
Kaspersky uncovers Dero crypto miner spreading via exposed container environments
Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerized environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs — components of Docker, an open-source container development platform. In 2025, a significant number of Docker API default ports are insecurely published, accounting for almost 500 occurrences worldwide on average each month. In the discovered campaign, cybercriminals inject two types of malware into the compromised systems: one is the miner itself and the other is a propagation malware that can spread the campaign to other insecure container networks.
Kaspersky experts discovered this malicious campaign as part of a compromise assessment project. According to expert estimates, any organization that operates containerized infrastructure — while exposing Docker APIs without robust security controls — can be a potential target. These may include technology companies, software development firms, hosting providers, cloud service providers and more enterprises.
According to Shodan, in 2025, there are 485 published Docker API default ports [1] worldwide each month on average. This figure illustrates the campaign's potential attack surface by tallying the 'entry points' — or insecurely exposed ports that attackers might target.
Once attackers identify an insecurely published Docker API, they either compromise existing containers or create new malicious ones based on a legitimate standard Ubuntu image. They then inject two malware types into the compromised containers: 'nginx' and 'cloud'. The latter is a Dero cryptocurrency miner, while 'nginx' is malicious software that maintains persistence, ensures execution of the miner and scans for other exposed environments. This malware allows attackers to operate without traditional Command-and-Control (C2) servers; instead, each infected container independently scans the internet and can spread the miner to new targets.
An infection chain scheme
'The campaign has the potential for exponential growth of infections, with each compromised container acting as a new source of attack, if security measures are not immediately put in place in the potentially targeted networks,' explains Amged Wageh, an incident response and a compromise assessment expert at Kaspersky Security Services. 'Containers are foundational to software development, deployment, and scalability. Their widespread use across cloud-native environments, DevOps, and microservices architectures makes them an attractive target for cyber attackers. This growing reliance demands organizations adopt a 360-degree approach to security — combining robust security solutions with proactive threat hunting and regular compromise assessments.'
The attackers embedded the names 'nginx' and 'cloud' directly in the binary — an executable file made up of machine instructions and data meant for the processor rather than for human reading. This is a classic masquerading tactic that lets the payload pose as a legitimate tool, trying to deceive both analysts and automated defenses.
To mitigate against container-related threats, Kaspersky recommends:
Companies that use Docker APIs should immediately review the security of any potentially exposed infrastructure — specifically, refrain from publishing the Docker APIs unless there is an operational need and consider securing the published Docker APIs via TLS.
Uncover active cyberattacks and previously unknown attacks that flew under the radar with Kaspersky Compromise Assessment.
Containerization is the most popular application development method at the moment. But risks can emerge in each component of a container's infrastructure and may heavily impact business processes. The protection of containerized environments is crucial and requires specialized security solutions. Kaspersky Container Security provides security for all stages of containerized application development. Besides the development process, the solution protects runtime, for example, it controls the launch of only trusted containers, the operation of the applications and services inside the containers and monitors the traffic.
Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and get additional expertise even if a company lacks cybersecurity workers.
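As an added, defender-side illustration of the two points above (the exposed-API condition the campaign relies on, and the Ubuntu-image containers running binaries named 'nginx' and 'cloud'), the following Python is not Kaspersky's code: it audits a constructed daemon.json for an unauthenticated TCP listener and flags containers that match the described pattern. The daemon.json keys are Docker's own; the container record fields ("name", "image", "processes") and the hunting heuristic are assumptions for this example.

```python
"""Audit helpers for the Docker API exposure described above (added example)."""
import json


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json that publishes the Docker API over TCP."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        ip = host[len("tcp://"):].rpartition(":")[0]
        if ip in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: API bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        elif not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA/cert/key incomplete")
    return findings


def hunt_suspicious_containers(containers: list[dict]) -> list[str]:
    """Flag stock-Ubuntu containers whose processes are named 'nginx' or 'cloud'.

    Constructed heuristic: a real nginx deployment normally uses the nginx image,
    so an 'nginx' or 'cloud' binary inside a plain ubuntu image is worth a look.
    """
    hits = []
    for c in containers:
        image = c["image"].split(":")[0]
        names = {p.split()[0].rsplit("/", 1)[-1] for p in c["processes"]}
        matched = sorted(names & {"nginx", "cloud"})
        if image == "ubuntu" and matched:
            hits.append(f"{c['name']}: {image} image running {matched}")
    return hits


# Constructed sample inputs: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
SAMPLE_CONTAINERS = [  # constructed inventory, as if from `docker ps` / `docker top`
    {"name": "web", "image": "nginx:1.27", "processes": ["nginx: master process"]},
    {"name": "build-7f3a", "image": "ubuntu:22.04", "processes": ["/usr/bin/nginx", "/usr/bin/cloud", "/bin/sh"]},
    {"name": "ci-runner", "image": "ubuntu:22.04", "processes": ["/bin/bash", "python3"]},
]
```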
The full technical analysis is available on Securelist. Kaspersky products detect these malicious implants with the following verdicts: Trojan.Linux.Agent.gen and RiskTool.Linux.Miner.gen.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them.
