Akamai’s Hunt Team has reported a new variant of malware targeting exposed Docker APIs, expanding on a campaign first documented earlier this summer. The initial strain, detailed by Trend Micro in June 2025, used misconfigured Docker services to install a cryptominer delivered through a Tor domain.
Akamai’s latest research, which the company shared with Hackread.com and which is based on honeypot activity from August, shows the malware pursuing a different objective. Instead of dropping a miner, it blocks external access to the Docker API and installs tools for system control, suggesting the operators are preparing for something larger than cryptocurrency mining.
According to Akamai’s blog post, attackers are still exploiting exposed Docker APIs to get inside, but what they do after gaining access has changed. In this new variant, the malware gains access to the host filesystem, runs a Base64-encoded script, and installs persistence mechanisms, while also blocking port 2375, the Docker daemon’s unencrypted remote API port, to keep other attackers out.
Building Toward a Botnet
From there, the infection pulls down a binary dropper written in Go. The code includes unusual details, such as a “user” emoji that hints it may have been built with help from a large language model (LLM).
Additionally, the dropper scans for active Docker APIs using masscan, then attempts to repeat the infection cycle across other servers. This creates the beginnings of a self-propagating network, an early sign of botnet construction.
For now the activity targets exposed Docker APIs only, but the code also contains routines for Telnet and for Chrome’s remote debugging port. Those routines are not active yet, but they suggest the operators are testing ways to expand the malware’s reach in future versions.
Clearing Out Competitors
Akamai’s analysis also showed that the malware is selective when dealing with competition. It checks for containers running Ubuntu, which are often used by other threat actors to host cryptominers. By removing them, the attackers consolidate control over compromised servers, reinforcing the impression that this campaign is about building infrastructure rather than harvesting quick returns.
The research relied heavily on Beelzebub, an open-source honeypot project that simulates high-interaction services. By mimicking Docker’s API responses, Akamai was able to lure attackers into revealing their tactics in a controlled environment and publish indicators of compromise, including two onion domains, a webhook address, and file hashes linked to the malware.
Researchers say the campaign is still developing, and attackers are already changing how they use exposed Docker APIs. For Docker users, keeping APIs off the public internet and monitoring activity closely remain the most effective steps to cut the risk of compromise.
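The check below is an added example written for this article, not code from Akamai, Trend Micro or the malware itself. It reads `ss -ltn`-style listener output and flags any Docker API port (2375 plaintext, 2376 TLS) bound to something other than loopback, which is exactly the condition this campaign’s masscan stage looks for. The sample listener lines are constructed for the demonstration; on a real host the script runs against the live `ss` output instead.

```shell
#!/bin/sh
# Added example: detect a Docker daemon whose TCP API is reachable beyond loopback.
# Port numbers are Docker's documented defaults: 2375 (no TLS) and 2376 (TLS).

# Constructed sample in `ss -ltn` format (State Recv-Q Send-Q Local:Port Peer:Port).
# The first and last lines are the exposure this campaign scans for; the 2376
# line is loopback-only and should not be flagged.
SAMPLE_LISTENERS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:2375 *:*'

# Reads listener lines on stdin. Prints "<local-addr:port> <label>" for every
# Docker API port bound to a non-loopback address. Exit status 0 when nothing
# is exposed, 1 when at least one line was printed.
exposed_docker_listeners() {
    awk '
        $1 == "LISTEN" {
            local = $4
            n = split(local, parts, ":")
            port = parts[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (port != "2375" && port != "2376") next
            # Loopback bindings (IPv4 127/8, IPv6 ::1 with or without brackets) are fine.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            label = (port == "2375") ? "plaintext-docker-api" : "docker-api-tls-port (confirm tlsverify)"
            print local, label
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Wraps the check with a human-readable verdict; stdin is passed through.
report() {
    if exposed_docker_listeners; then
        echo "OK: no Docker API port bound beyond loopback"
    else
        echo "WARNING: Docker API reachable from outside the host (see lines above)"
    fi
}

echo "Constructed sample:"
printf '%s\n' "$SAMPLE_LISTENERS" | report

if command -v ss >/dev/null 2>&1; then
    echo "Live listeners on this host:"
    ss -ltn | report
fi
```

If the script reports an exposure, the fix is on the daemon side rather than the firewall alone: in `/etc/docker/daemon.json` keep `"hosts"` at `unix:///var/run/docker.sock` (and check for a `-H tcp://...` override in the `docker.service` unit); where remote access is genuinely required, use `tcp://…:2376` together with `"tlsverify": true` and the `tlscacert`, `tlscert` and `tlskey` options so that only clients holding a certificate from your CA can reach the API.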