
Self-Spreading Dero Mining Malware Targets Docker Containers in Zombie-Like Campaign


Cybersecurity researchers at Kaspersky have uncovered a sophisticated malware campaign that spreads through containerized environments like a digital zombie outbreak, automatically infecting Docker containers to mine Dero cryptocurrency without requiring traditional command-and-control infrastructure.

The attack begins when malicious actors exploit Docker APIs that have been insecurely published to the internet. Once inside a container, the malware deploys two key components: a propagation tool disguised as "nginx" and a cryptocurrency miner called "cloud." Both are written in Go and packed with UPX compression to evade detection.

The nginx malware operates with remarkable autonomy. It continuously scans random IPv4 subnets using the masscan tool, searching for hosts with the Docker API exposed on port 2375.

When vulnerable targets are discovered, the malware creates new malicious containers and compromises existing Ubuntu 18.04-based containers that haven't been previously infected.

What makes this campaign particularly dangerous is its self-replicating nature. Each infected container becomes a new infection source, automatically spreading to other vulnerable systems without human intervention. 

The malware maintains persistence by embedding itself in container startup processes and uses a "version.dat" file to track infected systems.

The cryptocurrency mining component targets Dero, a privacy-focused digital currency. Researchers decoded the hardcoded wallet address and discovered connections to previous campaigns targeting Kubernetes clusters throughout 2023 and 2024.

Kaspersky's analysis reveals that as of April 2025, approximately 520 Docker APIs remain exposed worldwide on port 2375, highlighting the scope of potential targets. 

This automated propagation method represents a significant evolution in container-based attacks, demonstrating how containerized infrastructure can become both a victim and a vector in modern cyber threats.

Organizations running containerized environments should immediately secure Docker APIs, implement proper access controls, and deploy comprehensive container monitoring solutions to detect such sophisticated attacks.
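As an added example (not code from the article or from Kaspersky's research), the following check audits the `hosts` entries of a Docker `daemon.json` for the exposure this campaign depends on: a TCP listener reachable from the network without TLS client authentication, and in particular the plaintext port 2375 that the propagator scans for. The two sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for an unauthenticated, network-reachable API."""
import json
from typing import List
from urllib.parse import urlparse

# Constructed sample configurations, not taken from any real host.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(config_text: str) -> List[str]:
    """Return findings for each risky TCP listener; an empty list means none found."""
    cfg = json.loads(config_text)
    findings: List[str] = []
    # The daemon only demands client certificates when tlsverify is set
    # together with a CA cert, server cert and key.
    tls_client_auth = bool(cfg.get("tlsverify")) and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey")
    )
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if url.hostname in LOOPBACK:
            continue  # bound to the local host only
        if not tls_client_auth:
            findings.append(f"{host}: Docker API reachable without TLS client authentication")
        if url.port == 2375:
            findings.append(f"{host}: plaintext port 2375 is the port the propagator scans for")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no exposed listener"])
```

The check reads only `daemon.json`; a `-H tcp://...` flag passed to `dockerd` in a systemd unit overrides or supplements that file and must be audited separately.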
