New Malware Exploits Exposed Docker APIs to Gain Persistent Root SSH Access

Cybersecurity

The Akamai Hunt Team has identified a new malware strain targeting exposed Docker APIs, showing expanded infection capabilities.

Overview

Initially detected in August 2025, this variant blocks other attackers from accessing the Docker API and delivers a modular payload instead of a cryptominer. The findings highlight the rapid evolution of threat actors, from hijacking Docker hosts to potentially establishing a botnet framework.

Initial Threat Vector

In June 2025, malware was reported exploiting unsecured Docker APIs on port 2375, using Tor-based downloads to deploy cryptocurrency miners. The initial campaign aimed to hijack compute cycles for cryptomining under Tor anonymity.

• Installed curl and torsocks.
• Retrieved an XMRig miner binary.
• Modified /etc/ssh/sshd_config to permit root login.
• Added an attacker’s public key to /root/.ssh/authorized_keys.
• Scheduled a cron job for SSH persistence and miner execution.

Akamai’s Variant: Expanded Capabilities

Persistent SSH Root Access and API Lockdown

Akamai observed HTTP requests to Docker APIs attempting container creation. The payload installed Tor, retrieved a docker-init.sh script, and executed it on the host. Key distinctions include:

• SSH Persistence: Appends attacker’s ECDSA key to /hostroot/root/.ssh/authorized_keys and reconfigures sshd for root logins.
• API Access Denial: A cron job blocks port 2375, preventing other attackers from exploiting the same API.
• Modular Payload Delivery: Deploys a Go-based dropper and secondary binaries for further reconnaissance.

The Go dropper identifies logged-in users, and the secondary binary:

• Scans for additional exposed Docker APIs (port 2375).
• Includes dormant Telnet (port 23) and Chrome Debugging (port 9222) modules.
• Posts scan results to a Tor-hosted C2 endpoint, suggesting a modular botnet architecture.

Detection and Mitigation

Detection techniques for this malware include:

• Monitoring Docker API interactions for installer and downloader commands.
• Alerting on connections to ports 2375, 9222, and 23 from untrusted networks.
• Inspecting new containers for host filesystem mounts or Base64-encoded commands.
• Tracking abnormal Tor or onion-domain network traffic.
• Detecting sudden cessation of service listeners on expected ports.

To reduce exposure and risk:

• Network Segmentation: Restrict Docker API access to trusted subnets.
• Minimize Exposed Services: Avoid binding Docker, Chrome debugger, or Telnet ports to public interfaces.
• Secure Default Credentials: Rotate default passwords and change Telnet/SSH defaults immediately.
• Least Privilege: Run Docker daemons under non-root users and enforce strict API authentication.

This new Docker-API malware variant underscores the speed at which adversaries adapt known exploits. By combining SSH root backdoors, API lockdown tactics, and modular payloads, the threat actor has elevated a simple cryptominer campaign into a multi-stage intrusion framework. Continuous threat hunting is essential for early detection and remediation.