TOR-based cryptojacking campaign targeting exposed Docker APIs
Campaign
Summary
A TOR-based cryptojacking campaign is abusing misconfigured Docker APIs to launch containers, drop a downloader/miner chain, and spread to additional exposed hosts. The operation also installs Masscan and related tooling to scan for more Docker API services, raising the risk of broader propagation and possible botnet formation. The activity builds on a late June 2025 report and was discovered by Akamai last month.
Related Happenings
TroyDen's Lure Factory GitHub Trojanized package campaign
Campaign
First: 24.03.2026 16:59
Last: 24.03.2026 16:59
Sources 1
About this happening:
The **TroyDen's Lure Factory** campaign is distributing **300+ Trojanized GitHub packages**, broadening supply-chain risk for **developers, gamers, and the general public**. One o...
TeamPCP cloud-native exploitation campaign
Campaign
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...
Latest development: 23.03.2026 10:31
Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.
Docker Ask Gordon AI assistant Meta-Context Injection security flaw
Vulnerability
First: 03.02.2026 17:15
Last: 03.02.2026 17:15
Sources 1
About this happening:
**Docker's Ask Gordon AI assistant** is affected by **Meta-Context Injection**, where unverified metadata can be turned into executable instructions. The flaw creates **critical R...
Docker Desktop 4.50.0 Ask Gordon security update
Security Patch Release
First: 03.02.2026 17:15
Last: 03.02.2026 17:15
Sources 1
About this happening:
Docker released **Docker Desktop 4.50.0** to address a critical **Ask Gordon** flaw that could turn **unverified metadata** into executable instructions. The update matters becaus...
VoidLink analysis reveals Kubernetes/Docker checks and modular anti-analysis behavior
Technical Analysis
First: 14.01.2026 00:12
Last: 14.01.2026 00:12
Sources 1
About this happening:
**VoidLink** is a **Linux C2 framework** built for **cloud and container environments**, with **multi-cloud targeting** across **AWS, Google Cloud Platform, Microsoft Azure, Aliba...
Timeline
09.09.2025 22:16 · 1 article
Akamai identifies botnet-style tooling in exposed Docker API campaign
Campaign Scope Update: Akamai warned on September 8, 2025 that a new exposed-Docker-API campaign variation blocks external access to compromised Docker APIs and appears to be an initial version of a complex botnet. The tooling downloads system-linux-ARCH.zst over Tor, decompresses it to /tmp/system, persists access by appending an attacker key to /root/.ssh/authorized_keys, and installs masscan, zstd, libpcap, and torsocks for scanning, propagation, and evasion. The payload also contains dormant logic for Telnet exploitation using default router credentials and interaction with Chrome's remote debugging interface.
- Hackers hide behind Tor in exposed Docker API breaches — www.bleepingcomputer.com — 09.09.2025 22:16
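As an added defender-side example (not code from Akamai or the cited reporting), the following Python audits a host snapshot for the conditions this entry describes: a Docker daemon listening on tcp:// without TLS client verification, root authorized_keys entries outside an allowlist, the /tmp/system drop path, and the masscan/torsocks/zstd tooling. The HostSnapshot fields, the allowlist and the sample data are constructed assumptions.

```python
import json
from dataclasses import dataclass

# Indicators taken from the reporting summarised above; a real key allowlist
# would come from configuration management, not a literal set.
SUSPECT_PATHS = {"/tmp/system"}
SUSPECT_TOOLS = {"masscan", "torsocks", "zstd"}

@dataclass
class HostSnapshot:
    daemon_json: str        # contents of /etc/docker/daemon.json
    authorized_keys: str    # contents of /root/.ssh/authorized_keys
    present_paths: set      # file paths observed on disk
    installed_tools: set    # binaries found in PATH

def exposed_docker_listeners(daemon_json: str) -> list:
    """tcp:// listeners not protected by client-certificate verification."""
    cfg = json.loads(daemon_json or "{}")
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_ok = cfg.get("tlsverify") is True and "tlscacert" in cfg
    return [] if tls_ok else tcp

def unknown_authorized_keys(authorized_keys: str, allowed_blobs: set) -> list:
    """Entries whose key material is not in the allowlist (full line returned)."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # An options prefix (e.g. no-pty) may precede the key type field.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts) or parts[idx + 1] not in allowed_blobs:
            unknown.append(line.strip())
    return unknown

def audit(snapshot: HostSnapshot, allowed_blobs: set) -> list:
    findings = [f"docker api on tcp without tls: {h}"
                for h in exposed_docker_listeners(snapshot.daemon_json)]
    findings += [f"unexpected root ssh key: {k}"
                 for k in unknown_authorized_keys(snapshot.authorized_keys, allowed_blobs)]
    findings += [f"suspicious path: {p}" for p in sorted(SUSPECT_PATHS & snapshot.present_paths)]
    findings += [f"scanner/proxy tooling: {t}" for t in sorted(SUSPECT_TOOLS & snapshot.installed_tools)]
    return findings

# Constructed sample: unauthenticated tcp listener, one unknown key, dropped tooling.
SAMPLE = HostSnapshot('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "ssh-ed25519 AAAAC3KNOWNBLOB admin@bastion\nssh-rsa AAAAB3UNKNOWNBLOB",
    {"/tmp/system", "/etc/hostname"}, {"masscan", "torsocks", "curl"})
ALLOWED = {"AAAAC3KNOWNBLOB"}
```

Running audit(SAMPLE, ALLOWED) yields five findings for the constructed host; on a real host, feed it the actual daemon.json, authorized_keys and inventory data.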
09.09.2025 13:02 · 1 article
Initial report: TOR-based cryptojacking campaign targeting exposed Docker APIs
Initial Disclosure: The operation starts by abusing **exposed Docker APIs** to create an **Alpine** container and mount the host filesystem. It then uses a **Base64-encoded** command to download a shell script from a **.onion** domain and set up persistence.
- TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs — thehackernews.com — 09.09.2025 13:02