Uncovering a Tor-Enabled Docker Exploit

    Date: 06/19/2025

    Severity: High

    Summary

    Attackers are abusing misconfigured (publicly reachable, unauthenticated) Docker remote APIs together with the Tor network to run covert cryptocurrency mining. Once they have created containers in the exposed environment, they route their payload downloads and check-ins over Tor to conceal the operation while deploying a crypto miner. A notable aspect of this campaign is the use of zstd, a compression tool based on the Zstandard algorithm, chosen for its speed and small output; the miner binary is served as a .zst archive (see the third URL in the IOC list). Cloud-reliant sectors, such as technology firms, financial institutions, and healthcare providers, are particularly at risk.
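    The misconfiguration this campaign depends on is a Docker daemon whose remote API is reachable over TCP without TLS client authentication (dockerd's conventional plaintext port is 2375). The script below is an added example for this advisory, not code from Trend Micro or Gurucul: it audits a dockerd configuration for that condition, showing the weak setting beside the corrected one. The daemon.json texts, command lines and certificate paths it uses are constructed samples.

```python
"""Audit a dockerd configuration for an exposed, unauthenticated remote API.

Added example for this advisory (not Trend Micro's or Gurucul's code). The
daemon.json texts and dockerd command lines below are constructed samples.
"""
import json
import shlex
from urllib.parse import urlsplit

# Bind addresses that make a tcp:// listener reachable from every interface.
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}

# Constructed weak configuration: the mistake this campaign scans for,
# a plaintext API listener on 0.0.0.0:2375 with no TLS and no client auth.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed hardened configuration: TLS with mandatory client certificates,
# bound to one internal address. Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def parse_dockerd_settings(daemon_json_text="", dockerd_cmdline=""):
    """Collect listener hosts and TLS flags from daemon.json and/or dockerd argv.

    Real dockerd refuses to start when the same key (e.g. hosts) is set in both
    places; this audit simply merges whatever it is given.
    """
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify"))
    tls = bool(cfg.get("tls")) or tlsverify   # --tlsverify implies --tls

    argv = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit_dockerd(daemon_json_text="", dockerd_cmdline=""):
    """Return a list of findings; an empty list means no exposed tcp listener."""
    hosts, tls, tlsverify = parse_dockerd_settings(daemon_json_text, dockerd_cmdline)
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are local and gated by file permissions
        bind = urlsplit(host).hostname
        where = "all interfaces" if bind in ALL_INTERFACES else bind
        if not tls:
            findings.append(f"{host}: plaintext API on {where}, no authentication")
        elif not tlsverify:
            findings.append(f"{host}: TLS on {where} but client certificates are not verified")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_dockerd(text) or "OK")
    print("flags", audit_dockerd("", "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"))
```

    On Linux the daemon file lives at /etc/docker/daemon.json and the command line in the systemd unit's ExecStart (or an override); feed both to the audit. The cleanest fix is still not to expose a tcp listener at all and to reach the daemon over the unix socket or SSH; where a TCP listener is required, tlsverify with a private CA and a host-firewall rule are the minimum.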

    Indicators of Compromise (IOC) List  

    Domains\URLs : 

    http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh

    http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add

    http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname -m).zst

    gulf.moneroocean.stream

    IP Address : 

    198.199.72.27

    Hash : 

    1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455

    04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad

    f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740

    b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs:

    domainname like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh" or url like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh" or siteurl like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh" or domainname like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add" or url like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add" or siteurl like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add" or domainname like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-%" or url like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-%" or siteurl like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-%" or domainname like "gulf.moneroocean.stream" or url like "gulf.moneroocean.stream" or siteurl like "gulf.moneroocean.stream"

    Note: the third IOC URL ends in $(uname -m).zst, which the dropper expands to the host architecture at download time (for example system-linux-x86_64.zst), so the query string for it was previously cut off at the space. It now matches the fixed prefix with a trailing % wildcard; the other URLs are matched in full.

    IP Address : 

    dstipaddress IN ("198.199.72.27") or srcipaddress IN ("198.199.72.27")

    Hash :

    sha256hash IN ("1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455","04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad","f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740","b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8")
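    For teams that do not run Gurucul TDIR, the following is an added Python equivalent of the three queries above, run over constructed sample records; it is not part of the advisory or of Trend Micro's research. It normalises hashes to lower case, matches the two .onion hostnames and the mining pool as domains as well as inside URLs, and matches the third URL by prefix because its $(uname -m) tail expands to the host architecture. Record 3 in the samples shares a path with an IOC but not the host, and is there to show that the path alone does not fire.

```python
"""Match this advisory's IOCs against normalised log records.

Added example (not Gurucul's query engine and not Trend Micro's code). The
records at the bottom are constructed samples.
"""
from urllib.parse import urlparse

ONION_A = "wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion"
ONION_B = "2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion"
POOL = "gulf.moneroocean.stream"

IOC_HOSTS = {ONION_A, ONION_B, POOL}
IOC_IPS = {"198.199.72.27"}
IOC_SHA256 = {
    "1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455",
    "04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad",
    "f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740",
    "b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8",
}
# (host, path prefix). The third advisory URL ends in "$(uname -m).zst", which the
# dropper expands to the host architecture at download time, so only its fixed
# prefix can be matched; the other two paths are exact.
IOC_URL_PREFIXES = (
    (ONION_A, "/static/docker-init.sh"),
    (ONION_A, "/bot/add"),
    (ONION_B, "/binary/system-linux-"),
)


def match_record(record):
    """Return the IOC hits for one record (dict with any of url, domain, src_ip, dst_ip, sha256)."""
    hits = []
    url = record.get("url")
    if url:
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = (parsed.hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append(f"host:{host}")
        for ioc_host, prefix in IOC_URL_PREFIXES:
            if host == ioc_host and parsed.path.startswith(prefix):
                hits.append(f"url:{ioc_host}{prefix}")
    domain = (record.get("domain") or "").lower().rstrip(".")
    if domain in IOC_HOSTS:
        hits.append(f"domain:{domain}")
    for key in ("src_ip", "dst_ip"):
        if record.get(key) in IOC_IPS:
            hits.append(f"{key}:{record[key]}")
    digest = (record.get("sha256") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256:{digest}")
    return hits


def scan(records):
    """Return (index, hits) for every record with at least one hit."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]


# Constructed sample records; record 3 shares a path with an IOC but not the
# host, so it must not fire.
SAMPLE_RECORDS = [
    {"url": f"http://{ONION_B}:9000/binary/system-linux-x86_64.zst"},
    {"domain": POOL, "dst_ip": "10.0.0.5"},
    {"sha256": "1BB95A02F1C12C142E4E34014412608668C56502F28520C07CAD979FA8EA6455"},
    {"url": "https://example.com/static/docker-init.sh"},
    {"dst_ip": "198.199.72.27"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(index, hits)
```

    Feed it whatever your pipeline already normalises (proxy, DNS, EDR file events) as dicts with those keys. Hits on the .onion hosts will only appear in DNS or proxy logs if the host itself resolved them; in this campaign the victim container runs Tor, so expect the more reliable signals to be the mining pool domain, the miner hashes, and outbound connections from containers to Tor relays.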

    Reference:

    https://www.trendmicro.com/en_us/research/25/f/tor-enabled-docker-exploit.html


    Tags

    Threat Actor, Cryptomining, Financial Services, Docker, Exploit, ZStandard Algorithm, Healthcare and Public Health
