
Docker API Misconfigurations Abused in Cryptocurrency Mining Botnet Campaign


Cybersecurity researchers have uncovered a new malware campaign targeting misconfigured Docker API instances, turning them into part of a cryptocurrency mining botnet. The campaign, focused on mining Dero cryptocurrency, is notable for its worm-like propagation techniques that allow it to autonomously spread across vulnerable infrastructure.

The activity was observed by Kaspersky, which noted that an unidentified threat actor exploited insecurely exposed Docker APIs to gain initial access and deploy malware components. The attack leverages this access not only to hijack resources for mining but also to launch external attacks to compromise additional systems.

Attack Mechanics: Two-Part Payload

The campaign is executed using two Golang-based components:

  1. “nginx” Propagation Tool – Masquerading as a legitimate web server, this component scans the internet for exposed Docker APIs (port 2375), attempting to deploy malicious containers on vulnerable hosts.

  2. “cloud” Miner – A modified version of the DeroHE CLI miner, this payload handles the actual cryptocurrency mining.

By naming the first binary “nginx,” the attackers aim to blend in with legitimate traffic and system processes, making detection more difficult.

Propagation Tactics

Once the malware identifies a vulnerable Docker instance, it initiates a multi-step infection chain:

  • Random IP Generation: The “nginx” binary generates random IPv4 subnet addresses.

  • Port Check: It attempts to connect to the default Docker API port (2375).

  • Remote Access Validation: It checks whether the remote dockerd daemon is active using commands like docker -H ps. If unsuccessful, it moves on to the next IP.

  • Container Creation: Upon finding an active and responsive daemon, it creates a malicious container using a randomly generated name.

  • Tool Installation: Inside the container, it installs masscan (for scanning) and docker.io (for Docker interaction).

  • Payload Deployment: The nginx and cloud binaries are transferred to the container via docker -H cp.

To ensure persistence, the nginx binary is added to the /root/.bash_aliases file, making it execute automatically upon shell login.

The malware can also infect existing Ubuntu-based containers, extending its reach within the target’s infrastructure.
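The infection chain above maps onto a recognisable sequence of Docker Engine API calls (docker ps is GET /containers/json, container creation is POST /containers/create, docker cp into a container is PUT /containers/{id}/archive). The following detector, an added example that is not part of the original article or of Kaspersky's research, flags any source IP that completes that sequence within a short window. It assumes the API sits behind a reverse proxy that writes a combined-format access log; the log lines, IPs and container ids are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: combined-format access log of a reverse proxy in front of the
# Docker Engine API (an assumption for this example; dockerd writes no such log).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "GET /v1.43/containers/json HTTP/1.1" 200 812
203.0.113.7 - - [12/Jun/2025:10:01:03 +0000] "POST /v1.43/containers/create?name=xk3m2q HTTP/1.1" 201 88
203.0.113.7 - - [12/Jun/2025:10:01:09 +0000] "PUT /v1.43/containers/8f1c/archive?path=/root HTTP/1.1" 200 0
10.0.0.5 - - [12/Jun/2025:10:05:00 +0000] "GET /v1.43/containers/json HTTP/1.1" 200 812
10.0.0.5 - - [12/Jun/2025:10:30:00 +0000] "POST /v1.43/containers/create?name=web HTTP/1.1" 201 88
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The chain as Engine API calls: ps -> GET /containers/json, create -> POST /containers/create, cp -> PUT /containers/{id}/archive
CHAIN = (
    ("GET", re.compile(r"^/containers/json$")),
    ("POST", re.compile(r"^/containers/create$")),
    ("PUT", re.compile(r"^/containers/[^/]+/archive$")),
)

def parse_line(line):
    if not (m := LINE_RE.match(line)):
        return None
    ip, ts, method, path, status = m.groups()
    path = re.sub(r"^/v\d+\.\d+", "", path.split("?", 1)[0])  # drop API version and query
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_propagation_chains(log_text, window=timedelta(minutes=5)):
    """Source IPs that completed ps -> create -> cp (all successful) within `window`."""
    by_ip = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip.setdefault(rec[0], []).append(rec)
    flagged = []
    for ip, recs in by_ip.items():
        stage, started = 0, None
        for _, ts, method, path, status in sorted(recs, key=lambda r: r[1]):
            if status >= 400:
                continue  # a failed request does not advance the chain
            if started is not None and ts - started > window:
                stage, started = 0, None  # too slow to be the worm; start over
            want_method, want_path = CHAIN[stage]
            if method == want_method and want_path.match(path):
                started = started or ts
                stage += 1
                if stage == len(CHAIN):
                    flagged.append(ip)
                    break
    return flagged
```

On the constructed log only 203.0.113.7 is flagged; 10.0.0.5 lists and creates containers 25 minutes apart and never copies files in, so it is left alone.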

Mining Objective: Dero Cryptocurrency

The ultimate goal of the campaign is to mine Dero, a privacy-centric cryptocurrency known for its CPU-friendliness and anonymity features. The mining operations are based on the open-source DeroHE miner, which has been customized and embedded within the attack chain.

Kaspersky researchers linked this campaign to previous Dero mining activity observed by CrowdStrike in March 2023 and later flagged by Wiz in June 2024, based on overlapping wallet addresses and derod nodes.

“The two malicious implants spread without a C2 server, making any network that has a containerized infrastructure and insecurely published Docker API to the internet a potential target,” said Kaspersky's Amged Wageh.

Related Campaign: Monero Mining and PyBitmessage Backdoor

In parallel, the AhnLab Security Intelligence Center (ASEC) reported a separate campaign that distributes Monero miners alongside a previously unseen Python-based backdoor. This backdoor uses PyBitmessage, a peer-to-peer encrypted messaging protocol, to receive and execute PowerShell-based commands.

Key Details:

  • C2 commands are transmitted via encrypted Bitmessage packets.

  • These messages are embedded within legitimate traffic to evade detection.

  • The distribution vector is suspected to involve cracked software, which reinforces the importance of downloading software only from trusted sources.

“Threat actors exploited the PyBitmessage module to exchange encrypted packets that resemble normal web traffic,” ASEC noted. “Control messages are hidden within messages from real users.”

Security Recommendations

The growing exploitation of containerized environments underscores the importance of:

  • Disabling unsecured Docker APIs exposed to the internet.

  • Enforcing strong firewall rules and access controls for Docker environments.

  • Using monitoring and logging tools to detect abnormal container activity.

  • Avoiding untrusted software and ensuring all downloads come from verified sources.
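The first two recommendations come down to one question: does dockerd listen on a TCP socket reachable from outside, and if so, is client-certificate authentication (tlsverify) enforced? The audit below is an added example, not code from the article or from Docker; it reads the hosts from a daemon.json document and from a systemd ExecStart line, and shows the weak configuration this campaign abuses beside a corrected one. The file contents, the 10.0.0.5 address and the certificate paths are constructed, and hosts_from_execstart and audit_docker_hosts are names chosen here.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed /etc/docker/daemon.json contents: the setting this page warns about
# (plaintext API on every interface) beside a corrected one (bound to one address,
# client certificates required, conventional TLS port 2376).
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Listeners can also be set on the command line in the systemd unit (constructed line).
# dockerd refuses to start if hosts are given in both places, but an auditor reads both.
UNIT_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

def hosts_from_execstart(line):
    """Collect every -H / --host value from a dockerd ExecStart line."""
    return re.findall(r"(?:-H|--host)[= ](\S+)", line)

def audit_docker_hosts(daemon_json_text, execstart_line=""):
    """Return findings for exposed or unauthenticated TCP listeners; empty means clean."""
    cfg = json.loads(daemon_json_text)
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(execstart_line)
    # tlsverify alone is not enough: without the CA and server key pair dockerd cannot
    # actually authenticate clients, so require all of them to count TLS as on.
    tls_on = bool(cfg.get("tlsverify")) and all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are local-only and not reachable by the scanner
        if u.hostname in (None, "0.0.0.0", "::"):
            findings.append(f"{h}: listens on all interfaces")
        if not tls_on:
            findings.append(f"{h}: no tlsverify, anyone who can reach the port controls the daemon")
        elif u.port == 2375:
            findings.append(f"{h}: TLS on but using the plaintext default port 2375 (convention is 2376)")
    return findings
```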

Conclusion

The misuse of misconfigured Docker APIs to build automated, self-propagating cryptomining botnets is a stark reminder of the vulnerabilities in container orchestration environments. With attackers increasingly targeting infrastructure-as-code platforms, securing cloud-native applications has become a top priority for organizations of all sizes.