Key points
- JFrog identified ~4.6M imageless Docker Hub repositories; ~2.81M (~18.7% of public repos) were linked to three large malicious campaigns.
- The campaigns (Downloader, eBook Phishing, Website SEO) created repositories that contained only documentation/metadata with links to phishing pages or malware downloads.
- Delivery techniques included impersonated URL shorteners, redirects via legitimate services (blogger.com), and exploitation of a Google redirect parameter to hide final destinations.
- The Downloader payload is a Delphi-built executable (detected generically as a trojan) that installs freehtmlvalidator.exe and communicates with a C2 at soneservice[.]shop via HTTP POST with XOR/hex-encoded JSON.
- The malware checks system locale and environment, receives offers and download URLs from the C2 (with geo/AV exclusions), and achieves persistence by creating scheduled tasks (SCHTASKS.exe).
- Campaigns used automated account creation and different distribution patterns: burst uploads (Downloader, eBook Phishing) and slow, long-running single-repo-per-user uploads (Website SEO).
- JFrog disclosed findings to Docker; Docker removed the reported repositories, highlighting the need to prefer Docker “Trusted Content” and continuous registry monitoring.
MITRE Techniques
- [T1566.002] Phishing: Link – Malicious repository descriptions contained links that redirected users to phishing pages (‘the overview page tries to deceive users into visiting phishing websites or websites that host dangerous malware’).
- [T1566.003] Phishing via Service – Attackers abused Docker Hub as the distribution/platform vector to lure victims (‘attackers tried to leverage Docker Hub’s platform credibility’).
- [T1189] Drive-by Compromise – Landing pages served archives with an EXE installer and prompted downloads (‘the downloaded file is always the same archive with an EXE installer… installs a binary called freehtmlvalidator.exe into the directory “%LOCALAPPDATA%\HTML Free Validator”’).
- [T1071.001] Application Layer Protocol: Web Protocols – Malware used HTTP POST to communicate with C2 at soneservice[.]shop/new/net_api (‘communicates with the C2C server http://soneservice[.]shop/new/net_api using HTTP POST requests’).
- [T1027] Obfuscated Files or Information – C2 communication used simple obfuscation (XOR + hex) for its JSON payloads (‘The request is a JSON message XORed with the three-byte key “787” and encoded in hex.’).
- [T1053.005] Scheduled Task/Job – The malware established persistence by creating scheduled tasks via SCHTASKS.exe (‘SCHTASKS.exe /Create /TN <random_name> /RL HIGHEST /SC DAILY’).
Indicators of Compromise
- [Domain] malicious landing pages and redirect infrastructure – failhostingpolp[.]ru, rd[.]lesac[.]ru, and 30+ other domains used as shorteners or landing sites.
- [Filename] malicious executable installed on victims – freehtmlvalidator.exe (installed into %LOCALAPPDATA%\HTML Free Validator) used by the Downloader campaign.
- [C2 URL] command-and-control endpoint for downloader payload – http://soneservice[.]shop/new/net_api (HTTP POST with XOR/hex-encoded JSON requests).
- [Download URL] example payload distribution link – totrakto[.]com/CRACK-IDA-Pro-V6-8-150423-And-HEX-Rays-Decompiler-ARM-X86-X64-iDAPROl.zip (example returned by C2 as promised file).
JFrog’s analysis focused on identifying anomalous “imageless” repositories, grouping them by creation-date spikes, and deriving a signature based on repeated metadata patterns. The researchers pulled all imageless repositories from the past five years, spotted two large spike periods (2021, 2023) and weekday creation patterns, and classified accounts that produced these signatures into campaign families (Downloader, eBook Phishing, Website SEO). Using these signatures they linked ~2.81M repositories to coordinated operations and smaller “other suspicious” sets.
Delivery used link obfuscation and legitimate-service redirection to evade detection: actors created impersonated URL shorteners that mapped to rotating malicious CDNs, hosted redirector JavaScript on blogger.com (delaying redirect by 500 ms), and exploited an undocumented Google /url parameter to produce automatic redirects to malicious landing pages. eBook Phishing repositories funneled users to rd[.]lesac[.]ru and similar domains that served geo-targeted pages designed to capture payment details, while Downloader repos pointed to pages that delivered the same EXE installer archive.
The Downloader payload is a Delphi-based trojan that performs an initialization handshake with the C2 (sending a XOR/hex-encoded JSON “getinitializationdata” including a unique lid and locale), receives offers and download URLs, and enforces install conditions (geo exclusions and AV blacklists) before prompting the user to install. After user acceptance the payload downloads additional binaries and schedules persistent execution via SCHTASKS. Detection and mitigation recommendations include consuming only Docker-trusted images (Official/Verified/Sponsored) and continuous registry monitoring for imageless-repo anomalies and abusive metadata links.
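As an added example (not JFrog's code and not the malware's), the C2 encoding described under T1027 and the handshake described above, written as a small decoder a defender can run over captured POST bodies to confirm the format and read the message content. The key "787", the message name getinitializationdata and the fields lid and locale come from the report; the field name "action" and the sample values are assumptions.

```python
import json

# Three-byte repeating XOR key named in the report ("787").
XOR_KEY = b"787"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the
    same call both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(msg: dict, key: bytes = XOR_KEY) -> str:
    """Reproduce the wire format (compact JSON -> XOR -> lowercase hex) so a
    captured body can be compared with a message of known content."""
    compact = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    return xor_with_key(compact, key).hex()


def decode_message(hex_body: str, key: bytes = XOR_KEY) -> dict:
    """Recover the JSON object from a captured hex body. Raises ValueError
    (UnicodeDecodeError and JSONDecodeError are subclasses) on a mismatch."""
    raw = xor_with_key(bytes.fromhex(hex_body.strip()), key)
    return json.loads(raw.decode("utf-8"))


def triage_bodies(bodies: list, key: bytes = XOR_KEY) -> list:
    """Decode every body that matches the format and skip the rest.
    Returns the decoded JSON objects in input order."""
    decoded = []
    for body in bodies:
        try:
            msg = decode_message(body, key)
        except ValueError:
            continue  # not hex, not valid UTF-8 after XOR, or not JSON
        if isinstance(msg, dict):
            decoded.append(msg)
    return decoded


# Constructed sample handshake. "getinitializationdata", "lid" and "locale"
# are named in the report; the key "action" and all values are assumed.
SAMPLE_HANDSHAKE = {
    "action": "getinitializationdata",
    "lid": "00000000-0000-4000-8000-000000000000",
    "locale": "en-US",
}

if __name__ == "__main__":
    wire = encode_message(SAMPLE_HANDSHAKE)
    print(wire)
    print(triage_bodies([wire, "deadbeef", "not hex"]))
```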