A newly uncovered malware campaign is exploiting unsecured Docker environments across the globe, silently enrolling them into a decentralized cryptojacking network that mines the privacy-focused cryptocurrency, Dero.
Cybersecurity firm Kaspersky reports that the attack begins by targeting exposed Docker APIs on port 2375. Once a host is compromised, the attacker deploys malicious containers and infects existing ones, using system resources to mine Dero and search for other vulnerable hosts, all without relying on a central command-and-control server.
For context, Docker is a platform that uses OS-level virtualization to run applications in lightweight units called containers.
The attackers utilize two implants developed in Golang: one dubbed “nginx,” mimicking the popular web server, and another called “cloud,” which is the actual mining software.
Once a system is breached, the “nginx” component continuously scans the internet for additional misconfigured Docker nodes, using tools like Masscan to identify targets and propagate infection through new containers.
“The entire campaign behaves like a zombie container outbreak,” researchers noted. “One infected node autonomously creates new zombies to mine Dero and spread further. No external control is needed — just more misconfigured Docker endpoints.”
To stay hidden, the malware encrypts crucial data like wallet addresses and Dero nodes, and disguises itself under file paths commonly used by legitimate system processes.
Kaspersky has linked the infrastructure — including the wallet and Dero node — to previous cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024. This points to an evolved version of an existing threat rather than an entirely new operation.
What sets this campaign apart is its worm-like behavior and the lack of centralized coordination, making it especially difficult to detect and eliminate.
As of early May, more than 520 Docker APIs were found to be publicly exposed on port 2375 — each a potential victim of this growing malware network.
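A defender-side check for the exposure described above, added here as an example and not taken from Kaspersky's report or the original article: it reads the text of a Docker `daemon.json` and the `dockerd` command line and reports TCP listeners that do not require client certificates. The function names and the sample inputs are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
FALSY = {"false", "0", "f"}  # spellings Go boolean flags treat as false

def listeners_and_tlsverify(daemon_json, argv):
    """Merge 'hosts' and 'tlsverify' from daemon.json text with dockerd flags."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    i = 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name in ("-H", "--host"):
            if not sep and i + 1 < len(argv):  # "-H tcp://..." form
                i += 1
                value = argv[i]
            hosts.append(value)
        elif name == "--tlsverify":
            tlsverify = value.lower() not in FALSY
        i += 1
    return hosts, tlsverify

def audit(daemon_json, argv):
    """Return one finding per TCP listener that accepts unauthenticated clients."""
    hosts, tlsverify = listeners_and_tlsverify(daemon_json, argv)
    if tlsverify:
        return []  # clients must present a certificate signed by the daemon's CA
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not network sockets
        # dockerd binds an omitted host (tcp://:2375) to loopback
        addr = urlsplit(host).hostname or "127.0.0.1"
        scope = "loopback only" if addr in LOOPBACK else "network-reachable"
        findings.append(f"{host}: no client certificate required ({scope})")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    sample_json = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    sample_argv = ["dockerd", "--containerd=/run/containerd/containerd.sock"]
    for finding in audit(sample_json, sample_argv):
        print(finding)
```

A listener started with `tls` but without `tlsverify` is still reported, because encryption alone does not authenticate the client.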