Attack Chain Analysis: Misconfigured Docker APIs + Tor + XMRig = Perfect Cryptojacking Storm
Hackers are exploiting misconfigured Docker APIs to spin up stealthy Tor-powered cryptojacking operations
This document analyzes a sophisticated cryptojacking attack that exploits misconfigured Docker APIs to deploy stealthy, Tor-powered mining operations. The attack leverages container escape techniques, SSH backdoors, and network reconnaissance tools to establish long-term persistence and maximize profits, all while remaining hidden from typical security monitoring. The analysis also highlights the risks of exposed secrets in public code repositories, further compounding the threat landscape.
In a chilling reminder of what can go wrong in the cloud, hackers are exploiting misconfigured Docker APIs to spin up stealthy Tor-powered cryptojacking operations—right under the radar of DevOps and security teams.
Let’s break down this sophisticated attack step-by-step.
Stage 1: Entry via Misconfigured Docker API
The attack starts innocently enough—with a scan.
Attacker probes for misconfigured Docker APIs (especially those exposed on port 2375).
A request is made from IP 198.199.72[.]27 to enumerate all running containers on the target.
If no containers are active, the attacker seizes the opportunity and spins up a new one.
Stage 2: Weaponizing a New Container
A lightweight Alpine image is used—fast and minimal.
But here’s the kicker:
The attacker mounts the
/hostrootdirectory—giving the container access to the host machine's root filesystem.This move sets up potential for container escape and deeper infiltration.
Stage 3: Going Dark with Tor
To cloak their operations:
A Base64-encoded shell script is executed inside the container.
It sets up Tor, masking communication and pulling in the real payload from a
.onionaddress:
`wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion`socks5his used to ensure all traffic (including DNS) flows through Tor, enhancing anonymity.
Stage 4: Establishing Persistence
With the container live, the attacker executes a script (docker-init.sh) to:
Detect the
/hostrootmount.Modify the SSH configuration on the host to:
Enable root login.
Insert an attacker-controlled SSH public key into
~/.ssh/authorized_keys.
Now, they have remote root access to the host.
Stage 5: Installing Tools for Recon and Mining
The container is further equipped with:
masscan– for network reconnaissance.libpcapandzstd– for packet capturing and compression.torsocks– to route command-and-control traffic via Tor.
And finally, the XMRig miner is dropped along with:
Mining config files
Wallet addresses
Mining pool URLs
🎯 Targets and Impact
The campaign, observed by Trend Micro, is not scattershot. It targets:
Tech companies
Financial services
Healthcare orgs
…where unguarded cloud infrastructure and high compute power make for perfect cryptojacking victims.
💡 Bonus Threat: Secrets in Public Repos
As if that wasn’t enough, Wiz found hundreds of exposed secrets in .env, mcp.json, and Jupyter notebooks on GitHub—many linked to Fortune 100 companies.
That includes:
API keys
Cloud credentials
AI agent configs
Even code execution results that can leak internal business logic and reconnaissance data.
🔍 TL;DR – Key Takeaways
Misconfigured Docker APIs are an open invitation for attackers.
Mounting host directories inside containers is a dangerous privilege escalation vector.
Tor + cryptominers + SSH backdoors = long-term persistence with low visibility.
Public code leaks, even in AI notebooks, are the cherry on top for attackers.
🔐 Defend Your Cloud
Always restrict and secure Docker API access.
Never mount host root inside containers unless absolutely necessary.
Monitor network traffic for Tor connections.
Regularly audit public code repositories for secrets and credentials.
Cloud is not inherently secure—configuration is king.
One misstep, and you could be financing a hacker’s Monero wallet for months.