
Kaspersky uncovers Dero crypto miner spreading via exposed container environments
Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerized environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs — parts of Docker, an open-source container development platform. In 2025, a significant number of Docker API default ports are insecurely published: almost 500 occurrences worldwide on average each month. In the discovered campaign, cybercriminals inject two types of malware into the compromised systems: one is the miner itself and the other is a propagation malware that can spread the campaign to other insecure container networks.
Kaspersky experts discovered this malicious campaign as part of a compromise assessment project. According to expert estimates, any organization that operates containerized infrastructure — while exposing Docker APIs without robust security controls — can be a potential target. These may include technology companies, software development firms, hosting providers, cloud service providers and more enterprises.
According to Shodan, in 2025, there are 485 published Docker API default ports worldwide each month on average. This figure illustrates the campaign's potential attack surface by tallying the 'entry points' — or insecurely exposed ports that attackers might target.
Once attackers identify an insecurely published Docker API, they either compromise existing containers or create new malicious ones based on a legitimate standard Ubuntu image. They then inject two malware types into the compromised containers: 'nginx' and 'cloud'. The latter is a Dero cryptocurrency miner, while 'nginx' is malicious software that maintains persistence, ensures execution of the miner and scans for other exposed environments. This malware allows attackers to operate without traditional Command-and-Control (C2) servers; instead, each infected container independently scans the internet and can spread the miner to new targets.
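The pattern just described (a binary named 'nginx' or 'cloud' running in a container built from a plain Ubuntu image) can be turned into a triage check over `docker inspect` output. The helper below is an added example written for this article, not Kaspersky's tooling or code from the report; the sample records are constructed, and the heuristic (suspicious name plus base image) is an assumption about how a defender would narrow the search.

```python
import json
from dataclasses import dataclass

# Names the report says were embedded in the implants, and the base image
# the attackers built their containers from.
SUSPICIOUS_BINARIES = {"nginx", "cloud"}
BASE_IMAGES = {"ubuntu"}


@dataclass
class Finding:
    container: str
    image: str
    cmd: str
    reason: str


def _image_repo(ref: str) -> str:
    """'docker.io/library/ubuntu:22.04' -> 'ubuntu' (drops registry, tag, digest)."""
    name = ref.split("@", 1)[0].rsplit("/", 1)[-1]
    return name.split(":", 1)[0]


def triage(inspect_json: str) -> list[Finding]:
    """Flag containers whose launch command is one of the suspicious binary
    names while the image is a plain base image (no service would normally
    be started that way). Input is the JSON array `docker inspect` prints."""
    findings: list[Finding] = []
    for c in json.loads(inspect_json):
        conf = c.get("Config", {})
        argv = (conf.get("Entrypoint") or []) + (conf.get("Cmd") or [])
        if not argv:
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        repo = _image_repo(conf.get("Image", ""))
        if exe in SUSPICIOUS_BINARIES and repo in BASE_IMAGES:
            findings.append(Finding(
                container=c.get("Name", "").lstrip("/"),
                image=conf.get("Image", ""),
                cmd=" ".join(argv),
                reason=f"binary named '{exe}' started directly from base image '{repo}'",
            ))
    return findings


# Constructed sample in `docker inspect` shape; not data from the report.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-front", "Config": {"Image": "nginx:1.27",
     "Entrypoint": ["/docker-entrypoint.sh"], "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/x7k2", "Config": {"Image": "ubuntu:22.04",
     "Entrypoint": None, "Cmd": ["/usr/bin/nginx"]}},
    {"Name": "/build-shell", "Config": {"Image": "ubuntu:22.04",
     "Entrypoint": None, "Cmd": ["/bin/bash"]}},
    {"Name": "/p9q1", "Config": {"Image": "docker.io/library/ubuntu",
     "Entrypoint": ["/tmp/cloud"], "Cmd": None}},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_INSPECT):
        print(f"{f.container}: {f.image} -> {f.cmd} ({f.reason})")
```

On a live host, feed it the output of `docker inspect $(docker ps -aq)`; hits are a starting point for a compromise assessment, not proof of infection.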
Figure: An infection chain scheme
'The campaign has the potential for exponential growth of infections, with each compromised container acting as a new source of attack, if security measures are not immediately put in place in the potentially targeted networks,' explains Amged Wageh, an incident response and compromise assessment expert at Kaspersky Security Services. 'Containers are foundational to software development, deployment, and scalability. Their widespread use across cloud-native environments, DevOps, and microservices architectures makes them an attractive target for cyber attackers. This growing reliance demands organizations adopt a 360-degree approach to security — combining robust security solutions with proactive threat hunting and regular compromise assessments.'
The attackers embedded the names 'nginx' and 'cloud' directly in the binary — a compiled executable file composed of instructions and data for the processor, not for humans. This is a classic masquerading tactic that lets the payload pose as a legitimate tool and deceive both analysts and automated defenses.
To mitigate container-related threats, Kaspersky recommends:
● Companies that use Docker APIs should immediately review the security of any potentially exposed infrastructure — specifically, refrain from publishing the Docker APIs unless there is an operational need, and secure any published Docker APIs via TLS.
● Uncover active cyberattacks and previously unknown attacks that flew under the radar with Kaspersky Compromise Assessment.
● Containerization is the most popular application development method at the moment, but risks can emerge in each component of a container's infrastructure and may heavily impact business processes. The protection of containerized environments is crucial and requires specialized security solutions. Kaspersky Container Security provides security for all stages of containerized application development. Beyond the development process, the solution also protects the runtime: for example, it allows only trusted containers to launch, controls the operation of applications and services inside the containers, and monitors traffic.
● Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and get additional expertise even if a company lacks cybersecurity workers.
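The first recommendation (do not publish the Docker API without need, and put TLS in front of it when you do) can be checked mechanically against the daemon's own configuration. The audit helper below is an added example for this article, not Kaspersky's code; the weak and hardened `daemon.json` samples are constructed, and the severity labels are this example's own convention. It relies on the documented Docker daemon keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` (the plain-TCP default port is 2375, the TLS one 2376).

```python
import json
from urllib.parse import urlsplit

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
WILDCARD_BINDS = {"0.0.0.0", "::"}


def audit_daemon_json(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) for every Docker API listener in a
    daemon.json that is reachable over the network without the protections
    recommended above. unix:// and fd:// sockets are skipped as local-only."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    missing = [k for k in TLS_KEYS if not cfg.get(k)]
    findings: list[tuple[str, str]] = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue
        if not tls_verify:
            findings.append(("CRITICAL", f"{host}: API published over plain TCP; "
                             "anyone who can reach this port can create containers"))
        elif missing:
            findings.append(("HIGH", f"{host}: tlsverify is set but {', '.join(missing)} "
                             "are not configured, so client certificates cannot be verified"))
        if url.hostname in WILDCARD_BINDS:
            findings.append(("INFO", f"{host}: bound on all interfaces; restrict the bind "
                             "address or firewall the port if publishing is really needed"))
    return findings


# Constructed samples: the exposure the campaign looks for, and a hardened config.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for severity, message in audit_daemon_json(sample) or [("OK", "no network exposure found")]:
            print(f"  {severity}: {message}")
```

Hosts given only on the `dockerd` command line or in a systemd unit are not in `daemon.json`, so check those sources too before concluding the API is not published.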
The full technical analysis is available on Securelist. Kaspersky products detect these malicious implants with the following verdicts: Trojan.Linux.Agent.gen and RiskTool.Linux.Miner.gen.
