SEC Task Force Chief Says Crypto Traders Need to be Growups, Not Cry to Government
Privacy Crypto Dero Targeted With New Self-Spreading Malware
- News In 4 Seconds
Shaurya Malwa
- 0
- 17 minutes read
BTC
$108,710.80
–
0.98%
ETH
$2,675.65
+
0.63%
USDT
$1.0002
+
0.00%
XRP
$2.3030
–
1.26%
BNB
$686.89
–
0.41%
SOL
$173.86
–
2.28%
USDC
$0.9996
+
0.00%
DOGE
$0.2229
–
2.61%
ADA
$0.7576
–
1.04%
TRX
$0.2753
+
0.16%
SUI
$3.6957
+
1.69%
HYPE
$35.06
–
6.99%
LINK
$15.94
+
0.24%
AVAX
$23.50
–
0.03%
XLM
$0.2879
–
0.60%
TON
$3.4541
+
14.58%
SHIB
$0.0₄1434
–
1.33%
LEO
$9.0679
+
2.95%
BCH
$416.81
–
1.07%
HBAR
$0.1868
–
1.45%
Share this article
By Shaurya Malwa|Edited by Stephen Alpher
May 28, 2025, 1:11 p.m.
- A new Linux malware campaign is targeting unsecured Docker infrastructure to create a cryptojacking network mining Dero.
- The attack exploits exposed Docker APIs on port 2375, using malicious containers to mine cryptocurrency and spread without a central server.
- Kaspersky reports that the malware uses Golang-based implants and encrypts data to avoid detection, indicating an evolution of previous cryptojacking operations.
A newly discovered Linux malware campaign is compromising unsecured Docker infrastructure worldwide, turning exposed servers into part of a decentralized cryptojacking network that mines the privacy coin Dero .
STORY CONTINUES BELOW
Don’t miss another story.Subscribe to the The Protocol Newsletter today.See all newslettersBy signing up, you will receive emails about CoinDesk products and you agree to ourterms of useandprivacy policy.
According to a report by cybersecurity firm Kaspersky, the attack begins by exploiting publicly exposed Docker APIs over port 2375. Once access is gained, the malware spawns malicious containers. It infects already-running ones, siphoning system resources to mine Dero and scan for additional targets without requiring a central command server.
In software terms, a docker is a set of applications or platform tool and products that use OS-level virtualization to deliver software in small packages called containers.
The threat actor behind the operation deployed two Golang-based implants: one named “nginx” (a deliberate attempt to masquerade as the legitimate web server software), and another called “cloud,” which is the actual mining software used to generate Dero.
Once a host was compromised, the nginx module continuously scanned the internet for more vulnerable Docker nodes, using tools like Masscan to identify targets and deploy new infected containers.
“The entire campaign behaves like a zombie container outbreak,” researchers wrote. “One infected node autonomously creates new zombies to mine Dero and spread further. No external control is needed — just more misconfigured Docker endpoints.”
To avoid detection, it encrypts configuration data, including wallet addresses and Dero node endpoints, and hides itself under paths typically used by legitimate system software.
Kaspersky identified the same wallet and node infrastructure used in earlier cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024, indicating an evolution of a known operation rather than a brand-new threat.
In this case, however, the use of self-spreading worm logic and the absence of a central command server make it especially resilient and harder to shut down.
As of early May, over 520 Docker APIs were publicly exposed over port 2375 worldwide — each one a potential target.
Shaurya is the Co-Leader of the CoinDesk tokens and data team in Asia with a focus on crypto derivatives, DeFi, market microstructure, and protocol analysis.
Shaurya holds over $1,000 in BTC, ETH, SOL, AVAX, SUSHI, CRV, NEAR, YFI, YFII, SHIB, DOGE, USDT, USDC, BNB, MANA, MLN, LINK, XMR, ALGO, VET, CAKE, AAVE, COMP, ROOK, TRX, SNX, RUNE, FTM, ZIL, KSM, ENJ, CKB, JOE, GHST, PERP, BTRFLY, OHM, BANANA, ROME, BURGER, SPIRIT, and ORCA.
He provides over $1,000 to liquidity pools on Compound, Curve, SushiSwap, PancakeSwap, BurgerSwap, Orca, AnySwap, SpiritSwap, Rook Protocol, Yearn Finance, Synthetix, Harvest, Redacted Cartel, OlympusDAO, Rome, Trader Joe, and SUN.
