New Self-Spreading Malware Takes Aim at Privacy Coin Dero

A sophisticated Linux malware campaign is leveraging unsecured Docker infrastructure to form a decentralized cryptojacking network focused on mining Dero.

What to know:

  • A new Linux malware campaign is targeting unsecured Docker infrastructure to create a cryptojacking network mining Dero.
  • The attack exploits exposed Docker APIs on port 2375, using malicious containers to mine cryptocurrency and spread without a central server.
  • Kaspersky reports that the malware uses Golang-based implants and encrypts data to avoid detection, indicating an evolution of previous cryptojacking operations.

A recently uncovered Linux malware campaign is infiltrating unsecured Docker infrastructure worldwide, turning exposed servers into nodes of a decentralized cryptojacking network that mines the privacy coin Dero.

According to a report from cybersecurity firm Kaspersky, the attack begins by abusing Docker APIs that are publicly exposed on port 2375. After gaining access, the malware creates malicious containers and infects running ones, using their resources to mine Dero while autonomously hunting for further exposed hosts, with no central command server required.
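As an added defender-side example (not code from Kaspersky's report or from the article), the following Python audits a daemon.json-style Docker configuration for the exposure described above: a plain tcp:// listener without TLS client verification. The port defaults (2375 plain text, 2376 with TLS) follow Docker's documented conventions, and the certificate paths in the hardened sample are assumed placeholders.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener."""
import json
from urllib.parse import urlsplit

# dockerd's documented defaults when a tcp:// host carries no explicit port
# (assumption, see lead-in): 2375 for plain text, 2376 when TLS is enabled.
PLAIN_PORT, TLS_PORT = 2375, 2376
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(config: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for each tcp:// listener in a
    daemon.json-style dict; an empty list means no exposed API."""
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable remotely
        if tls_verify:
            continue  # mutual TLS: clients must present a CA-signed certificate
        port = url.port or (TLS_PORT if tls_verify else PLAIN_PORT)
        addr = url.hostname or "0.0.0.0"  # a bare "tcp://" binds every interface
        where = f"{addr}:{port}"
        if addr in LOOPBACK:
            findings.append(("low", f"unauthenticated API on loopback {where}"))
        else:
            findings.append(("critical",
                             f"unauthenticated Docker API reachable on {where}"))
    return findings


# Constructed configurations: the exposure the campaign abuses, and its fix.
EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def load_and_audit(path: str = "/etc/docker/daemon.json") -> list[tuple[str, str]]:
    """Audit a real daemon.json read from disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or "no findings")
```

Note that dockerd can also be started with `-H tcp://...` on the command line or in a systemd unit, which this file-based check does not see.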

The threat actor involved deployed two Golang-created implants, one named “nginx” (which pretends to be the legitimate web server software) and another dubbed “cloud,” which serves as the actual mining software used to generate Dero.

Once a host is compromised, the “nginx” module continuously scans the internet for additional vulnerable Docker nodes. It uses tools such as Masscan to locate targets and deploys new infected containers on them.

“The entire campaign operates like a zombie container outbreak,” researchers stated. “An infected node autonomously creates new zombies to mine Dero and disseminate further. No external control is necessary — only more misconfigured Docker endpoints.”

To evade detection, the malware encrypts its configuration data, including wallet addresses and Dero node endpoints, and hides itself under paths typically associated with legitimate system software.

Kaspersky found that the same wallet and node infrastructure used in earlier cryptojacking campaigns against Kubernetes clusters in 2023 and 2024 was reused here, which points to the ongoing evolution of an established operation rather than a fresh threat.

This time, however, the self-spreading worm logic and the absence of a central management server make the operation particularly resilient and hard to shut down.

As of early May, more than 520 Docker APIs were publicly exposed on port 2375 worldwide, each one a potential point of compromise.
