Attackers Abuse Docker APIs And Tor To Launch Cloud Cryptojacking

HomeNews* Attackers are exploiting misconfigured Docker APIs to mine cryptocurrency in cloud environments.

• They use the Tor network to hide their activities while deploying crypto miners.
• Attackers gain access, create new containers, and mount critical system directories, risking container escapes.
• The attack involves installing tools and scripts to set up remote access, collect data, and install the XMRig miner.
• Recent findings show hundreds of leaked credentials in public code repositories, exposing companies to further risk. An active campaign is targeting misconfigured Docker instances to secretly mine cryptocurrency, according to findings by Trend Micro researchers released in June 2025. Attackers reportedly exploit misconfigured Docker APIs, using the Tor network to remain anonymous as they deploy crypto mining tools onto vulnerable cloud-hosted containers.

• Advertisement - Researchers observed that the attack typically starts with a request to the Docker API to retrieve a list of containers on the host. If no containers exist, the attackers create a new container using the "alpine" image and mount the host system’s root directory as a shared volume. This step can allow attackers to bypass container isolation and access files on the host machine, raising the risk of broader system compromise.

Trend Micro states that after establishing a new container, the attackers run a Base64-encoded shell script to install Tor within the container. They then download and execute a remote script hosted on a .onion address, using tools and settings such as "socks5h" to route all traffic through Tor. According to the researchers, "It reflects a common tactic used by attackers to hide command-and-control (C&C) infrastructure, avoid detection, and deliver Malware or miners within compromised cloud or container environments," adding that this method complicates efforts to trace the origin of the attack.

Once the environment is set up, the attackers deploy a shell script named "docker-init.sh." This script checks if the "/hostroot" directory is mounted, changes SSH configurations to enable root logins, and adds an attacker’s SSH key for future access. Additional tools, such as masscan and torsocks, are installed, allowing the attackers to scan networks and further evade detection. The attack culminates with the installation of an XMRig cryptocurrency miner, configured with wallet addresses and mining pools controlled by the threat actors.

Trend Micro notes that this activity primarily targets technology, financial, and healthcare sectors. The company also highlights a related security risk after Wiz discovered that hundreds of sensitive credentials have surfaced in public repositories, including files in Python notebooks and application configuration files, with affected organizations ranging from startups to Fortune 100 companies. The researchers caution that results from code execution in shared Python notebooks can reveal valuable information to attackers capable of linking it back to their sources.

The trend underscores the importance of securing cloud and container environments, especially as attackers continue to automate exploits and look for exposed credentials across public code repositories.

Previous Articles:

• Mastercard joins Paxos Global Dollar Network to boost stablecoins
• Crypto Markets Rally as Trump Brokers Iran-Israel Ceasefire
• Federal Reserve Drops ‘Reputational Risk’ in Bank Supervision
• Fort Myers Officials Crack Down on Rising Crypto ATM Scams on Seniors
• ETH Jumps 8% After Trump Announces Israel-Iran Ceasefire

• Advertisement -