A new malware campaign targets misconfigured Docker API instances, transforming them into a cryptocurrency mining botnet that propagates itself across exposed Docker environments. The attack uses Golang-based malware to deploy Dero miners, leveraging worm-like propagation to infect other containers and networks. #DockerAPI #Dero #Cryptojacking #MalwarePropagation
Keypoints
- The campaign exploits insecurely published Docker APIs to gain initial access.
- Malware variants include a propagation tool called "nginx" that scans the internet for vulnerable instances.
- The malware creates malicious containers that install dependencies and spread further via Docker daemon interactions.
- Persistence is maintained by adding malware binaries to user login scripts, ensuring automatic reactivation.
- The campaign overlaps with previous Dero mining activities and targets containerized infrastructures using default API ports.
Read More: https://thehackernews.com/2025/05/new-self-spreading-malware-infects.html