
Exposed Docker API malware botnet-building tooling

Malware Activity
H score 39 · 1 unique source, 1 article

Summary


Updated malware targeting exposed Docker APIs now self-replicates, establishes persistent SSH access, and blocks port 2375, raising the risk of a durable botnet across compromised hosts. The chain uses Tor hidden services to fetch docker-init.sh and pulls system-linux-ARCH.zst as a second-stage payload. It also installs masscan, zstd, libpcap, and torsocks to support scanning, propagation, and evasion. Dormant logic for Telnet and Chrome remote debugging suggests room for future credential theft and browser hijacking.

Related Happenings

PCPJack Linux cloud credential-theft and persistence framework

Malware Activity
H score 49 · First: 07.05.2026 21:35 · Last: 07.05.2026 21:35 · Sources: 1

About this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...

Latest development: 05.06.2026 08:34

Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.

PCPJack worm-like credential theft framework

Malware Activity
H score 45 · First: 07.05.2026 20:45 · Last: 07.05.2026 20:45 · Sources: 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
H score 16 · First: 06.05.2026 12:48 · Last: 06.05.2026 12:48 · Sources: 1

About this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...

CanisterWorm self-propagation across npm packages

Malware Activity
H score 36 · First: 21.03.2026 09:28 · Last: 21.03.2026 09:28 · Sources: 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
H score 22 · First: 09.03.2026 20:31 · Last: 09.03.2026 20:31 · Sources: 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

Timeline

  1. 09.09.2025 22:16 2 articles · 9mo ago

    Akamai finds Tor-based Docker API malware that blocks port 2375

    Technical Analysis Update

    Akamai researchers discovered updated malware targeting exposed Docker APIs that uses a Tor hidden service, downloads a second-stage script, installs scanning and evasion tools, and can block external access to compromised Docker API ports while supporting botnet-style self-replication and persistence on affected Docker hosts.
