A newly discovered malware campaign is targeting Docker environments, employing a sophisticated, multi-layered obfuscation technique to evade detection and hijack compute resources for cryptojacking. Security researchers from Darktrace and Cado Security Labs have analyzed this campaign, revealing both the technical ingenuity of the attackers and the growing risks facing containerized infrastructure.

Docker, the leading containerization platform, is increasingly targeted by cybercriminals due to its widespread adoption and the ease with which containers can be deployed from public registries. Attackers exploit misconfigured or exposed Docker services to launch malicious containers, often using images hosted on Docker Hub. This campaign begins with a request to run a container from Docker Hub, specifically the kazutod/tene:ten image.

Security analysts used Docker's built-in tools to extract and analyze the image, uncovering a complex obfuscation scheme. While a single round of obfuscation is typically sufficient to bypass signature-based detection, the attacker's use of dozens of layers appears aimed at frustrating human analysts and automated tools alike.

The de-obfuscated code connects to teneo.pro, a legitimate Web3 startup that operates a decentralized social media data network. By running a node and sending continuous "keep-alive" pings, the malware earns "Teneo Points", private crypto tokens awarded for uptime and activity on the network.

Unlike traditional cryptojacking malware, which deploys tools like XMRig to mine cryptocurrency directly, this campaign takes a novel approach: it monetizes the hijacked host through the reward system of a legitimate service rather than through raw hashing. This allows attackers to profit without triggering the high CPU usage or mining-pool traffic that typically gives away a conventional miner. According to the report, the campaign highlights a broader trend: attackers are shifting from well-known mining tools, which are easily detected, to abusing legitimate decentralized platforms and reward systems.

As attackers continue to innovate, defenders must stay vigilant and adapt their security practices to protect containerized infrastructure from increasingly sophisticated threats.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
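The report says the payload was wrapped in dozens of obfuscation layers but the article does not describe the encoding used. The following is an added example, not code from the article or from the Darktrace/Cado researchers, showing how an analyst can peel such nesting mechanically instead of by hand. It assumes each layer is either base64 or zlib (an assumption; a real sample may use other encoders, and the dispatcher is the place to add them); `wrap`, `peel` and the sample payload are hypothetical names constructed for the demo, and the embedded "source" is a harmless stand-in, not the malware.

```python
"""Peel nested base64/zlib obfuscation layers from a captured payload.

Added example, not code from the article or the researchers' report.
ASSUMPTION: every layer is base64 or zlib. The loop stops when no decoder
applies, which for real payloads is when plain source text is reached.
"""
import base64
import binascii
import zlib

MAX_LAYERS = 200  # hard stop so a decoder loop cannot run forever


def _try_layer(data: bytes):
    """Return (layer_name, decoded_bytes) for the first decoder that
    applies, or None when the data is not a recognised wrapper."""
    # zlib: default-window streams start with 0x78; decompress() rejects
    # text that merely happens to begin with 'x' via its header check.
    if len(data) >= 2 and data[0] == 0x78:
        try:
            return "zlib", zlib.decompress(data)
        except zlib.error:
            pass
    # base64: validate=True rejects anything outside the alphabet, so
    # source code (spaces, parentheses, newlines) does not decode.
    try:
        decoded = base64.b64decode(data.strip(), validate=True)
        if decoded:
            return "base64", decoded
    except (binascii.Error, ValueError):
        pass
    return None


def peel(payload: bytes, max_layers: int = MAX_LAYERS):
    """Strip wrappers one at a time. Returns (layer_names, innermost_bytes),
    outermost layer first. Raises ValueError if max_layers is exceeded."""
    layers = []
    data = payload
    for _ in range(max_layers):
        step = _try_layer(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    else:
        raise ValueError(f"more than {max_layers} layers; giving up")
    return layers, data


def wrap(source: bytes, scheme):
    """Build a test payload by applying layers in the given order
    (the last name in `scheme` becomes the outermost layer)."""
    data = source
    for name in scheme:
        if name == "zlib":
            data = zlib.compress(data)
        elif name == "base64":
            data = base64.b64encode(data)
        else:
            raise ValueError(f"unknown layer {name!r}")
    return data


# Constructed stand-in for the inner script; NOT the real payload.
SAMPLE_SOURCE = b"import socket\nprint('keep-alive')\n"
# 24 alternating layers, zlib innermost, base64 outermost.
SAMPLE_SCHEME = ["zlib", "base64"] * 12
SAMPLE_PAYLOAD = wrap(SAMPLE_SOURCE, SAMPLE_SCHEME)


def main():
    layers, plain = peel(SAMPLE_PAYLOAD)
    print(f"peeled {len(layers)} layers: {' > '.join(layers)}")
    print(plain.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    main()
```

The stop condition is "nothing decodes any further", not a guess at a layer count, which is what makes the approach indifferent to whether an attacker used three layers or sixty; the cap exists only to bound a malformed or adversarial input. Run it on a real sample by reading the extracted file into `peel` instead of `SAMPLE_PAYLOAD`, and inspect the innermost bytes in a sandbox rather than executing them.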
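The campaign depends on two things a defender can check for directly: a Docker daemon reachable over unauthenticated TCP, and containers being created from images nobody approved (here, kazutod/tene:ten). The script below is an added example, not code from the article or the researchers. It assumes the daemon configuration has the standard /etc/docker/daemon.json shape (`hosts`, `tlsverify`) and that the event lines follow the JSON emitted by `docker events --format '{{json .}}'`; both inputs are constructed for the demo, and `ALLOWED_IMAGES` is a placeholder for a real image allowlist.

```python
"""Flag the two preconditions of this campaign on a Docker host.

Added example, not from the article or the researchers. ASSUMPTIONS:
daemon.json uses the documented "hosts"/"tlsverify" keys, and event lines
are `docker events --format '{{json .}}'` output. Inputs are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed daemon.json: API bound to every interface on 2375, no TLS.
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}"""

# Constructed event lines: one expected workload, then a pull and a
# container create for the image named in the article.
SAMPLE_EVENTS = """\
{"status":"create","from":"nginx:1.25","Type":"container","Action":"create","Actor":{"ID":"a1","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1745408400}
{"status":"pull","Type":"image","Action":"pull","Actor":{"ID":"kazutod/tene:ten","Attributes":{"name":"kazutod/tene"}},"time":1745408410}
{"status":"create","from":"kazutod/tene:ten","Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":{"image":"kazutod/tene:ten","name":"ten"}},"time":1745408411}
"""

# Placeholder allowlist; a real one comes from your deployment manifests.
ALLOWED_IMAGES = {"nginx:1.25"}


def exposed_tcp_listeners(daemon_json: str):
    """Return every tcp:// listener in daemon.json that is not protected by
    client-certificate verification. An empty list means nothing to fix."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []  # mutual TLS on; the TCP listener is authenticated
    return [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]


def unapproved_container_events(event_lines: str, allowed=ALLOWED_IMAGES):
    """Return (action, image, container_name) for every container
    create/start event whose image is outside the allowlist."""
    hits = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") not in ("create", "start"):
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        # Container events carry the image both as "from" and as
        # Actor.Attributes.image; prefer the attribute, fall back to "from".
        image = attrs.get("image") or ev.get("from", "")
        if image not in allowed:
            hits.append((ev["Action"], image, attrs.get("name", "")))
    return hits


def main():
    for host in exposed_tcp_listeners(SAMPLE_DAEMON_JSON):
        print(f"[!] unauthenticated Docker API listener: {host}")
    for action, image, name in unapproved_container_events(SAMPLE_EVENTS):
        print(f"[!] container {action} from unapproved image {image} (name={name})")


if __name__ == "__main__":
    main()
```

The daemon check is the one that matters most: with 2375 open and `tlsverify` unset, anyone on the network can issue the same "run this image from Docker Hub" request the attackers did. The event check is a cheap second line: a low-CPU container that does nothing but send keep-alive pings will not show up on a resource-usage alert, so the image name at creation time is a better signal than load.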
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 23 Apr 2025 11:40:09 +0000