Kaspersky uncovers Dero crypto miner spreading via exposed container environments

May 21, 2025

Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerized environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs — parts of Docker, an open-source container development platform. In 2025, a significant number of Docker API default ports are insecurely published, accounting for almost 500 occurrences worldwide on average each month. In the discovered campaign, cybercriminals inject two types of malware into the compromised systems: one is the miner itself and the other is a propagation malware that can spread the campaign to other insecure container networks.

Kaspersky experts discovered this malicious campaign as part of a compromise assessment project. According to expert estimates, any organization that operates containerized infrastructure — while exposing Docker APIs without robust security controls — can be a potential target. These may include technology companies, software development firms, hosting providers, cloud service providers and more enterprises.

According to Shodan, in 2025 there are 485 published Docker API default ports[1] worldwide each month on average. This figure illustrates the campaign’s potential attack surface by tallying the “entry points” — the insecurely exposed ports that attackers might target. China accounted for the largest average monthly number — nearly 138 occurrences — followed by Germany (97), the U.S. (58), Brazil (16), and Singapore (13).

Once attackers identify an insecurely published Docker API, they either compromise existing containers or create new malicious ones based on a legitimate standard Ubuntu image. They then inject two malware types into the compromised containers: “nginx” and “cloud”. The latter is a Dero cryptocurrency miner, while “nginx” is malware that maintains persistence, ensures execution of the miner and scans for other exposed environments. This malware allows attackers to operate without traditional Command-and-Control (C2) servers; instead, each infected container independently scans the internet and can spread the miner to new targets.

An infection chain scheme

“This demonstrates that the campaign has the potential for exponential growth of infections, with each compromised container acting as a new source of attack, if security measures are not immediately put in place in the potentially targeted networks,” explains Amged Wageh, an incident response and compromise assessment expert at Kaspersky Security Services. “Containers are foundational to software development, deployment, and scalability. Their widespread use across cloud-native environments, DevOps, and microservices architectures makes them an attractive target for cyber attackers. This growing reliance demands that organizations adopt a 360-degree approach to security — combining robust security solutions with proactive threat hunting and regular compromise assessments.”

The attackers embedded the names “nginx” and “cloud” directly in the binary — the compiled executable file, made up of processor instructions and data rather than human-readable text. This is a classic masquerading tactic that lets the payload pose as a legitimate tool, trying to deceive both analysts and automated defenses.

The full technical analysis is available on Securelist. Kaspersky products detect these malicious implants with the following verdicts: Trojan.Linux.Agent.gen and RiskTool.Linux.Miner.gen.

To mitigate container-related threats, Kaspersky recommends:

● Companies that use Docker APIs should immediately review the security of any potentially exposed infrastructure — specifically, refrain from publishing the Docker APIs unless there is an operational need, and consider securing any published Docker APIs via TLS.

● Uncover active cyberattacks and previously unknown attacks that flew under the radar with Kaspersky Compromise Assessment.

● Containerization is the most popular application development method at the moment. But risks can emerge in each component of a container’s infrastructure and may heavily impact business processes. The protection of containerized environments is crucial and requires specialized security solutions. Kaspersky Container Security provides security for all stages of containerized application development. Beyond the development process, the solution protects runtime: for example, it allows only trusted containers to launch, controls the operation of the applications and services inside the containers, and monitors the traffic.

● Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and provide additional expertise even if a company lacks cybersecurity workers.
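The first recommendation above, together with the footnote on port 2375, can be turned into a configuration check. The script below is an added example, not Kaspersky's code: it reads a Docker `daemon.json` and, optionally, the `dockerd` command line from a systemd `ExecStart=` line, and reports every `tcp://` listener that does not require TLS client certificates (`tlsverify`). The sample configurations are constructed for the example; the assumption that `dockerd` defaults a `tcp://` listener without a port to 2375 follows Docker's documentation.

```python
"""Added example, not Kaspersky's code: find Docker API listeners published without TLS client auth.

dockerd serves only a local Unix socket unless a "hosts" entry in /etc/docker/daemon.json
or a -H flag on its command line binds a tcp:// address; 2375 is the default plaintext port.
"""
import json
import shlex
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # default API port, as in the release's footnote
ANY_ADDRESS = {"", "0.0.0.0", "::"}  # bind addresses that expose the port on every interface


def hosts_from_execstart(exec_start: str) -> list[str]:
    """Collect -H / --host values from a dockerd command line or systemd ExecStart= line."""
    cmd = exec_start[len("ExecStart="):] if exec_start.startswith("ExecStart=") else exec_start
    tokens = shlex.split(cmd)
    hosts = []
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
    return hosts


def audit_docker_api(daemon_json: str, exec_start: str = "") -> list[str]:
    """Return one finding per tcp:// listener that does not require client certificates."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(exec_start)
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        if cfg.get("tlsverify"):
            continue  # published over TCP, but clients must present a cert signed by tlscacert
        url = urlsplit(host)
        port = url.port or PLAINTEXT_PORT  # Docker's documented default when no port is given
        scope = "all interfaces" if (url.hostname or "") in ANY_ADDRESS else url.hostname
        mode = "TLS-encrypted but unauthenticated" if cfg.get("tls") else "plaintext, unauthenticated"
        findings.append(f"{host}: {mode} Docker API on {scope}, port {port}")
    return findings


# Constructed sample configurations (not taken from any real host).
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true, '
                        '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
INSECURE_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    print(audit_docker_api(INSECURE_DAEMON_JSON), audit_docker_api("{}", INSECURE_EXECSTART), audit_docker_api(HARDENED_DAEMON_JSON))
```

On a real host, feed it the contents of `/etc/docker/daemon.json` and the `ExecStart=` line from `systemctl cat docker`; an empty result means no API listener is reachable over TCP without a client certificate.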

The Security Services

Delivering hundreds of information security projects every year for Fortune 500 organizations worldwide: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security, digital risks protection.

[1] The analysis covers Docker’s insecurely published default API port, 2375.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.