Emerging Botnet Threat Exploits Exposed Docker APIs

September 18, 2025


Security researchers have identified a new threat campaign exploiting exposed Docker APIs to deploy advanced malware that could serve as the basis for a botnet, writes Bill Toulas in BleepingComputer.

Initially detected in June by Trend Micro as a cryptominer campaign leveraging Tor for anonymity, the operation has since evolved.

Akamai researchers have recently discovered updated tools that replace the cryptominer with multi-stage payloads, capable of blocking access to compromised Docker APIs, securing control, and enabling persistent access to infected systems.

The attack begins by scanning for exposed, unauthenticated Docker API endpoints listening on TCP port 2375, the daemon's conventional plaintext port.

Upon identifying a target, the threat actor sends a container creation request using a modified Alpine Linux image that contains a base64-encoded shell command.

Once decoded, that script installs tools such as curl and Tor, establishes a Tor connection for anonymity, and retrieves a second-stage script from a Tor hidden service.

The second-stage script adds an attacker-controlled SSH key for persistent access, creates a cron job to block further API access on port 2375, and installs utilities to facilitate scanning, propagation, and evasion.

The infection culminates in downloading and running a Zstandard-compressed Go binary, which acts as a dropper for an embedded second-stage payload.

The binary scans for other exposed Docker APIs, infects them using the same technique, and removes competitor containers.
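A defender-side way to turn the chain described above into a triage check is to look at what each running container was actually asked to execute. The following is an added example, not code from the article, BleepingComputer, Akamai or Trend Micro: it scans docker-inspect-style container configurations for the behaviours the article names (a base64-encoded command piped into a shell, Tor installed inside an Alpine container, a hidden-service address, SSH key persistence, a cron job touching port 2375), decodes any embedded base64 blob and rescans the decoded text. The two container records and the embedded payload are constructed here for the demonstration; the indicator regexes and reason strings are this example's own choices, not a published ruleset.

```python
import base64
import re

# Indicator patterns derived from the behaviour the article describes.
# Each entry is (compiled regex, reason reported to the analyst).
INDICATORS = [
    (re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash|ash)\b"),
     "base64-encoded command piped into a shell"),
    (re.compile(r"\bapk\s+add\b[^\n;&|]*\btor\b"),
     "installs Tor via apk"),
    (re.compile(r"\.onion\b"),
     "references a Tor hidden service"),
    (re.compile(r"authorized_keys"),
     "touches SSH authorized_keys (persistence)"),
    (re.compile(r"\b(?:cron|crontab)\b[^\n]*\b2375\b|\b2375\b[^\n]*\b(?:cron|crontab)\b"),
     "cron job referencing Docker API port 2375"),
]

# Anything that looks like a base64 literal of reasonable length.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def decode_blobs(text):
    """Return the decoded text of every base64-looking blob that decodes to printable UTF-8."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            as_text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in as_text):
            decoded.append(as_text)
    return decoded


def command_text(cfg):
    """Flatten Entrypoint and Cmd from a docker-inspect style Config dict into one string."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = cfg.get(key) or []
        if isinstance(value, str):
            value = [value]
        parts.extend(value)
    return " ".join(parts)


def scan_container(cfg):
    """Return the list of indicator reasons found in the container's command line.

    Indicators found inside a decoded base64 blob are prefixed with 'decoded payload: '.
    """
    findings = []

    def check(text, prefix=""):
        for pattern, reason in INDICATORS:
            if pattern.search(text):
                findings.append(prefix + reason)

    raw_cmd = command_text(cfg)
    check(raw_cmd)
    for payload in decode_blobs(raw_cmd):
        check(payload, "decoded payload: ")
    return findings


def triage(containers):
    """Map container name -> findings, keeping only containers with at least one finding."""
    flagged = {}
    for name, cfg in containers.items():
        findings = scan_container(cfg)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample input (not captured from a real host). The first record mimics
# the shape of the create request the article describes: an Alpine image whose
# command decodes and runs a base64 blob. The blob below is a placeholder that only
# installs curl and Tor and mentions a fake .onion address, nothing more.
_STAGE1_B64 = base64.b64encode(
    b"apk add --no-cache curl tor\n"
    b"# stage 2 would be fetched from http://PLACEHOLDER.onion/ (constructed, not real)\n"
).decode()

SAMPLE_CONTAINERS = {
    "quirky_hopper": {
        "Image": "alpine:latest",
        "Cmd": ["sh", "-c", f"echo {_STAGE1_B64} | base64 -d | sh"],
    },
    "web": {
        "Image": "nginx:1.27",
        "Cmd": ["nginx", "-g", "daemon off;"],
    },
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CONTAINERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live host the same dictionaries come from `docker inspect --format '{{json .Config}}' <container>`; the image name alone is deliberately not an indicator, since Alpine is a normal base image, and the point of decoding the blob is that the first-stage command is otherwise opaque to a string match.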

Akamai also observed inactive code suggesting future expansion to exploit Telnet and Chrome’s remote debugging interface, potentially enabling credential theft, browser hijacking, and DDoS attacks.

This technique signals a shift in attacker priorities from opportunistic exploitation to structured, botnet-style operations. By blocking others’ access, the attackers effectively monopolize compromised endpoints and reduce competition from rival threat actors.

The absence of a cryptominer in the payload suggests that resource hijacking is no longer the primary objective, which increases the risk that these compromised Docker environments will be leveraged for future distributed attacks.

Lawyers should confirm that the client's CISO has implemented network segmentation, enforced authentication on the Docker API, and established continuous monitoring for suspicious container activity.
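The "enforced authentication" item above has a concrete, checkable form on each Docker host: the daemon must not expose a plaintext TCP listener. The following is an added example, not code from the article or from Docker: it audits the `hosts` and `tls*` keys of a Docker `daemon.json` (those key names are real daemon options) and reports a weak configuration beside a hardened one. The two configuration strings are constructed for the demonstration, and the severity labels are this example's own.

```python
import json
from urllib.parse import urlsplit

# Docker treats an empty or wildcard host part as "every interface".
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_daemon_config(cfg):
    """Return (severity, message) findings for a parsed daemon.json dict."""
    findings = []
    tls_on = cfg.get("tlsverify") is True

    # With no "hosts" key the daemon listens only on the local unix socket.
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue
        if url.hostname in ALL_INTERFACES:
            findings.append(("high" if not tls_on else "medium",
                             f"{host}: Docker API listens on all interfaces; "
                             "restrict reachability with segmentation or a firewall"))
        if not tls_on:
            findings.append(("critical",
                             f"{host}: TCP listener without tlsverify; anyone who can "
                             "reach it can create containers with no authentication"))
        if url.port == 2375:
            findings.append(("medium",
                             f"{host}: 2375 is the conventional plaintext API port; "
                             "use 2376 with TLS client verification"))

    # tlsverify without certificate material is a misconfiguration, not hardening.
    if tls_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(("high", f"tlsverify is true but {key} is not set"))
    return findings


def audit_json_text(text):
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


# Constructed examples of the weak and the corrected setting (not from a real host).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label)
        for severity, message in audit_json_text(text):
            print(f"  [{severity}] {message}")
```

The file is not the only place a listener can be configured: the daemon also accepts `-H` on its command line (typically in the systemd unit), and Docker refuses to start when both specify `hosts`. Treat the audit as a configuration check and confirm the result against what is actually listening, for example with `ss -ltn` on the host, which is also the simplest way to verify that port 2375 is closed after remediation.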
