Researchers have uncovered a new wave of attacks on open Docker APIs, where attackers are using Tor to hide their activity and lay the groundwork for a sophisticated botnet.

According to Akamai, the attackers target port 2375 by launching a container from a modified Alpine Linux image. Inside it, malicious code sets up Tor, enables SSH access, adds the attackers' own keys to authorized_keys, and creates cron jobs that block further access to the Docker API. Tools for large-scale scanning, propagation, and defense evasion are also installed. The next stage downloads a Go binary that can detect active users, spread the infection to other hosts, and remove competing containers.
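
As an added example, not code from the article or from the researchers it cites, the following Python script shows two checks a defender would run against the weakness this paragraph describes: whether the Docker daemon exposes its API over plaintext TCP (port 2375) on a non-loopback address without mutual TLS, and whether a running container has the kind of host access (privileged mode, host PID namespace, or a bind mount of a sensitive host path) that a container would need in order to write to a host account's authorized_keys. The listen addresses, the `docker inspect` fragment and the port defaults are assumptions and constructed samples, not data from the report.

```python
"""Defender-side checks for the exposed Docker API pattern described above.

Added example; not code from the article, Akamai or Trend Micro.  It assumes
two inputs an operator already has: the daemon's listen addresses (the -H
values, or "hosts" in daemon.json) and the HostConfig section of
`docker inspect` output.  All sample data below is constructed.
"""
from urllib.parse import urlsplit

# Port named in the article for the plaintext API; Docker uses 2376 for TLS.
DEFAULT_PLAINTEXT_PORT = 2375
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Host paths a foothold container should never have mounted; write access to
# /root or /home is what lets a container alter a host's authorized_keys.
SENSITIVE_HOST_PATHS = ("/", "/root", "/home", "/etc", "/var/run/docker.sock")


def exposed_api_listeners(hosts, tlsverify=False):
    """Return (address, port) for every tcp:// listener that remote clients can
    reach without client-certificate authentication.

    unix:// and fd:// sockets are local-only and skipped; tcp:// listeners bound
    to loopback are skipped; anything else is flagged unless the daemon runs
    with --tlsverify (mutual TLS), the supported way to expose the API remotely.
    """
    flagged = []
    for h in hosts:
        parts = urlsplit(h)
        if parts.scheme != "tcp":
            continue
        addr = parts.hostname or "0.0.0.0"        # "tcp://:2375" = all interfaces
        port = parts.port or DEFAULT_PLAINTEXT_PORT
        if addr in LOOPBACK or tlsverify:
            continue
        flagged.append((addr, port))
    return flagged


def _under(src, root):
    """True if host path src is root itself or lies beneath it."""
    if root == "/":
        return src == "/"
    return src == root or src.startswith(root + "/")


def risky_host_access(inspect_entry):
    """Given one element of `docker inspect` output, list why the container
    can reach the host: privileged mode, host PID namespace, or a bind mount
    of a sensitive host path (from the legacy Binds list or the Mounts list)."""
    reasons = []
    hc = inspect_entry.get("HostConfig", {})
    if hc.get("Privileged"):
        reasons.append("privileged")
    if hc.get("PidMode") == "host":
        reasons.append("pid=host")
    for bind in hc.get("Binds") or []:             # "host:container[:opts]"
        src = bind.split(":", 1)[0]
        if any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            reasons.append("bind:" + bind)
    for m in hc.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            reasons.append("mount:" + src)
    return reasons


# Constructed samples: a weak daemon setup beside a hardened one.
WEAK_HOSTS = ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
HARDENED_HOSTS = ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"]

# Constructed `docker inspect` fragment: an Alpine container with the host
# root bind-mounted writable, which is enough to edit any host authorized_keys.
SAMPLE_INSPECT = {
    "Name": "/foothold",
    "Config": {"Image": "alpine:latest"},
    "HostConfig": {"Privileged": False, "PidMode": "", "Binds": ["/:/hostroot:rw"]},
}

if __name__ == "__main__":
    print("weak daemon:", exposed_api_listeners(WEAK_HOSTS))
    print("hardened daemon:", exposed_api_listeners(HARDENED_HOSTS, tlsverify=True))
    print("container risk:", risky_host_access(SAMPLE_INSPECT))
```

On a real host, feed `exposed_api_listeners` the `-H` values from the dockerd unit file or the `"hosts"` array of daemon.json, and feed `risky_host_access` each element of `docker inspect $(docker ps -q)`; a non-empty result from either is the condition the article's attackers rely on and the first thing to close.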

Trend Micro first recorded this activity in June, when the attacks were limited to cryptocurrency mining. Recent observations show an evolution: instead of a simple miner, attackers now deploy multi-component malicious code capable of DDoS attacks, credential theft, and browser session hijacking. This marks a shift from opportunistic abuse of Docker to the construction of a multi-vector cyberthreat infrastructure.

While researchers have yet to uncover the full botnet, it is already clear that the attacks are becoming more systematic and dangerous. The use of Tor, automatic self-propagation, and hidden modules indicate that cybercriminals are preparing for a larger-scale operation that could affect both companies and ordinary users.