According to ChainCatcher and CoinDesk, a new Linux malware is attacking unprotected Docker infrastructure globally, transforming exposed servers into a decentralized network for mining the privacy coin Dero. The malware attacks exposed Docker APIs through port 2375, deploying Golang implants, one disguised as the web server software nginx and another named "cloud" for mining. After infection, nodes autonomously scan the internet for new targets and deploy infected containers without a central control server.
As of early May, over 520 Docker APIs were publicly exposed through port 2375, all of them attack targets. Research shows that the wallet and node infrastructure used in this attack are the same as those used in attacks against Kubernetes clusters in 2023 and 2024.
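For operators who want to check their own hosts for the exposure described above, the following added example (not part of the original report) audits a Docker `daemon.json` for TCP listeners that accept connections without client-certificate verification. The sample configurations and file paths in it are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample daemon.json documents (not taken from any real host).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'
LOOPBACK_TCP = '{"hosts": ["tcp://127.0.0.1:2375"]}'
TLS_PROTECTED = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",           # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(text):
    """Return (listener, verdict) pairs for every TCP listener in daemon.json."""
    cfg = json.loads(text)
    # Clients are only authenticated when tlsverify is on and a CA is configured;
    # "tls": true alone encrypts the channel but lets any client connect.
    mutual_tls = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlparse(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network listeners
        # An empty host part ("tcp://:2375") binds every interface.
        addr = url.hostname or "0.0.0.0"
        if mutual_tls:
            verdict = "ok: client certificate required"
        elif addr in LOOPBACK:
            verdict = "warn: unauthenticated, loopback only"
        else:
            verdict = "EXPOSED: unauthenticated and network-reachable"
        findings.append((listener, verdict))
    return findings


if __name__ == "__main__":
    for name in ("EXPOSED", "LOCAL_ONLY", "LOOPBACK_TCP", "TLS_PROTECTED"):
        print(name, audit_daemon_config(globals()[name]))
```

Listeners can also be set with the `-H`/`--host` flags on the `dockerd` command line, so a clean `daemon.json` should be confirmed against the running process and the host's listening sockets.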


