{
	"id": "d00718d0-c91e-4033-92ad-0f6ab9cc2c1f",
	"created_at": "2026-04-06T01:32:11.267916Z",
	"updated_at": "2026-04-10T13:12:23.119572Z",
	"deleted_at": null,
	"sha1_hash": "453649bb75e86f8df3ba53154c6a606b7cb47875",
	"title": "LemonDuck Botnet Targets Docker for Cryptomining Operations | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6955252,
	"plain_text": "LemonDuck Botnet Targets Docker for Cryptomining Operations |\r\nCrowdStrike\r\nBy Manoj Ahuje\r\nArchived: 2026-04-06 01:25:40 UTC\r\nLemonDuck, a well-known cryptomining botnet, is targeting Docker to mine cryptocurrency on Linux\r\nsystems. This campaign is currently active.\r\nIt runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses.\r\nIt evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.\r\nCrowdStrike customers are protected from this threat with the Falcon Cloud Security module.\r\nSummary\r\nThe recent cryptocurrency boom has driven crypto prices through the roof in the last couple of years. As a result,\r\ncryptomining activities have increased significantly as attackers are looking to get immediate monetary\r\ncompensation. According to the Google Threat Horizon report published Nov. 29, 2021, 86% of compromised\r\nGoogle Cloud instances were used to perform cryptocurrency mining. The CrowdStrike Cloud Threat Research\r\nteam detected LemonDuck targeting Docker to mine cryptocurrency on the Linux platform. This campaign is\r\ncurrently active.\r\nLemonDuck is a well-known cryptomining botnet involved in targeting Microsoft Exchange servers via\r\nProxyLogon and the use of EternalBlue, BlueKeep, etc. to mine cryptocurrency, escalate privileges and move\r\nlaterally in compromised networks. This botnet tries to monetize its efforts via various simultaneous active\r\ncampaigns to mine cryptocurrency like Monero.\r\nWhat Is the Exposed Docker API?\r\nDocker is the platform for building, running and managing containerized workloads. Docker provides a number of\r\nAPIs to help developers with automation, and these APIs can be made available using local Linux sockets or\r\ndaemons (the default port is 2375). Since Docker is primarily used to run container workloads in the cloud, a\r\nmisconfigured cloud instance can expose a Docker API to the internet. Then an attacker can exploit this API to run\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 1 of 9\n\na cryptocurrency miner inside an attacker-controlled container. Additionally, an attacker can escape a running\r\ncontainer by abusing privileges and misconfigurations, but also by exploiting multiple vulnerabilities found in the\r\ncontainer runtime like Docker, Containerd and CRI-O. Cr8escape is an example of one such vulnerability\r\ndiscovered by CrowdStrike in container runtime CRI-O.\r\nInitial Compromise via Docker\r\nLemonDuck targets exposed Docker APIs to get initial access. It runs a malicious container on an exposed Docker\r\nAPI by using a custom Docker ENTRYPOINT to download a “core.png” image file that is disguised as Bash\r\nscript. In Figure 1, you can see the initial malicious entrypoint.\r\nFigure 1.\r\nMalicious entrypoint downloading disguised Bash file as an image\r\nThe file “core.png” was downloaded from a domain t.m7n0y\u003c.\u003ecom , which is associated with LemonDuck. By\r\nfurther analyzing this domain, CrowdStrike found multiple campaigns being operated via the domain targeting\r\nWindows and Linux platforms simultaneously. As shown in Figure 2, the domain has a self-signed certificate\r\ninstalled, generated in May 2021 with expiration in May 2022. It further indicates that this domain is currently\r\nbeing used.\r\nFigure 2. LemonDuck domain certificate\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 2 of 9\n\nThe unique certificate signatures lead investigation to other domains that are actively used by this actor to\r\npotentially identify other command and control (C2) used in this campaign. As shown in Figure 3, investigation\r\nfound a few domains that were using the same certificate at the moment. But we did not find a “core.png” file\r\nbeing distributed by other related domains at the time of this writing. As shown in Figure 4, historical data\r\ncollected by CrowdStrike suggests “core.png” was distributed on multiple domains used by this actor in the past.\r\nFigure 3. Domain sharing the same Certificate\r\nFigure 4. Core.png like files being distributed in the past\r\nAttackers usually run a single campaign from a single C2 server, but interestingly, on multiple C2 used by\r\nLemonDuck, there are multiple campaigns running that target Windows as well as the Linux platform. Figure 5\r\nshows various dropper files used in multiple campaigns.\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 3 of 9\n\nFigure 5. Dropper files used in multiple campaigns targeting Windows and Linux\r\nDisguised Scripts to Set Up a Miner\r\nAs shown in Figure 6, the “core.png'' file acts as a pivot by setting a Linux cronjob inside the container. Next, this\r\ncronjob downloads another disguised file “a.asp,'' which is actually a Bash file.\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 4 of 9\n\nFigure 6. Core.png adds cronjob to download a.asp\r\nThe “a.asp'' file is the actual payload in this attack. It takes several steps before downloading and starting a mining\r\noperation once it is triggered by a cronjob, as follows.\r\nKills processes based on names. Kills the number of processes based on names of known mining pools,\r\ncompeting cryptomining groups, etc.\r\nKills known daemons. Daemons like crond, sshd and syslog are killed by grabbing daemon process ids.\r\nDeletes known indicator of compromise (IOC) file paths. The known IOC file paths of competing\r\ncryptomining groups are deleted to disrupt any existing operation.\r\nKills known network connections. Connections that are ESTABLISHED or in progress (SYN_SENT) to\r\nknown C2 of competing cryptomining groups are killed.\r\nDisables Alibaba Cloud Defense\r\nAlibaba Cloud’s monitoring service monitors cloud instances for malicious activities once the agent is installed on\r\na host or container. LemonDuck’s “a.asp” file has the capability to disable aliyun service in order to evade\r\ndetection by the cloud provider, as shown in Figure 7.\r\nFigure 7. Disable Cloud monitoring service\r\nCryptominer Startup and Use of Proxy Pools\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 5 of 9\n\nAs a final step, LemonDuck’s “a.asp'' file downloads and runs XMRig as “xr” file that mines the cryptocurrency\r\nas shown in Figure 8. Further, Figure 9 shows the version of XMRig being used in mining (version 6.14.0 released\r\nin August 2021). The config file used by XMRig indicates the use of a cryptomining proxy pool. Proxy pools help\r\nin hiding the actual crypto wallet address where the contributions are made by current mining activity. You can see\r\nthe pool address in Figure 9.\r\nFigure 8. Binary named “xr” running as a mining process\r\nFigure 9. XMRig version in use and pool address\r\nLateral Movement via SSH\r\nRather than mass scanning the public IP ranges for exploitable attack surface, LemonDuck tries to move laterally\r\nby searching for SSH keys on filesystem. This is one of the reasons this campaign was not evident as other mining\r\ncampaigns run by other groups. Once SSH keys are found, the attacker uses those to log in to the servers and run\r\nthe malicious scripts as discussed earlier. Figure 10 shows the search for SSH keys on the filesystem.\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 6 of 9\n\nFigure 10. Key search\r\nCrowdStrike Detection\r\nThe CrowdStrike Falcon® platform protects its customers with its runtime protection and cloud machine learning\r\nmodels from any post-exploitation activities. As shown in Figure 11, a malicious mining process was killed by the\r\nCrowdStrike machine learning model. Figure 12 additionally shows the origin of the process and container\r\ninformation using CrowdStrike Threat Graph®.\r\nFigure 11. CrowdStrike cloud-based machine learning killing a malicious container process\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 7 of 9\n\nFigure 12. CrowdStrike Threat Graph for the malicious process\r\nConclusion\r\nDue to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises,\r\ncryptomining is proven to be a monetarily attractive option for attackers. Since cloud and container ecosystems\r\nheavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting\r\nDocker for cryptomining on the Linux platform. As you can see in this attack, LemonDuck utilized some part of\r\nits vast C2 operation to target Linux and Docker in addition to its Windows campaigns. It utilized techniques to\r\nevade defenses not only by using disguised files and by killing monitoring daemon, but also by disabling Alibaba\r\nCloud’s monitoring service. At CrowdStrike, we expect such kinds of campaigns by large botnet operators to\r\nincrease as cloud adoption continues to grow. Securing containers need not be an overly complex task. Using the\r\nFalcon platform, you can easily identify security issues in your environment in real time. You can use built-in\r\nfeatures of Kubernetes and best practices to keep your container environment safe. For enhanced security, you can\r\nuse integrated container security products such as CrowdStrike Falcon® Cloud Security that can protect your\r\nKubernetes environment seamlessly.\r\nCrowdStrike strives to support organizations that allow their users to stay ahead of the curve and remain fully\r\nprotected from adversaries and breaches.\r\nAdditional Resources\r\nLearn how you can stop cloud breaches with CrowdStrike unified cloud security posture management and\r\nbreach prevention for multi-cloud and hybrid environments — all in one lightweight platform.\r\nLearn more about how Falcon Cloud Security enables organizations to build, run and secure cloud-native\r\napplications with speed and confidence\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 8 of 9\n\nSee if a managed solution is right for you. Find out about Falcon Cloud Workload Protection Complete:\r\nManaged Detection and Response for Cloud Workloads.\r\nSource: https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nhttps://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/"
	],
	"report_names": [
		"lemonduck-botnet-targets-docker-for-cryptomining-operations"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/453649bb75e86f8df3ba53154c6a606b7cb47875.pdf",
		"text": "https://archive.orkl.eu/453649bb75e86f8df3ba53154c6a606b7cb47875.txt",
		"img": "https://archive.orkl.eu/453649bb75e86f8df3ba53154c6a606b7cb47875.jpg"
	}
}