Misconfigured Docker APIs targeted by novel malware

2025-09-10

Hackread reports that threat actors have exploited unsecured Docker APIs to distribute new malware that blocks external API access while deploying system control tools. This marks an evolution from an earlier campaign discovered by Trend Micro that exploited the same exposed APIs to deliver cryptocurrency mining malware.

After compromising the host filesystem, executing a Base64-encoded script, injecting persistence mechanisms, and blocking Docker API access, the new payload retrieves a Go-based binary dropper that uses masscan to find other active Docker APIs, suggesting the eventual creation of a botnet, according to an analysis from Akamai. The malware is still under active development, as indicated by inactive Telnet and Chrome remote debugging port routines within its code. Organizations and individuals using Docker have been advised to restrict public access to the API and to monitor for suspicious activity while the campaign continues to evolve.
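As an added defender-side check that is not from the Hackread or Akamai reporting, the following Python audits a host's own `daemon.json` and `ss -ltn` output for an Engine API reachable over TCP without TLS, which is the exposure this campaign abuses. The sample configuration and socket listing are constructed for the example; the port numbers are Docker's documented defaults (2375 plain HTTP, 2376 TLS).

```python
"""Audit a Docker host for a network-exposed, unauthenticated Engine API."""
import json

PLAIN_API_PORT = 2375           # Docker's default unencrypted API port
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Constructed samples: a weak daemon.json and a hardened one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tls": true, "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
# Constructed `ss -ltn` listing: one TLS listener on loopback, one plain
# listener on all interfaces, plus an unrelated SSH socket.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:2376       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:2375       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""


def exposed_hosts(daemon_json: str) -> list:
    """Return tcp:// 'hosts' entries that are served without client-cert TLS.

    A tcp:// listener is only acceptable when both 'tls' and 'tlsverify'
    are set, so the daemon demands a client certificate instead of
    accepting commands from anyone who can reach the port."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tls")) and bool(cfg.get("tlsverify"))
    return [h for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not tls_verify]


def exposed_listeners(ss_output: str) -> list:
    """Return plain-API-port sockets bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                      # skip header and non-listeners
        addr, _, port = parts[3].rpartition(":")
        if port == str(PLAIN_API_PORT) and addr not in LOOPBACK:
            findings.append(parts[3])
    return findings


if __name__ == "__main__":
    print("weak config  :", exposed_hosts(WEAK_DAEMON_JSON))
    print("hardened     :", exposed_hosts(HARDENED_DAEMON_JSON))
    print("open sockets :", exposed_listeners(SAMPLE_SS))
```

On a real host, feed `exposed_hosts` the contents of `/etc/docker/daemon.json` and `exposed_listeners` the output of `ss -ltn`; any finding means the API is reachable by whoever can route to that address.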
