
Self-Replicating Zombie Malware Targets Docker
Unsecured Docker containers are hijacked by malware that spreads autonomously, creating a zombie network mining the privacy-focused cryptocurrency Dero.
In a rush? Here are the quick facts:
- Malware spreads autonomously without a command-and-control server, complicating defense.
- Two Golang implants: fake nginx tool and hidden Dero cloud miner.
- Malware hijacks existing containers and creates new malicious containers automatically.
A new cryptojacking campaign is turning unsecured Docker containers into a fast-spreading zombie network that mines the privacy-focused cryptocurrency Dero. The malware spreads on its own, without a command-and-control server, making it harder to stop.
Researchers at Kaspersky discovered the infection during a routine security assessment. “We detected a number of running containers with malicious activities,” they said.
The attack begins when exposed Docker APIs are found online. Once one is breached, the malware creates new malicious containers and hijacks existing ones—turning them into “zombies” that mine Dero and infect others.
The attack uses two Golang-based malware implants, both hidden with UPX packing: one is named nginx (not to be confused with the legitimate web server), and the other is the cloud Dero miner. Kaspersky identified them as Trojan.Linux.Agent.gen and RiskTool.Linux.Miner.gen.
The nginx malware fakes being a legitimate web tool and keeps the miner running while constantly scanning the internet for new targets. It looks for Docker APIs open on port 2375 and uses tools like masscan to detect them. Once it finds a vulnerable system, it deploys a fake Ubuntu container and installs the malware.
It also tries to take over existing containers by checking for a special file, version.dat. If the file is missing, it installs the malware and starts mining.
The cloud miner hides its wallet and server addresses using encrypted strings. Once decrypted, researchers traced them back to past attacks on Kubernetes clusters.
“This implant is designed to minimize interaction with the operator,” the report says, warning that similar campaigns may still be active.
Security experts warn that as long as Docker APIs are exposed online without protection, such cryptojacking campaigns will continue. Docker environments should be secured by disabling open APIs and tightening network access controls.
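As an added example (not code from the article or from Kaspersky's report), the Python helper below checks the two things the text points at: whether a daemon.json exposes the Docker API over plain TCP without TLS client verification, and whether running containers show the traits described above (a fake nginx process outside an nginx image, masscan, the version.dat marker). The daemon.json and container records are constructed samples; collecting them from a real host with docker inspect, docker top and a listing inside each container is assumed.

```python
import json

# Traits described in the article: the implant hunts for daemons exposed on
# TCP 2375, runs a fake "nginx" process and masscan inside Ubuntu containers,
# and drops a version.dat marker so it can skip containers it already owns.
MARKER_FILE = "version.dat"


def exposed_api_hosts(daemon_json: str) -> list:
    """Return daemon.json 'hosts' entries that serve the API over plain TCP."""
    cfg = json.loads(daemon_json)
    # A tcp:// listener is only acceptable with TLS client auth enforced,
    # which daemon.json expresses as "tlsverify": true.
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def suspicious_containers(containers: list) -> list:
    """Flag containers showing the campaign's traits; returns (name, reasons)."""
    hits = []
    for c in containers:  # each dict: name, image, processes, files
        reasons = []
        image = c["image"].lower()
        procs = {p.lower() for p in c["processes"]}
        # an nginx binary in a non-nginx image mirrors the fake "nginx" implant
        if "nginx" in procs and not image.startswith("nginx"):
            reasons.append("nginx process in non-nginx image")
        if "masscan" in procs:
            reasons.append("masscan running inside container")
        if MARKER_FILE in c["files"]:
            reasons.append(MARKER_FILE + " marker present")
        if reasons:
            hits.append((c["name"], reasons))
    return hits


# Constructed sample input (not from any real host) for a stand-alone run;
# the same shape can be filled from `docker inspect`, `docker top` and a
# directory listing inside each container.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS = [
    {"name": "web", "image": "nginx:1.25", "processes": ["nginx"], "files": []},
    {"name": "zombie", "image": "ubuntu:22.04",
     "processes": ["nginx", "masscan", "cloud"], "files": ["version.dat"]},
]

if __name__ == "__main__":
    print("exposed API listeners:", exposed_api_hosts(SAMPLE_DAEMON_JSON))
    print("suspicious containers:", suspicious_containers(SAMPLE_CONTAINERS))
```

A daemon that only listens on the unix socket, or on tcp:// with tlsverify set, returns an empty list from the first check.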