Hackers hide behind Tor in exposed Docker API breaches
A threat actor targeting exposed Docker APIs has updated its malicious tooling with more dangerous functionality that could lay the foundation for a complex botnet.
The activity was first reported in June by cybersecurity company Trend Micro. whose researchers analyzed scripts and malicious code that dropped a cryptominer and relied on the Tor network to hide their identity.
Akamai researchers discovered new tooling that does not deploy a miner but a more complex payload that can block access to compromised Docker APIs.
Infection chain
The attackers search for exposed Docker API (port 2375) on a vulnerable host and send a container creation request using a modified Alpine Linux image that includes a base64-encoded shell command.
The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy.
Once Tor is active, the container downloads and executes a second-stage shell script (docker-init.sh) from a Tor hidden service using curl.
The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem.
It writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available (iptables, nftables, ufw, etc.).
Additionally, it installs tools like masscan, zstd, libpcap, and torsocks to support scanning, propagation, and evasion.
Next, the malware downloads a Zstandard-compressed Go binary (system-linux-ARCH.zst) over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it.
The Go binary functions as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to identify logged-in users.
Botnet building behavior
The binary scans for other exposed Docker APIs, attempts to infect them via the same container creation method, and removes competitor containers after gaining access.
This self-replication mechanism is a core trait of botnet agents that typically infect new nodes autonomously, without requiring external direction.
Akamai highlights the presence of inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222).
This suggests potential future expansion opportunities for credential theft, browser session hijacking, remote file download, and distributed denial-of-service (DDoS) attacks.
“Some of the underlying mechanisms lead us to believe this variant is an initial version of a complex botnet,” Akamai's researchers say, noting that they “have not found a complete version of it so far.”
Akamai’s discovery shows evolution from opportunistic Docker exploitation into a multi-vector threat with capabilities for lateral movement, persistence, and (dormant for now) options for credential theft and browser hijacking.
