
A new malware variant targeting exposed Docker APIs has been identified, showcasing advanced infection capabilities beyond traditional cryptomining activities.
First discovered in August 2025, this malware employs evolved tactics to establish persistent root access, simultaneously preventing other attackers from exploiting compromised systems.
This represents a significant evolution from a variant initially reported in June 2025.
The initial strain was primarily focused on cryptocurrency mining, utilizing Tor infrastructure. In contrast, the latest iteration demonstrates more complex behavior.
The attack begins by exploiting misconfigured Docker APIs accessible via the internet, specifically targeting port 2375, where Docker daemons are exposed without authentication.
The infection process involves creating malicious containers based on Alpine Linux images, which mount the host filesystem to gain privileged access.
A Base64-encoded payload is used to download and execute a shell script from a Tor hidden service, establishing multiple persistence mechanisms.
During honeypot monitoring, analysts identified this variant, noting distinct behavioral differences from previously documented attacks.
Advanced Persistence and Defense Evasion Mechanisms
The malware’s notable advancement lies in its approach to maintaining exclusive access to compromised infrastructure.
Upon initial compromise, it deploys a script named docker-init.sh, which implements multiple layers of persistence and defense.
The persistence mechanism involves appending an attacker-controlled SSH public key to /root/.ssh/authorized_keys, enabling direct root access that bypasses normal authentication.
Additionally, a cron job executes every minute, blocking access to port 2375 across various firewall platforms, including iptables, ufw, firewall-cmd, pfctl, and nft.
# Excerpt of the cron-driven firewall routine: every minute it walks the firewall
# tools it knows about and rejects inbound tcp/2375 with whichever one is installed.
# Only the firewall-cmd branch is reproduced in this excerpt.
PORT=2375
PROTOCOL=tcp
for fw in firewall-cmd ufw pfctl iptables nft; do
    if command -v "$fw" >/dev/null 2>&1; then
        case "$fw" in
            firewall-cmd)
                firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' port port='$PORT' protocol='$PROTOCOL' reject"
                firewall-cmd --reload
                ;;
        esac
    fi
done
This defensive measure prevents other malicious actors from exploiting the same vulnerability while maintaining the established foothold through SSH access.
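As an added defender-side illustration (not code from the article or from the malware), the following Python script checks a host for the three indicators described above: a Docker daemon configured to listen on tcp without TLS client verification, a running container that bind-mounts the host root filesystem, and a system crontab entry scheduled every minute. All inputs are constructed samples embedded inline, and the function names and file paths are assumptions for the example.

```python
import json

# Constructed samples (not captured from a real host) of the three artifacts a
# defender would pull: /etc/docker/daemon.json, `docker inspect $(docker ps -q)`,
# and /etc/crontab. Container names and script paths are illustrative.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nostalgic_x", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Binds": ["/:/mnt:rw"], "Privileged": False}},
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
])
SAMPLE_CRON = ("* * * * * root /usr/local/bin/block2375.sh\n"
               "0 3 * * * root /usr/bin/certbot renew\n")

def exposed_tcp_listeners(daemon_json):
    """Return tcp:// listeners from daemon.json when TLS client verification is off.
    Without tlsverify, anyone who can reach the port gets full daemon control."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def host_root_mounts(inspect_json):
    """Return names of containers whose bind mounts expose the host root (/)."""
    flagged = []
    for c in json.loads(inspect_json):
        binds = (c.get("HostConfig") or {}).get("Binds") or []
        if any(b.split(":")[0] == "/" for b in binds):
            flagged.append(c["Name"].lstrip("/"))
    return flagged

def every_minute_jobs(crontab_text):
    """Return commands of /etc/crontab entries scheduled every minute (* * * * *)."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[:5] == ["*"] * 5:
            jobs.append(" ".join(fields[6:]))  # drop the schedule and user columns
    return jobs

if __name__ == "__main__":
    print("unauthenticated tcp listeners:", exposed_tcp_listeners(SAMPLE_DAEMON_JSON))
    print("host-root bind mounts:", host_root_mounts(SAMPLE_INSPECT))
    print("every-minute cron jobs:", every_minute_jobs(SAMPLE_CRON))
```

Any hit from the first check is the root cause to fix first: bind the daemon to the Unix socket only, or require tlsverify on a tcp listener.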
The malware also installs tools for reconnaissance, such as masscan for network scanning and torsocks for anonymous communications.
These components enable the identification and compromise of additional vulnerable Docker instances, potentially leading to large-scale botnet operations.
The combination of persistent access, competitive exclusion, and propagation capabilities renders this malware a significant threat to containerized environments.