{
	"id": "945376ab-1933-47c0-8b1e-eb969d2338ca",
	"created_at": "2026-04-06T00:11:38.921874Z",
	"updated_at": "2026-04-10T03:20:45.483802Z",
	"deleted_at": null,
	"sha1_hash": "3fafebc75dc1fe5ce5343921786794b75ef05e88",
	"title": "AESDDoS Botnet, Containers, Exposed Docker APIs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135544,
	"plain_text": "AESDDoS Botnet, Containers, Exposed Docker APIs\r\nPublished: 2019-06-14 · Archived: 2026-04-05 18:28:47 UTC\r\nMisconfiguration is not novel, but it remains an effective way for cybercriminals to get their hands on organizations' computing resources, and it is still a top security concern. In this blog post, we detail an attack in which an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community lets attackers infiltrate containers and run a variant of the Linux botnet malware AESDDoS (detected by Trend Micro as Backdoor.Linux.DOFLOO.AA), which our honeypots caught.\r\nThe Docker Engine API exposed by a container host accepts every container-related command, and the daemon, which runs as root, executes them. Allowing external access to the API port, whether intentionally or through misconfiguration, therefore hands an attacker ownership of the host: the ability to poison the instances running on it with malware and to gain remote access to the owner's servers and hardware resources. We have previously seen cybercriminals abuse exposed Docker hosts in this way, for example to deploy cryptocurrency-mining malware.\r\n[READ: Container Security: Examining Potential Threats to the Container Environment]\r\nThe attack\r\nIn this new attack, the threat actor first scans a given IP range from outside by sending a TCP SYN packet to port 2375, the conventional port for unencrypted communication with the Docker daemon. Once an open port is identified, the attacker connects and asks the API for the list of running containers. When a running container is found, the AESDDoS bot is deployed through the API's exec endpoint, the same mechanism behind the docker exec command, which gives shell access to every applicable running container on the exposed host. 
Hence, the malware is executed within an already running container, where it tries to hide its own presence.\r\nThe tool and the payload\r\nWhen examining a query received by our honeypot, we noticed a link to a file hosted on an HTTP file server (HFS) panel. Openly accessible HFS panels are known to have been abused by Chinese threat actors in the past to host malicious binaries, such as the ELF Linux/BillGates.Lite malware and botnets like Elknot/Setag, MrBlack, and Gafgyt, among others.\r\nFigure 1. HFS panel with listing of hosted malware and tools\r\nIn the HFS panel we found, there was a file named 2375-SYNG口漏洞.zip (translated: 2375 SYN port vulnerability), and analysis revealed that it is the tool the threat actor uses to scan internet ranges for vulnerable machines. Its contents are interesting: a batch file first runs the WinEggDrop scanner (s.exe), which probes port 2375 on hosts in the Chinese IP address ranges listed in the ip.txt file. The output of that scan is saved to a file named ips.txt, which is then fed to Docker.exe.\r\nhttps://www.trendmicro.com/en_us/research/19/f/aesddos-botnet-malware-infiltrates-containers-via-exposed-docker-apis.html\r\nPage 1 of 4\r\nFigure 2. Contents of the 2375-SYNG口漏洞.zip archive\r\nWe have also observed that the threat actor abuses a tool called the Docker Batch Test Tool, which was ostensibly developed to detect vulnerabilities in Docker.\r\nNote: Translated into English, the content reads: 2375 Docker Batch Test Rapid Edition\r\n2375 Docker Batch Test Rapid version By: fireworks QQ154284301 Only for vulnerability detection. Do not use for illegal purposes. If there is illegal use, the user bears the legal responsibility. Everything has nothing to do with the author\r\nFigure 3. Docker batch test tool screen capture\r\nFigure 4. 
WinEggDrop port scanner\r\nAfter running the Docker.exe tool, the operator is presented with the following message:\r\nNote: Translated into English, the content reads:\r\nThere is 1 IP address to be tested, please wait!\r\nIP: 192.168.1.1\r\nThe test is done, preparing for the next scan!\r\nFigure 5. Docker scanner progress message\r\nThe Docker.exe tool first lists all the containers on a target machine through the /containers/json endpoint.\r\nFigure 6. JSON query to list all available containers\r\nIt then executes commands within the running containers. The Cmd parameter in the JSON request shown below is the content of the Shell.txt file inside the tool's .zip archive.\r\nFigure 7. Query to set up the exec instance in a running container\r\nDocker.exe then deploys the AESDDoS botnet malware, which lets the attackers launch several types of DDoS attacks: SYN, LSYN, UDP, UDPS, and TCP floods. This malware variant has previously been seen carrying out DDoS attacks, remote code execution, and cryptocurrency mining on systems running vulnerable Confluence Server and Data Center versions.\r\nFigure 8. AESDDoS shows this message when connecting to its C\u0026C server\r\nFigure 9. List of implemented DDoS methods\r\nDevOps security recommendations and Trend Micro solutions\r\nDocker explicitly warns against making the daemon listen on port 2375, because anyone who can reach that port gains root access to the host where the daemon runs; access to the API, and the address it listens on, must therefore be tightly restricted. To prevent container-based incidents, organizations can follow these guidelines:\r\nCheck API configuration. System administrators and developers should ensure that the API accepts requests only from designated hosts or internal networks. 
Secure API endpoints with HTTPS and certificates.\r\nImplement the principle of least privilege. Make sure that container images are signed and authenticated. Restrict access to critical components such as the daemon service that runs containers. Encrypt network connections as well.\r\nFollow recommended best practices. Docker provides a comprehensive list of best practices and has built-in security features that professionals can take advantage of.\r\nEmploy automated runtime and image scanning products to gain further visibility into a container's processes (e.g., to determine whether it has been tampered with or has vulnerabilities). Application control and integrity monitoring help detect anomalous modifications to servers, files, and system areas.\r\nTrend Micro helps DevOps teams build securely, ship fast, and run anywhere. The Trend Micro™ Hybrid Cloud Security solution provides powerful, streamlined, and automated security within the organization's DevOps pipeline and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via the Deep Security™ solution and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any interval in the development pipeline to prevent threats before they are deployed.  
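The API configuration check recommended above, as an added example that is not part of the original post: a small Python audit of a Docker daemon.json that flags the exposure pattern this post describes (a TCP listener on 2375, bound to every interface, without TLS client verification) and accepts the hardened form (a specific address, port 2376, tlsverify together with a CA, server certificate and key). The two sample configurations and the certificate paths under /etc/docker/certs are constructed for the example; the daemon.json keys themselves (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's own.

```python
# Added example (not code from the Trend Micro post): audit a daemon.json for
# the exposure that lets an attacker reach the Docker API over plain TCP.
import json
from urllib.parse import urlsplit

# Constructed sample: the weak setting the post warns about (listen on 2375 on all interfaces).
WEAK_DAEMON_JSON = '''
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
'''

# Constructed sample: the corrected setting (one internal address, TLS port, client cert verification).
# The certificate paths are assumptions for the example.
HARDENED_DAEMON_JSON = '''
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
'''


def audit_daemon_config(text):
    '''Return a list of findings (strings) for a daemon.json document; empty means no issue found.'''
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get('tlsverify', False))
    for host in cfg.get('hosts', []):
        parts = urlsplit(host)
        if parts.scheme != 'tcp':
            continue  # unix:// and fd:// listeners are reachable only from the host itself
        addr, port = parts.hostname, parts.port
        if addr in (None, '', '0.0.0.0', '::'):
            findings.append(f'{host}: bound to all interfaces')
        if port == 2375:
            findings.append(f'{host}: 2375 is the conventional unencrypted API port')
        if not tls_verify:
            findings.append(f'{host}: TCP listener without tlsverify, any client that reaches it is root on the host')
        else:
            for key in ('tlscacert', 'tlscert', 'tlskey'):
                if key not in cfg:
                    findings.append(f'{host}: tlsverify is set but {key} is missing')
    return findings


if __name__ == '__main__':
    for name, text in (('weak', WEAK_DAEMON_JSON), ('hardened', HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text) or ['no findings'])
```

A tlsverify listener still needs the client certificates kept off any host that should not control the daemon; the audit checks the daemon side only, and a listener that is never bound to TCP at all (unix socket only, with SSH or a VPN for remote use) needs none of the TLS material.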
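The enumerate-then-exec sequence shown in Figures 6 and 7 can also be spotted on the host side, as an added example that is not part of the original post. When dockerd runs with debug logging enabled (the debug key in daemon.json), it logs each API request as a Calling METHOD URI message; the script below parses such lines and reports every container that received an exec request shortly after a container listing. The log lines, timestamps and container IDs are constructed for the example, and the 60-second window is an assumption to tune.

```python
# Added example (not code from the Trend Micro post): detect the list-containers
# followed by exec pattern in dockerd debug-level log lines.
from datetime import datetime, timedelta

# Constructed sample in the shape of dockerd's debug logging of API calls
# (time=... level=debug msg="Calling METHOD URI"); IDs and times are made up.
SAMPLE_LOG = '''
time="2019-06-14T09:58:40Z" level=debug msg="Calling GET /v1.39/version"
time="2019-06-14T10:00:01Z" level=debug msg="Calling GET /v1.39/containers/json"
time="2019-06-14T10:00:02Z" level=debug msg="Calling POST /v1.39/containers/3f2a9c1d7b6e/exec"
time="2019-06-14T10:00:02Z" level=debug msg="Calling POST /v1.39/exec/9e8d7c6b5a4f/start"
time="2019-06-14T10:07:13Z" level=debug msg="Calling GET /v1.39/containers/json?all=1"
time="2019-06-14T10:30:00Z" level=debug msg="Calling POST /v1.39/containers/3f2a9c1d7b6e/exec"
'''


def parse_api_calls(text):
    '''Yield (timestamp, method, path) for every line that records an API call.'''
    for line in text.splitlines():
        if 'msg="Calling ' not in line:
            continue
        ts = line.split('time="', 1)[1].split('"', 1)[0]
        call = line.split('msg="Calling ', 1)[1].rstrip('"')
        method, uri = call.split(' ', 1)
        path = uri.split('?', 1)[0]  # drop query strings such as ?all=1
        if path.startswith('/v1.'):  # drop the API version prefix so matching is version-independent
            path = '/' + path.split('/', 2)[2]
        yield datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), method, path


def find_list_then_exec(text, window=timedelta(seconds=60)):
    '''Return the container IDs that got an exec request within `window` of a container listing.'''
    last_listing = None
    hits = []
    for ts, method, path in parse_api_calls(text):
        segs = path.strip('/').split('/')
        if method == 'GET' and segs == ['containers', 'json']:
            last_listing = ts
        elif method == 'POST' and len(segs) == 3 and segs[0] == 'containers' and segs[2] == 'exec':
            if last_listing is not None and ts - last_listing <= window:
                hits.append(segs[1])
    return hits


if __name__ == '__main__':
    print('exec shortly after a container listing:', find_list_then_exec(SAMPLE_LOG))
```

The debug message does not carry the client address, so the detector says that the sequence happened, not who did it; pair it with the listener audit, or with connection logs for port 2375, to attribute the request. It also does not fire at the default info log level, and the second exec in the sample is deliberately outside the window to show the time bound at work.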
\r\nIndicators of Compromise\r\nSHA-256 | Detection name | File\r\n643B16F4F6228BE95736A9F37FA9B527CA831EA7AE998CFA6725ECD426C8B4E1 | Backdoor.Linux.DOFLOO.AA | Payl\r\n8909895D92C4544A423C70995F9673987F791F7ACB9FE4843E0C6940D7739897 | | \r\nF8FB19F075831C1FCDD780C8283E751B8B4D35D3635E048CDE244F8D52C1243C | Trojan.Win32.PARITE.AC | Batc\r\nDCE9A06646113DEC4AEC515B3C9A3C9EAB9D20CCA45BEEA015281C376C09B3D7 | PE_VIRUX.O | s.exe\r\nBF8BB06B694E775DCA1EB64B4EE4AFD243E4EAED0A03219A9BB175FF1DC5F280 | PE_PARITE.A | Dock\r\nSource: https://www.trendmicro.com/en_us/research/19/f/aesddos-botnet-malware-infiltrates-containers-via-exposed-docker-apis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/19/f/aesddos-botnet-malware-infiltrates-containers-via-exposed-docker-apis.html"
	],
	"report_names": [
		"aesddos-botnet-malware-infiltrates-containers-via-exposed-docker-apis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fafebc75dc1fe5ce5343921786794b75ef05e88.pdf",
		"text": "https://archive.orkl.eu/3fafebc75dc1fe5ce5343921786794b75ef05e88.txt",
		"img": "https://archive.orkl.eu/3fafebc75dc1fe5ce5343921786794b75ef05e88.jpg"
	}
}