Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs.
Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.
The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity.
"This new strain seems to use similar tooling to the original, but may have a different end goal – including possibly setting up the foundation of a complex botnet," security researcher Yonatan Gilvarg said.
The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors running a Base64-encoded payload to download a shell script downloader from a .onion domain.
The script, besides altering SSH configurations to set up persistence, also installs other tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks to conduct reconnaissance, contact a command-and-control (C2) server, and download a compressed binary from a second .onion domain.
"The first file that is downloaded is a dropper written in Go that includes the content it wants to drop, so it won't communicate out to the internet," Gilvarg explained. "Except for dropping another binary file, it parses the utmp file to find who is currently logged in to the machine."
Interestingly, the binary file's source code includes an emoji to depict users who are signed in to the system. This indicates that the artifact may have been crafted using a large language model (LLM).
The dropper also launches Masscan to scan the internet for open Docker API services at port 2375 and propagate the infection to those machines by repeating the same process of creating a container with the Base64 command.
Furthermore, the binary includes checks for two more ports: 23 (Telnet) and 9222 (remote debugging port for Chromium browsers), although the functionality to spread via those ports is yet to be fully fleshed out.
The Telnet attack method entails using a set of known, default routers and device credentials to brute-force logins and exfiltrate successful sign-in attempts to a webhook[.]site endpoint with details about the destination IP address and victim authentication credentials.
In the case of port 9222, the malware utilizes a Go library named chromedp to interact with the web browser. It has been previously weaponized by North Korean threat actors to communicate with C2 servers and even by stealer malware to bypass Chrome's app-bound encryption, connect remotely to Chromium sessions, and siphon cookies and other private data.
It then proceeds to attach to an existing session with the open remote port and ultimately send a POST to the same .onion domain used to retrieve the shell script downloader with information about the source IP address on which the malware is and the destination it found access to on port 9222.
The details are transmitted to an endpoint named "httpbot/add," raising the possibility that devices with exposed remote debugging ports for Chrome/Chromium could be enlisted into a botnet for delivering additional payloads that can steal data or be used to conduct distributed denial-of-service (DDoS) attacks.
"As the malware only scans for port 2375, the logic for handling ports 23 and 9222 is currently unreachable and will not be executed," Gilvarg said. "However, the implementation exists, which may indicate future capabilities."
"Attackers can gain significant control over systems affected by abused APIs. The importance of segmenting networks, limiting exposure of services to the internet, and securing default credentials cannot be overstated. By adopting these measures, organizations can significantly reduce their vulnerability to such threats."
Wiz Flags AWS SES Abuse Campaign
The disclosure comes as cloud security firm Wiz detailed an Amazon Simple Email Service (SES) campaign in May 2025 that leveraged compromised Amazon Web Services (AWS) access keys as a launchpad for a mass phishing attack.
It's currently not known how the keys were obtained. However, various methods exist by which an attacker can accomplish this: accidental public exposure in code repositories or through misconfigured assets, or theft from a developer workstation using stealer malware.
"The attacker used the compromised key to access the victim's AWS environment, bypass SES's built-in restrictions, verify new 'sender' identities, and methodically prepare and conduct a phishing operation," Wiz researchers Itay Harel and Hila Ramati said.
Wiz, which further probed the phishing campaign in partnership with Proofpoint, said the emails targeted several organizations spanning multiple geographies and sectors, and employed tax-themed lures to redirect recipients to credential harvesting pages.
"If SES is configured in your account, attackers can send email from your verified domains," Wiz cautioned. "Beyond brand damage, this enables phishing that looks like it came from you and can be used for spearphishing, fraud, data theft, or masquerading in business processes."
