Akamai’s Hunt Team has identified a new strain of malware targeting misconfigured Docker APIs, expanding on a campaign first documented earlier this summer. Unlike earlier versions, which installed cryptocurrency miners, this variant focuses on blocking external access and installing persistence mechanisms, suggesting a larger objective.
From Cryptomining to Control
The first wave of this Docker-focused campaign was reported in June 2025 by Trend Micro. That variant exploited exposed Docker services to deploy a cryptominer delivered through a Tor domain, monetizing compromised servers quickly.
In its August honeypot activity, Akamai observed a shift. The new Docker malware no longer installs a miner. Instead, it:
- Blocks port 2375, the default Docker API port, to lock out other attackers
- Executes a Base64-encoded script to initiate its payload
- Gains access to the host filesystem for deeper control
- Installs persistence mechanisms to maintain access even after reboots
This behavior indicates that the operators may be building infrastructure for future campaigns rather than pursuing immediate cryptomining profits.
How Attackers Get In
The initial access vector remains unchanged: attackers scan for exposed Docker APIs left unsecured without authentication. Misconfigured Docker services continue to be a high-value target because they provide administrative access to containers and, by extension, the underlying host system.
(Image Source: Akamai)
Once inside, the malware executes scripts that install tooling for system monitoring and long-term persistence. By blocking port 2375, it effectively claims exclusive control of the compromised server, preventing rival malware operators from hijacking the same resource.
Why Blocking Rivals Matters
Cryptojacking campaigns often compete for resources, with multiple groups attempting to deploy miners on the same misconfigured servers. By blocking external access, this new strain secures the compromised infrastructure for future use.
Researchers believe the operators may be preparing for more sophisticated payloads such as ransomware, proxy networks, or DDoS botnets.
“This isn’t about quick wins,” Akamai’s team noted. “The malware authors are positioning themselves to use these systems as controlled assets in larger campaigns.”
Implications for Docker Security
The incident highlights ongoing weaknesses in Docker deployments. Many organizations continue to expose APIs without authentication or TLS, providing attackers with a direct path into production environments.
Once compromised, Docker hosts can serve as:
- Launchpads for lateral movement into enterprise networks
- Platforms for staging additional malware payloads
- Infrastructure for monetization schemes like proxies or DDoS-for-hire services
Because Docker is widely used in cloud-native environments, the risk extends beyond individual servers to entire application ecosystems.
Akamai’s Findings
Akamai’s honeypots recorded hundreds of exploitation attempts during August 2025. The researchers noted that the malware uses obfuscation and lightweight scripts to remain stealthy. Its reliance on Base64-encoded payloads also complicates analysis.
While attribution remains unclear, the campaign’s shift from mining to infrastructure control suggests a well-resourced group with longer-term objectives.
The new Docker malware variant shows how quickly attackers adapt their tactics. What began as a cryptojacking campaign has evolved into a control-oriented operation, where compromised servers are being secured for future malicious use.
For organizations, the case reinforces the importance of hardening Docker deployments and treating exposed APIs as critical vulnerabilities. For the broader industry, it is another reminder that supply chain and infrastructure-level attacks remain a growing frontier in cybersecurity.
