Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication
A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs to spread malicious containers and mine Dero cryptocurrency.
Dubbed a “Docker zombie outbreak” by cybersecurity researchers at Kaspersky, this attack leverages a self-replicating propagation mechanism to transform compromised containers into “zombies” that mine cryptocurrency and infect new victims.
The campaign, detected during a recent compromise assessment, is notable for its degree of automation: it needs no command-and-control (C2) server, because every infected host independently scans for and infects further exposed Docker APIs.

A New Threat in Containerized Environments
The attack begins when a threat actor reaches a Docker Engine API that has been exposed to the network without authentication, typically the plain-TCP listener on port 2375. Anyone who can reach such an API can create and start containers on that host, which in practice amounts to root access to it.
Once inside, two Golang-based, UPX-packed malware implants are deployed: a propagation malware masquerading as “nginx” (detected as Trojan.Linux.Agent.gen) and a Dero cryptocurrency miner named “cloud” (detected as RiskTool.Linux.Miner.gen).
The nginx malware is the orchestrator, handling persistence and propagation; it logs its activity to “/var/log/nginx.log” and maintains a version marker in “/usr/bin/version.dat” that identifies already-infected containers.
It continuously scans random IPv4 /16 subnets with the masscan tool to locate other exposed Docker APIs, creates new malicious containers with names of 12 random characters, and also compromises existing Ubuntu 18.04-based containers on the remote hosts it finds.
Each new container is equipped with dependencies like masscan and docker.io, and the malware implants are copied over to sustain the infection cycle.

Automated Infection Chain Unleashes Chaos
The cloud miner, derived from the open-source DeroHE CLI project, operates with hardcoded, encrypted configurations, including a wallet address (dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y) and derod node addresses (d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link), decrypted via AES-CTR during execution.
This miner hijacks the host’s resources for Dero mining while nginx ensures its continuous operation by restarting it if interrupted.
Unlike earlier campaigns targeting Kubernetes clusters with stealthy tactics, this attack prioritizes aggressive lateral movement, scanning and infecting new networks without hesitation.
Shodan data from April 2025 shows 520 Docker APIs exposed to the internet globally; each of them can be infected without any credentials, so that figure is the campaign's available attack surface.
The absence of a C2 server also makes the campaign hard to disrupt: there is no infrastructure to take down, and it keeps spreading for as long as insecure Docker APIs remain reachable.
In its report, Kaspersky emphasizes the importance of robust monitoring and proactive threat hunting to combat such attacks, recommending tools like Kaspersky Container Security to detect misconfigurations and monitor registry images.
As containerized environments become increasingly prevalent, this Docker zombie malware serves as a stark reminder that runtime security is just as critical as building from trusted images.
Organizations should therefore treat the Docker API as a privileged interface: never bind the daemon to a public TCP address without TLS client-certificate authentication (the 2376 convention), restrict reachability with firewall rules, and hunt for the indicators below on any host whose API has been exposed.
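The following Python script, added here as an illustration and not taken from the Kaspersky report or the malware, turns the two practical points above into runnable checks: it audits a dockerd configuration for the unauthenticated tcp:// listener the worm depends on, showing the weak daemon.json beside a hardened one that keeps remote access but requires client certificates, and it matches saved container names, file listings, file contents and log text against the indicators in the IoC table below. The 12-character name pattern assumes a lowercase alphanumeric charset (the report states only "12 random characters"), the certificate paths in the hardened config are placeholders, and all sample inputs are constructed.

```python
"""Triage helpers for the exposure and indicators described above.

Added example, not code from the Kaspersky report or the malware itself. It
works on saved text (daemon.json, the dockerd command line, a 'docker ps' name
list, a file listing from inside a container) so it runs offline; all sample
inputs below are constructed.
"""
import hashlib
import json
import re
import shlex

# Indicators from the report. The MD5s are the two file hashes in the IoC table.
IOC_MD5 = {
    "094085675570a18a9225399438471cc9",  # nginx (propagation implant)
    "14e7fb298049a57222254ef0f47464a7",  # cloud (Dero miner)
}
IOC_PATHS = {"/usr/bin/nginx", "/usr/bin/cloud",
             "/var/log/nginx.log", "/usr/bin/version.dat"}
IOC_DOMAINS = {"d.windowsupdatesupport.link", "h.windowsupdatesupport.link"}

# Charset is an assumption: the report says only "12 random characters".
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")


def audit_dockerd(daemon_json: str, cmdline: str) -> list[str]:
    """Report every tcp:// listener that is not protected by TLS client auth.

    Hosts come from the "hosts" key of daemon.json and from -H/--host flags on
    the dockerd command line. TLS counts as enforced only when tlsverify is
    set in the file or --tlsverify is given on the command line; a plain
    tcp://0.0.0.0:2375 listener is exactly the entry point the worm uses.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", []))
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
    tls = bool(cfg.get("tlsverify")) or "--tlsverify" in argv or "--tlsverify=true" in argv
    return [f"unauthenticated Docker API listener: {h}"
            for h in hosts if h.startswith("tcp://") and not tls]


def suspicious_container_names(names: list[str]) -> list[str]:
    """Names matching the worm's 12-character random naming pattern."""
    return [n for n in names if RANDOM_NAME.match(n)]


def ioc_file_hits(paths: list[str]) -> list[str]:
    """IoC paths present in a container's file listing.

    /usr/bin/nginx exists in any legitimate nginx image, so treat a path hit as
    a triage cue and confirm with version.dat or a hash match.
    """
    return sorted(IOC_PATHS & set(paths))


def is_known_implant(data: bytes) -> bool:
    """True if the file content hashes to one of the published MD5s."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest() in IOC_MD5


def ioc_domains_in(text: str) -> list[str]:
    """Derod node hostnames found in text (DNS logs, a config dump), defanged or not."""
    norm = text.lower().replace("[.]", ".")
    return sorted(d for d in IOC_DOMAINS if d in norm)


# Constructed samples: the weak daemon.json the worm needs, and a hardened one
# that keeps remote access but requires client certificates on 2376. The
# certificate paths are placeholders.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    print(audit_dockerd(WEAK_DAEMON_JSON, "dockerd"))
    print(audit_dockerd(HARDENED_DAEMON_JSON, "dockerd"))
    print(suspicious_container_names(["web-frontend", "k3x9qm2vbn7t", "db"]))
    print(ioc_file_hits(["/usr/bin/nginx", "/usr/bin/version.dat", "/etc/passwd"]))
    print(ioc_domains_in("derod: h.wiNdowsupdatesupport[.]link:10100"))
```

On a live host the inputs come from `cat /etc/docker/daemon.json`, `ps -o args= -C dockerd`, `docker ps --format '{{.Names}}'` and `docker exec <id> find / -xdev` respectively; the hash check is the only indicator that is not prone to false positives, since a legitimate nginx image also ships `/usr/bin/nginx`.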
Indicators of Compromise (IoC)
| Type | Value |
|---|---|
| File hash (nginx, MD5) | 094085675570A18A9225399438471CC9 |
| File hash (cloud, MD5) | 14E7FB298049A57222254EF0F47464A7 |
| File paths | /usr/bin/nginx, /usr/bin/cloud, /var/log/nginx.log, /usr/bin/version.dat |
| Derod node addresses | d.windowsupdatesupport[.]link, h.wiNdowsupdatesupport[.]link |
| Dero wallet address | dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y |