2025-07-03

Docker Abuse Campaign Uses Tor, zstd to Deploy XMRig in Cloud Hosts

Level: Tactical | Source: Trend Micro
Sectors: Financial, Healthcare, Technology

Misconfigurations in cloud environments continue to give threat actors a way into organizations: a cryptocurrency mining campaign is targeting organizations running containerized infrastructure by exploiting exposed Docker Remote APIs to deploy the XMRig miner. According to a report from Trend Micro, attackers gain access through misconfigured Docker instances and then run a sequence of actions that uses tools such as Tor and zstd to achieve stealth and persistence. While Trend Micro notes that “any organization using containerized applications is potentially vulnerable,” its researchers identified financial services, healthcare, and technology as prominent target verticals given their heavy reliance on such infrastructure. Tor routes the attacker's traffic anonymously, while zstd makes payload delivery compact and efficient; together they contribute to the campaign’s evasion and success.

The attack sequence begins with a request that lists active containers on a vulnerable Docker Remote API server. Upon confirming that no containers are running, the attacker issues a POST request to create a new Alpine-based container that mounts the host root directory (/) into the container with read-write access. This setup allows direct manipulation of host system files. A base64-encoded payload passed to the container installs and launches the Tor service, which is then used to fetch and execute a secondary script from a hidden [.]onion service. As noted by Trend Micro, the attacker routes all traffic and DNS queries through Tor using the “socks5h” proxy scheme (a SOCKS5 variant in which hostname resolution is performed by the proxy rather than the client, so no DNS lookups leave the host in the clear), a method designed to evade detection by hiding network behavior from traditional monitoring tools.
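The create request described above is visible to anyone logging the Docker API, for instance at a reverse proxy or audit log in front of the daemon. The following detector is an added example (not Trend Micro's or Anvilogic's tooling): it scans constructed request records of an assumed shape (source, method, path, body) and flags container-create calls that bind-mount the host root read-write, request a privileged container, or pass a base64-decoded payload into a shell.

```python
"""Flag Docker Remote API container-create requests that match the abuse
pattern described in the report. The record shape and the sample log are
constructed for this example; real records would come from a proxy or
audit log placed in front of the Docker daemon."""
import json
import re

# Constructed sample log: a listing call from the attacker, a create with the
# host root bind-mounted read-write, and a benign create from another host.
SAMPLE_LOG = [
    {"src": "203.0.113.7", "method": "GET", "path": "/v1.43/containers/json", "body": ""},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/create",
     "body": json.dumps({
         "Image": "alpine",
         "Cmd": ["sh", "-c", "echo aGVsbG8= | base64 -d | sh"],
         "HostConfig": {"Binds": ["/:/mnt:rw"], "Privileged": False},
     })},
    {"src": "198.51.100.9", "method": "POST", "path": "/v1.43/containers/create",
     "body": json.dumps({
         "Image": "nginx:1.27",
         "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     })},
]

# Bind syntax is host_path:container_path[:options]; match only host path "/".
HOST_ROOT_RE = re.compile(r"^/:(?P<dst>[^:]+)(?::(?P<opts>.*))?$")


def host_root_mount(binds):
    """Return the first bind string that mounts the host root read-write.
    Docker treats a bind without options as rw, so '/:/mnt' is flagged
    as well as '/:/mnt:rw'; '/:/mnt:ro' is not."""
    for bind in binds or []:
        m = HOST_ROOT_RE.match(bind)
        if m and "ro" not in (m.group("opts") or "").split(","):
            return bind
    return None


def suspicious_command(cmd):
    """True when the command decodes base64 and pipes the result into a shell,
    the delivery technique the report describes."""
    joined = " ".join(cmd or [])
    return bool(re.search(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b", joined))


def analyze(records):
    """Return findings as (source, reason, evidence) tuples."""
    findings = []
    for rec in records:
        # API paths are version-prefixed (/v1.xx/...), so match on the suffix.
        if rec["method"] != "POST" or not rec["path"].endswith("/containers/create"):
            continue
        try:
            spec = json.loads(rec["body"]) if rec["body"] else {}
        except json.JSONDecodeError:
            findings.append((rec["src"], "unparseable create body", rec["body"][:80]))
            continue
        host_cfg = spec.get("HostConfig", {})
        bind = host_root_mount(host_cfg.get("Binds"))
        if bind:
            findings.append((rec["src"], "host root bind-mounted read-write", bind))
        if host_cfg.get("Privileged"):
            findings.append((rec["src"], "privileged container requested", spec.get("Image")))
        if suspicious_command(spec.get("Cmd")):
            findings.append((rec["src"], "base64-decoded payload piped to shell",
                             " ".join(spec["Cmd"])))
    return findings


if __name__ == "__main__":
    for src, reason, evidence in analyze(SAMPLE_LOG):
        print(f"{src}: {reason} [{evidence}]")
```

A read-only mount of the host root is still worth reviewing, but the read-write case is what enables the SSH and authorized_keys changes described in the next paragraph, so the rule keeps the two apart.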

The malicious script delivered via Tor performs several host-level modifications. It adjusts SSH configurations to allow root access and appends a public SSH key "to the host’s authorized_keys file for establishing persistent backdoor access." Additional utilities are installed, including masscan for scanning network ports and gaining the necessary context for lateral movement, libpcap libraries for traffic capture, zstd for payload decompression, and torsocks to route traffic through the Tor network. The script then sends a beacon containing system metadata to the attacker’s command-and-control server hosted on the Tor network, confirming successful compromise. Following this, the script downloads a Zstandard-compressed binary, decompresses it, changes execution permissions with "chmod", and launches it. This binary functions as a dropper for the XMRig miner, embedding wallet addresses and mining configuration parameters internally for streamlined deployment.
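The SSH changes above are a good place to detect the compromise on the host itself. The following added example (not part of the Trend Micro report) compares the relevant host state, PermitRootLogin and PasswordAuthentication in sshd_config plus the key set in root's authorized_keys, against a known-good baseline; the file contents below are constructed, and in practice the current copies would be read from the host and the baseline kept off-host.

```python
"""Detect drift in sshd_config and authorized_keys against a baseline.
Added example; all file contents below are constructed stand-ins for
/etc/ssh/sshd_config and /root/.ssh/authorized_keys."""
import re

BASELINE_SSHD = """Port 22
PermitRootLogin no
PasswordAuthentication no
"""
# Constructed "after" state: root login enabled, as the report describes.
CURRENT_SSHD = """Port 22
PermitRootLogin yes
PasswordAuthentication no
"""
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKey admin@bastion\n"
# Constructed appended key; the key material is a placeholder, not a real IoC.
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderKey unknown\n"


def sshd_options(text):
    """Parse sshd_config into {option: value}. sshd honours the first
    occurrence of an option, so later duplicates are ignored here too."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def key_set(text):
    """Return the set of (type, key) pairs. The comment field is ignored so
    that renaming a comment can neither mask nor fake a change."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#"):
            keys.add((parts[0], parts[1]))
    return keys


def drift(baseline_sshd, current_sshd, baseline_keys, current_keys):
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    base, cur = sshd_options(baseline_sshd), sshd_options(current_sshd)
    for opt in ("permitrootlogin", "passwordauthentication"):
        if base.get(opt) != cur.get(opt):
            findings.append(f"sshd_config {opt}: {base.get(opt)} -> {cur.get(opt)}")
    added = key_set(current_keys) - key_set(baseline_keys)
    for ktype, key in sorted(added):
        findings.append(f"authorized_keys: new {ktype} key ending ...{key[-12:]}")
    removed = key_set(baseline_keys) - key_set(current_keys)
    for ktype, key in sorted(removed):
        findings.append(f"authorized_keys: baseline {ktype} key missing ...{key[-12:]}")
    return findings


if __name__ == "__main__":
    for finding in drift(BASELINE_SSHD, CURRENT_SSHD, BASELINE_KEYS, CURRENT_KEYS):
        print(finding)
```

Running this from a scheduled job or a file-integrity monitor gives a low-noise signal: neither file should change on a production host outside of a planned configuration push.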

Trend Micro’s recommendations for defending against this threat emphasize secure container management practices. Organizations should use only official or verified images, ensure the Docker daemon and its API are properly configured, and avoid granting containers root-level access to the host. API access should be limited to trusted sources within the network. Regular security audits and strict access controls help detect unauthorized container activity and configuration drift.
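The daemon-side part of that guidance can be checked mechanically. The following added example (not from the Trend Micro report) audits a Docker daemon.json against it: no TCP API listener without TLS client verification, no listener bound to all interfaces, user-namespace remapping so that root inside a container is not root on the host, and no-new-privileges on by default. The two configurations are constructed; the key names used (hosts, tlsverify, tlscacert, tlscert, tlskey, userns-remap, no-new-privileges) are the documented daemon.json keys.

```python
"""Audit a Docker daemon.json for the exposure that enables the campaign.
Added example; both configurations below are constructed."""
import json

# Constructed weak configuration: plain TCP API on every interface, no TLS.
WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened configuration: TLS with client verification on a
# specific address, user-namespace remapping, no-new-privileges by default.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
    "no-new-privileges": True,
})


def audit(daemon_json):
    """Return a list of issues; an empty list means the checks all passed."""
    cfg = json.loads(daemon_json)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

    # 1. Any TCP listener must require client certificates (tlsverify).
    if tcp_hosts and not cfg.get("tlsverify"):
        issues.append("TCP API listener without tlsverify: " + ", ".join(tcp_hosts))
    if cfg.get("tlsverify") and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        issues.append("tlsverify set but tlscacert/tlscert/tlskey are incomplete")

    # 2. Even with TLS, binding to all interfaces widens exposure needlessly.
    for host in tcp_hosts:
        if "://0.0.0.0:" in host or "://[::]:" in host:
            issues.append("API bound to all interfaces: " + host)

    # 3. Without user namespaces, uid 0 in a container is uid 0 on the host,
    #    which is what makes a bind mount of / so damaging.
    if not cfg.get("userns-remap"):
        issues.append("userns-remap unset: container root maps to host root")

    # 4. Stop processes in containers from gaining privileges via setuid etc.
    if not cfg.get("no-new-privileges"):
        issues.append("no-new-privileges not enabled by default")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or "OK")
```

The userns-remap check is a mitigation, not a complete fix: a remapped container that bind-mounts / still sees the host filesystem, only as an unprivileged uid, and a request for a privileged container bypasses it, which is why the API listener checks come first.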
