypots,” Yonathan Gilvarg, a senior security researcher on Akamai Hunt Team, said in a blog post. “The variant discovered by Akamai Hunt doesn’t drop a cryptominer but instead drops a file containing other previously used tools along with infection capabilities beyond those of the original strain.”
The strain builds on a variant reported by Trend Micro in June, but differs in both its binary payloads and its initial access methods, Gilvarg noted.
Initial access through exposed APIs
The key infection vectors here are misconfigured Docker APIs exposed to the internet, typically on port 2375. Attackers use them to launch a container (often using the lightweight Linux ‘alpine’ image), mount the host filesystem, then execute Base64-encoded scripts fetched via Tor. In their first stage, these scripts install curl, tor, and mass-scanning tools; in the second stage they download and run the malicious components.
Once inside, the malware initiates several persistence and evasion measures, which include appending a malicious public SSH key to the root user’s authorized keys, setting up cron jobs, and mounting host directories to maintain visibility and control.
“Analysis of the script (used in the strain) indicates that it performs multiple persistence and defense evasion steps, including denying future access to the exposed instance, which is something we’ve not seen in previous variants,” Gilvarg said.
Common practices that may leave Docker APIs exposed to public access include running the Docker API without transport layer security (TLS) for convenience, binding to 0.0.0.0 instead of localhost, cloud deployments with weak firewall rules, and using third-party orchestration or monitoring tools that require constant Docker API access.
The variant has creative twists
Setting the variant apart is its move to deny others access to the same Docker API, effectively monopolizing the attack surface. It tries to modify firewall settings (iptables, nft, firewall-cmd, etc.) via a cron job to drop or reject incoming connections to port 2375. A cron job is a scheduled task on Linux systems that runs automatically at specified times or intervals.
“The ‘crontab’ file is on the host itself, as the attacker mounted it when they created the container,” Gilvarg added. “This is a new section in the code that we haven’t seen in previous variants, which is currently not detected in VirusTotal.” Additionally, the malware includes logic (even if not yet fully active) to scan for and potentially exploit other services, e.g., Telnet (port 23) and Chrome’s remote debugging port (9222). These could allow credential theft, data exfiltration, or remote browser session hijacking. Akamai warns that while these capabilities aren’t fully leveraged yet, their presence suggests the malware may evolve into a more complex botnet.