{"id":29014,"date":"2025-05-28T13:47:20","date_gmt":"2025-05-28T13:47:20","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=29014"},"modified":"2025-05-28T13:47:20","modified_gmt":"2025-05-28T13:47:20","slug":"privacy-crypto-dero-targeted-with-new-self-spreading-malware","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=29014","title":{"rendered":"Privacy Crypto Dero Targeted With New Self-Spreading Malware"},"content":{"rendered":"<div>\n<p>A newly discovered Linux malware campaign is compromising unsecured Docker infrastructure worldwide, turning exposed servers into part of a decentralized cryptojacking network that mines the privacy coin Dero (DERO).<\/p>\n<p>According to a report by cybersecurity firm Kaspersky, the attack begins by exploiting publicly exposed Docker APIs over port 2375. Once access is gained, the malware spawns malicious containers and infects already-running ones, siphoning system resources to mine Dero and scanning for additional targets without requiring a central command server.<\/p>\n<p>In software terms, Docker is a set of applications, platform tools and products that use OS-level virtualization to deliver software in small packages called containers.<\/p>\n<p>The threat actor behind the operation deployed two Golang-based implants: one named \u201cnginx\u201d (a deliberate attempt to masquerade as the legitimate web server software), and another called \u201ccloud,\u201d which is the actual mining software used to generate Dero.<\/p>\n<p>Once a host was compromised, the nginx module continuously scanned the internet for more vulnerable Docker nodes, using tools like Masscan to identify targets and deploy new infected containers.<\/p>\n<p>\u201cThe entire campaign behaves like a zombie container outbreak,\u201d researchers wrote. \u201cOne infected node autonomously creates new zombies to mine Dero and spread further.
No external control is needed \u2014 just more misconfigured Docker endpoints.\u201d<\/p>\n<p>To avoid detection, the malware encrypts configuration data, including wallet addresses and Dero node endpoints, and hides itself under paths typically used by legitimate system software.<\/p>\n<p>Kaspersky identified the same wallet and node infrastructure used in earlier cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024, indicating an evolution of a known operation rather than a brand-new threat.<\/p>\n<p>In this case, however, the use of self-spreading worm logic and the absence of a central command server make it especially resilient and harder to shut down.<\/p>\n<p>As of early May, over 520 Docker APIs were publicly exposed over port 2375 worldwide \u2014 each one a potential target.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered Linux malware campaign is compromising unsecured Docker infrastructure worldwide, turning exposed servers into part of a decentralized cryptojacking network that mines the privacy coin Dero (DERO). According to a report by cybersecurity firm Kaspersky, the attack begins by exploiting publicly exposed Docker APIs over port 2375.
Once access is gained, the malware [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-29014","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/29014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29014"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/29014\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}