{
	"id": "8f1f30e7-fab1-4bb0-ab6c-b07a9b18fb59",
	"created_at": "2026-04-06T00:13:22.927335Z",
	"updated_at": "2026-04-10T03:21:39.541446Z",
	"deleted_at": null,
	"sha1_hash": "8fe28089781726d7e24a1b9e482039edbfb2f3f9",
	"title": "Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 867227,
	"plain_text": "Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware\r\nBy Sergiu Gatlan\r\nPublished: 2019-06-14 · Archived: 2026-04-05 13:44:59 UTC\r\nAttackers are actively scanning for exposed Docker APIs on port 2375 and use them to deploy a malicious payload which\r\ndrops a Dofloo Trojan variant, a malware known as a popular tool for building large scale botnets.\r\nThe Dofloo (aka AESDDoS) malware was first detected in 2014 [1, 2, 3, 4] and it is known for allowing hackers to quickly\r\nassemble vast numbers of compromised machines used to create botnets that can launch DDoS attacks and — in the case of\r\nsome variants — to load cryptocurrency miners to the infected machines.\r\nMisconfigured Docker services being abused is a known trend given that they have been under constant attack since early-2018 after coinminer campaigns started spreading to the cloud following the drop in activity seen by ransomware operations\r\nafter the end of 2017.\r\nhttps://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nAttacks, infection, and abuse\r\nIn the campaign observed by Trend Micro, misconfigured APIs of the Docker Engine-Community DevOps utility that allow\r\nexternal access to the communication ports are abused by attackers making it possible to infiltrate misconfigured servers.\r\n\"Allowing external access — whether intentionally or by misconfiguration — to API ports allows attackers to gain\r\nownership of the host, giving them the ability to poison instances running within it with malware and to gain remote access\r\nto users’ servers and hardware resources,\" says Trend Micro.\r\nQuery to list all available containers\r\nThe attacks begin with an Internet scan for vulnerable Docker hosts by sending TCP SYN packets to port 2375 — the\r\nDocker daemon communication port which allows for unencrypted and unauthenticated communication— using an open\r\nsource SYN/TCP port scanner, with the bad actors connecting to all live host they found and asking for running containers.\r\nThe Dofloo botnet malware is subsequently \"deployed using the docker exec command\" to all discovered containers\r\nsays Trend Micro's research, executing the malware that will enable the \"attackers to launch several types of DDoS attacks,\r\nsuch as SYN, LSYN, UDP, UDPS, and TCP flood.\"\r\nSystem information is also collected by the Trojan after execution, with the data being packed and sent to its command-and-control (C\u0026C) server allowing its masters to decide what the next course of action will be depending on the hardware\r\nconfiguration of the compromised machine.\r\nDofloo (AESDDoS) malware executing remote shell commands\r\nTrend Micro's research team provides a list of Indicators of Compromise (IOCs) containing hashes of malware samples used\r\nduring these attacks at the end of the report.\r\nPrevious Dofloo and Docker attacks\r\nDofloo was previously detected while being dropped by a malicious campaign that exploited a critical server-side template\r\ninjection Atlassian Confluence Server and Data Center vulnerability to compromise Linux and Windows servers in late\r\nApril.\r\nhttps://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/\r\nPage 3 of 4\n\nExposed Docker APIs were abused by other malicious campaigns, with one being detected in March by Imperva while\r\nexploiting the CVE-2019-5736 runc vulnerability disclosed one month earlier allowing attackers to overwrite the host runc\r\nbinary and gain root-level code execution privileges.\r\nCryptojacking operations have also actively targeted misconfigured Docker services in November 2018 as unearthed by\r\nJuniper Networks researchers, with cybercriminals adding their own containers which executed Monero mining scripts.\r\nFurther back, in October 2018 and March 2018, other campaigns have also been observed while scanning the Internet for\r\neasy to infiltrate Docker hosts and deploy containers that would download and execute coin miners.\r\nSecuring Docker servers\r\nWhile Docker Engine API abuse is not something new, it keeps being an issue because administrators do not know how to\r\nproperly secure their systems. \r\nTo make sure that their Docker hosts are secured against this types of attacks, admins should be using adequate security\r\ncontrols that allow only trusted sources to access the Docker API as explained in the Securing Docker remote\r\ndaemon chapter available on the Docker documentation website.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/\r\nhttps://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/"
	],
	"report_names": [
		"exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fe28089781726d7e24a1b9e482039edbfb2f3f9.pdf",
		"text": "https://archive.orkl.eu/8fe28089781726d7e24a1b9e482039edbfb2f3f9.txt",
		"img": "https://archive.orkl.eu/8fe28089781726d7e24a1b9e482039edbfb2f3f9.jpg"
	}
}