Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerised environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs: the remote management interface of Docker, an open-source container platform.

In 2025, Docker API default ports are being published insecurely in significant numbers: almost 500 such exposures are observed worldwide on average each month. In the discovered campaign, the attackers inject two types of malware into compromised systems: the miner itself, and a propagation component that spreads the campaign to other insecurely exposed container hosts.

Kaspersky experts discovered the campaign during a compromise assessment project. According to their estimates, any organisation that operates containerised infrastructure while exposing Docker APIs without robust security controls is a potential target, including technology companies, software development firms, hosting providers, cloud service providers and other enterprises.

According to Shodan, in 2025 there are 485 published Docker API default ports worldwide each month on average. This figure illustrates the campaign's potential attack surface by counting the "entry points", that is, insecurely exposed ports that attackers might target.

Once attackers identify an insecurely published Docker API, they either compromise existing containers or create new malicious ones from the standard Ubuntu image. They then inject two malware samples, named "nginx" and "cloud", into the compromised containers. "cloud" is the Dero cryptocurrency miner; "nginx" is the propagation component, which maintains persistence, ensures the miner keeps running, and scans for other exposed environments.

This design lets the attackers operate without traditional command-and-control (C2) servers: each infected container independently scans the Internet for further insecurely exposed Docker APIs and can spread the miner to new targets on its own.

“The campaign has the potential for exponential growth of infections, with each compromised container acting as a new source of attack if security measures are not immediately put in place in the potentially targeted networks,” explains Amged Wageh, an incident response and a compromise assessment expert at Kaspersky Security Services. “Containers are foundational to software development, deployment, and scalability. Their widespread use across cloud-native environments, DevOps, and microservices architectures makes them an attractive target for cyberattackers.

“This growing reliance demands organisations adopt a 360-degree approach to security – combining robust security solutions with proactive threat hunting and regular compromise assessments,” Wageh says.

The attackers hard-coded the names "nginx" and "cloud" directly in the binary, the compiled executable made of machine instructions and data rather than human-readable source. This is a classic masquerading tactic: the payload poses as a legitimate tool (here, the nginx web server) to deceive both analysts and automated defences that judge a process by its name.

To mitigate container-related threats, Kaspersky recommends:

  • Companies that use Docker APIs should immediately review the security of any potentially exposed infrastructure. Specifically, do not publish the Docker API on a network interface unless there is an operational need, and where it must be published, protect it with TLS and client certificate verification (the daemon's --tlsverify mode), so that only clients holding a certificate signed by your own CA can reach it. TLS on its own encrypts the connection but does not authenticate the caller.
  • Use proactive threat hunting and regular compromise assessments to uncover active cyberattacks and previously unknown attacks that flew under the radar.
  • Containerisation is currently the most popular application development method, but risks can emerge in each component of a container's infrastructure and may heavily impact business processes. Protecting containerised environments is crucial and requires specialised security solutions. Kaspersky Container Security covers all stages of containerised application development. Beyond the development process, the solution protects the runtime: for example, it allows only trusted containers to launch, controls the operation of the applications and services inside the containers, and monitors their traffic.
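The check behind the first recommendation, as an added example that is not Kaspersky's code or tooling: a POSIX shell audit that reads a dockerd command line, lists every API listener configured with -H/--host, and flags TCP listeners that are not protected by mutual TLS (--tlsverify). The command lines it runs against are constructed for the example; the classification rules are this example's own assumptions, built on Docker's documented -H, --tls and --tlsverify daemon options.

```shell
#!/bin/sh
# Added example: audit a dockerd command line for an unauthenticated
# Docker API listener of the kind the campaign abuses.
# Classification rules are this example's own assumptions:
#   unix:// or fd://          ok       (local socket, filesystem permissions apply)
#   tcp:// with --tlsverify   ok       (mutual TLS: client must hold a CA-signed cert)
#   tcp:// with --tls only    insecure (encrypted, but any client is accepted)
#   tcp:// with no TLS flag   insecure (plain HTTP, the default-port 2375 case)

# Print the -H / --host values of a dockerd command line, space separated.
docker_hosts_from_cmdline() {
    prev=""; out=""
    for w in $1; do
        case $w in
            --host=*) out="$out ${w#--host=}" ;;
            *) if [ "$prev" = "-H" ] || [ "$prev" = "--host" ]; then out="$out $w"; fi ;;
        esac
        prev=$w
    done
    echo "${out# }"
}

# Print none | tls | tlsverify depending on the TLS flags present.
# --tlsverify implies --tls, so it wins when both are given.
docker_tls_mode_from_cmdline() {
    mode=none
    for w in $1; do
        case $w in
            --tlsverify|--tlsverify=true) mode=tlsverify ;;
            --tls|--tls=true) [ "$mode" = tlsverify ] || mode=tls ;;
        esac
    done
    echo "$mode"
}

# audit_docker_hosts "<space-separated listeners>" "<none|tls|tlsverify>"
# One verdict line per listener; returns 1 if any listener is insecure.
audit_docker_hosts() {
    rc=0
    for h in $1; do
        case $h in
            unix://*|fd://*) echo "ok        $h (local socket)" ;;
            tcp://*)
                case $2 in
                    tlsverify) echo "ok        $h (mutual TLS)" ;;
                    tls)       echo "insecure  $h (TLS without client verification: API still unauthenticated)"; rc=1 ;;
                    *)         echo "insecure  $h (unauthenticated Docker API)"; rc=1 ;;
                esac ;;
            *) echo "unknown   $h" ;;
        esac
    done
    return $rc
}

# Convenience wrapper: hosts and TLS mode are both taken from one command line.
audit_dockerd_cmdline() {
    audit_docker_hosts "$(docker_hosts_from_cmdline "$1")" "$(docker_tls_mode_from_cmdline "$1")"
}

# Two constructed command lines: the exposed default, then a hardened daemon.
audit_dockerd_cmdline 'dockerd -H fd:// -H tcp://0.0.0.0:2375' || echo "=> exposed: fix before a scanner finds it"
audit_dockerd_cmdline 'dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'

# Live check (assumption: Linux host with procps ps): audit the running daemon, if any.
if live=$(ps -o args= -C dockerd 2>/dev/null) && [ -n "$live" ]; then
    audit_dockerd_cmdline "$live"
fi
```

The same rules apply to the hosts and tlsverify keys in /etc/docker/daemon.json if the daemon is configured there instead of on the command line. A listener bound to 127.0.0.1 is still reported as insecure on purpose: it is not reachable from the Internet, but any local user who can open the port gets root-equivalent control of the host through the API.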