{
	"id": "bdc75c30-b1c4-480d-b32a-bc95f1c1b331",
	"created_at": "2026-04-06T00:16:36.177153Z",
	"updated_at": "2026-04-10T03:34:59.764806Z",
	"deleted_at": null,
	"sha1_hash": "e78da9c226c41b014525c13d53ca637a4976bb2d",
	"title": "Xanthe - Docker aware miner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1298579,
	"plain_text": "Xanthe - Docker aware miner\r\nBy Vanja Svajcer\r\nPublished: 2020-12-01 · Archived: 2026-04-05 21:45:12 UTC\r\nBy Vanja Svajcer and Adam Pridgen, Cisco Incident Command\r\nNEWS SUMMARY\r\nRansomware attacks and big-game hunting making the headlines, but adversaries use plenty of other methods to\r\nmonetize their efforts in less intrusive ways.\r\nCisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling \"Xanthe,\" which attempted to\r\ncompromise one of Cisco's security honeypots for tracking Docker-related threats.\r\nThese threats demonstrate several techniques of the MITRE ATT\u0026CK framework, most notably Disabling Security\r\nTools - T1089, External Remote Services - T1133, Exploit Public-Facing Application - T1190, Resource Hijacking -\r\nT1496, Scheduled Task - T1053, Bash History - T1139, SSH Hijacking - T1184 and Rootkit - T1014.\r\nAttackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered an interesting campaign\r\naffecting Linux systems employing a multi-modular botnet with several ways to spread and a payload focused on providing\r\nfinancial benefits for the attacker by mining Monero online currency.\r\nThe actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to\r\nknown hosts using ssh, or spreading to systems with an incorrectly configured Docker API.\r\nWhat's new?\r\nWe believe this is the first time anyone's documented Xanthe's operations. The actor is actively maintaining all the\r\nmodules and has been active since March this year.\r\nHow did it work?\r\nThe infection starts with the downloader module, which downloads the main installer module, which is also tasked\r\nwith spreading to other systems on the local and remote networks. 
The main module attempts to spread to other\r\nknown hosts by stealing the client-side certificates and connecting to them without the requirement for a password.\r\nTwo additional bash scripts terminate security services, removing competitors' botnets and ensuring persistence by creating\r\nscheduled cron jobs and modifying one of the system startup scripts.\r\nThe main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to\r\nhide the presence of the miner's process from various tools for process enumeration.\r\nhttps://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html\r\nPage 1 of 8\n\nSo what?\r\nDefenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like\r\nwater — they look for the smallest crack to seep in, like we see in Xanthe's potential to spread using systems with an\r\nexposed Docker API. While organizations need to be focused on protecting their most valuable assets, they should not\r\nignore threats that are not specifically targeted at their infrastructure.\r\nTechnical case overview\r\nIntroduction\r\nHoneypots are one of the most commonly used systems for collecting new threats and threat intelligence, with a\r\nnumber of open-source implementations. Cisco Talos and the Cisco Security \u0026 Trust organization deploy numerous\r\nhoneypots tracking attacks on many platforms, protocols and applications.\r\nDocker has been one of the most popular platforms for managing containers. Over time it became a de facto standard for\r\ndevelopment and deployment of web and cloud applications. However, anybody who has worked with Docker quickly\r\nrealises that the learning curve is quite steep. 
Therefore, Docker installations can easily be misconfigured and the Docker\r\ndaemon exposed to external networks with a minimal level of security.\r\nAccording to Shodan, there are over 6,000 incorrectly-configured Docker implementations exposed to the internet, and\r\nattackers have been actively finding ways to exploit those exposed servers.\r\nIncorrectly configured Docker installations with exposed, unprotected APIs according to Shodan\r\nDocker daemons have been targets of attacks for several years now, and our security teams decided to keep tracking\r\nactivities related to various actors attempting to exploit them.\r\nDocker honeypot\r\nThe Cisco Security and Trust organization developed an implementation of a Docker honeypot. The Docker honeypot\r\nis a simple server that emulates some aspects of the Docker HTTP API. The server will respond to:\r\nHTTP GET version\r\nHTTP GET ping\r\nHTTP POST create image\r\nHTTP Error Code 500 in almost all other cases\r\nThe assumption is that this service is running in a cloud provider somewhere. Currently, the service is a script that runs in a\r\nshell. When a recon event or the creation of a container is detected, the server will log the event to any of the following\r\nservices:\r\nWebex Teams\r\nSlack\r\nMongoDB\r\nHTTP Collector\r\nAs a part of reconnaissance, the honeypots log suspicious activity related to potential Docker attacks. This is where we\r\nrecently spotted the following attempt:\r\nXanthe - a Docker-aware crypto miner\r\nThe attempt belongs to a relatively unknown crypto mining botnet, which we will call Xanthe, based on the file name\r\nof the main spreading script. When investigating open-source information, we found earlier samples of the bot on\r\nVirusTotal detected by very few anti-malware engines. 
In fact, despite Xanthe having been active since March 2020,\r\nonly one of the scripts had been detected.\r\nOlder Xanthe versions and the VirusTotal detections\r\nThe initial script, pop.sh, is a simple downloader script which downloads and runs the main bot module xanthe.sh, which\r\nthen downloads and runs all additional modules. It is also tasked with scanning the network and spreading to other systems\r\nover SSH and by exploiting Docker daemon installations with an exposed web API.\r\nThere are four modules that are downloaded and launched:\r\nProcess-hiding module libprocesshider.so\r\nShell script to disable other miners and security services\r\nShell script to remove Docker containers of competing Docker-targeting crypto mining trojans\r\nXMRig binary together with a downloaded JSON configuration file, config.json\r\nXanthe, its modules and the spreading vectors\r\nMain module - xanthe.sh\r\nXanthe.sh, as well as most of the other Xanthe modules, is a shell script tasked with loading additional modules and spreading\r\nthe bot to other systems.\r\nThe main Xanthe module starts with an initialization procedure that attempts to download and run two additional modules:\r\nxesa.txt and fczyo. We describe both in detail in the next section.\r\nThe next procedure downloads a variant of the XMRig miner as java_c, its JSON configuration file and the libprocesshider\r\nshared library used for hiding the miner process name in memory. The integrity of every downloaded file is verified with a\r\nhardcoded MD5 checksum value. If the MD5 checksum is not verified, the download is reattempted.\r\nThe URLs for download are hardcoded in an array per URL, with direct IP addresses 139[.]162[.]124[.]27 and\r\n34[.]92[.]166[.]158 used for download. At the moment of writing this post, the IP address 34[.]92[.]166[.]158 runs nginx\r\nversion 1.19.2, which was released in August this year. 
The address 139[.]162[.]124[.]27 runs a Debian Linux distribution\r\nwith an older Apache version 2.4.10 serving the files. Both of the server directories, /files/, used to host the malicious files\r\nare open and potentially misconfigured.\r\nXanthe uses curl to download its modules and to communicate with the logging URLs. Iplogger.org is extensively used\r\nthroughout the code, with each procedure communicating with a unique logging URL. Curl's user agent strings are manually\r\nspecified for each request depending on the phase and the functionality currently being executed.\r\nUser-agent strings and the associated functionality\r\nThe execution of the main module continues with making sure that the /tmp directory is mounted and configured to allow\r\nexecution of the files within it.\r\nNext, the procedure checks if the miner is already running in memory by running the ps command. First, the loading of the\r\nlibprocesshider is disabled, then ps is used to make sure the java_c process is running.\r\nsshd configuration and spreading\r\nThe main infection vector for this variant of Xanthe seems to be SSH, which is achieved by specifying client-side\r\ncertificates stored for known hosts.\r\nFirst, Xanthe configures the SSH daemon to make its configuration less secure and enable some functionality. The daemon\r\nis configured to run on ports 22 and 33768 with the root account login, password, client public key and\r\nGSSAPIAuthentication (such as Kerberos authentication) enabled. Once the configuration file is modified, the SSH service\r\nis restarted.\r\nFinally, we come to the spreading function, localgo. The function starts with a fetch of the externally-visible IP address of\r\nthe infected host by connecting to icanhazip.com. 
Next, the script uses the find utility to search for instances of client-side\r\ncertificates, which will be used for authentication to remote hosts. find is used to search for any filenames starting with\r\nthe string 'id_rsa' and for files with the '.pem' file extension. The script also uses a combination of 'cat' and 'grep' to find\r\nother keys by parsing the SSH configuration files and the bash history file.\r\nOnce all possible keys have been found, the script proceeds with finding known hosts, TCP ports and usernames used to\r\nconnect to those hosts. Finally, a loop is entered which iterates over the combination of all known usernames, hosts, keys\r\nand ports in an attempt to connect, authenticate on the remote host and launch the command lines to download and execute\r\nthe main module on the remote system.\r\nSSH Xanthe-based spreading command\r\nAvailable functionality commented out\r\nAlthough we have seen this bot hitting our Docker honeypots with an attempt to spread, at the time of the analysis\r\nthe routine for Docker scanning and spreading was commented out. The author's programming style is similar in all\r\nscripts. First, the functions are defined and implemented, with all the flow defined towards the bottom of the script,\r\nwhere the actor can choose which functionality to exhibit by commenting out undesirable function calls.\r\nFunctions are enabled/disabled by commenting out a line using the character #\r\nThe Docker spreading functionality is contained within the function 'scangogo'. 
The function first attempts to install the\r\nmass port-scanning utility masscan to scan the local network, as well as the /24 subnet of the external IP address, for\r\nhosts with an incorrectly configured Docker API exposed on TCP port 2375.\r\nIf a suitable exposed Docker API is found, Xanthe will attempt to run Docker with the parameter pointing to the remote\r\nhost, create a new container based on the busybox image and run the command to launch the downloader bash script pop.sh.\r\nAuxiliary shell scripts\r\nAs soon as the main module is launched, it downloads and runs the two auxiliary modules,\r\nxesa.txt and fczyo.\r\nXesa.txt - the killer module\r\nXesa starts by removing the system log file and adding a number of IP addresses to the /etc/hosts file so\r\nthat they are resolved locally by the DNS resolver to 0.0.0.0 and blocked. The IP addresses are related to competing botnets and security\r\nservices such as the Alibaba cloud security center agent. Xesa also attempts to delete several accounts, which seem to be related to competing\r\nbotnets such as Kinsing.\r\nThe execution continues with running a large number of ps commands to determine if competing miners are running on the\r\ninfected system. If any of the miners are found, their processes will be terminated and files removed from the system.\r\nDocker images of competitors' miners being removed from the infected system\r\nOne of the main Xesa functions is terminating competitors' Docker containers if they are running and removing their images\r\nfrom the local Docker repository. The script finishes with another check that the java_c process is running.\r\nFczyo - persistence and remote access setup\r\nThe second auxiliary module, fczyo, is similar to xesa.txt, but it covers slightly different areas of the system for termination. 
The execution\r\nstarts with adding two public DNS servers, 1.1.1.1 and 8.8.8.8, to the beginning of the /etc/resolv.conf file and restarting the DNS\r\nresolver to use those public servers. It then continues with terminating competing Docker containers if they are running.\r\nThe script makes sure that the security processes are not running on the infected system and ensures that crond is running so\r\nthe scheduled jobs can be executed.\r\nFczyo attempts to add the following users to the infected system:\r\nsysall\r\nsystem\r\nlogger\r\nautoupdater\r\nOnce the users are created, the script adds them to the list of sudoers so that they can run commands with administrative\r\nprivileges. The script also adds a public key to the SSH configuration to allow those users access to the host using the client-side private key. iptables is used to configure the firewall to allow connections coming from the IP address\r\n64[.]225[.]46[.]44 and to drop all incoming connections to ports 2375 and 2376, presumably to avoid reinfection of the\r\nsystem by other bots scanning for misconfigured Docker API installations.\r\nFczyo checking if the cron job is already configured\r\nThe next major block of functions is tasked with setting up scheduled cron jobs to ensure that Xanthe modules are\r\ndownloaded and run from the download server every 30 minutes. It also modifies the file /etc/rc.d/rc.local so Xanthe can be\r\ndownloaded and run every time the system is started.\r\nFczyo also attempts to clear bash history, disable and remove ufw and any file belonging to the Sandfly security products.\r\nProcess-hiding module\r\nXanthe and its auxiliary modules use a shared object, libprocesshider, which is downloaded and installed into\r\n/usr/local/lib/libprocesshider.so. The loading of the shared object is enabled by adding the path of the library to the\r\nfile /etc/ld.so.preload. 
Ld.so.preload contains a list of user-specified ELF shared libraries to be loaded before all\r\nothers. This can be used to selectively override functions in other shared libraries.\r\nProcess tools such as ps use the /proc file system and the readdir function to enumerate all the running processes. If a\r\nmalicious shared object is used to implement a malicious copy of the readdir function, this function will be called before the\r\nstandard library function. The malicious function then has the ability to modify the results of readdir to omit details of\r\nsome processes. The source code of the library is publicly available on GitHub, so the attacker only had to modify a\r\nhardcoded string containing the name of the process executable that needs to be hidden, in our case java_c.\r\nConclusion\r\nIn this post, we documented the previously undocumented Monero mining botnet Xanthe, which attempts to spread\r\nover SSH using existing private keys for authentication. We discovered this botnet when it registered in a Docker\r\nhoneypot system. The main module contains functions, disabled in this variant, to spread by exploiting incorrectly\r\nconfigured Docker API installations.\r\nWhile Docker remains an essential tool for development and deployment of applications, it is worth remembering that its\r\nlearning curve is steep. 
The installation is not secure by default, and it is easy to leave its API exposed to attackers on the\r\nlookout for 'free' resources they can use to run custom containers and conduct attacks.\r\nWhen setting up organizations' defences, administrators and devops engineers need to make sure all components in their\r\nproduct development and deployment systems are properly configured and secure.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nExploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites\r\nand detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), Cisco ISR and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether\r\nusers are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nosquery\r\nCisco AMP users can use Orbital Advanced Search to run complex osquery queries to see if their endpoints are infected\r\nwith this specific threat. 
For specific osquery queries on this threat, click below:\r\nhttps://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf\r\nIOCs\r\nIP addresses\r\n34[.]92[.]166[.]158\r\n165[.]22[.]48[.]169\r\n138[.]68[.]14[.]52\r\n139[.]162[.]124[.]27\r\n64[.]225[.]46[.]44 - incoming\r\nDomains\r\nxanthe[.]anondns[.]net\r\nmonero[.]gktimer[.]com\r\npool[.]supportxmr[.]com - mining pool, legitimate\r\nWallet address\r\n47E4c2oGb92V2pzMZAivmNT2MJXVBj4TCJHad4QFs2KRjFhQ44Q81DPAjPCVc1KwoKQEp1YHdRMjGLUe6YdHPx5WEvAh\r\nURLs\r\nhxxp://165[.]22[.]48[.]169:8080/adnckil2\r\nhxxp://138[.]68[.]14[.]52:8080/files/adnckil\r\nhxxp://138[.]68[.]14[.]52:8080/files/iqmjlf.jpg\r\nhxxp://iplogger[.]org/10xNq3\r\nhxxps://iplogger[.]org/1Rfhy7\r\nhxxps://iplogger[.]org/1iGce7\r\nhxxps://iplogger[.]org/1mmup7\r\nhxxp://34[.]92[.]166[.]158:8080/files/pop.sh\r\nhxxp://34[.]92[.]166[.]158:8080/files/xesa.txt\r\nhxxp://34[.]92[.]166[.]158:8080/files/fczyo\r\nhxxp://34[.]92[.]166[.]158:8080/files/java_c\r\nhxxp://34[.]92[.]166[.]158:8080/files/config.json\r\nhxxp://34[.]92[.]166[.]158:8080/files/libprocesshider.so\r\nOlder variants\r\n43fba1c1d95a300a96a20890a1c768a5218b04516893744cff82097a52a51f7c\r\n6cb730a34e0b3de1e927b1c137e1d1819a1550091c0d35de30f68dfacd554783\r\nb16079a80bdd85cbb72a0fa5c956d43922a7518697eeb8a1638164418820390c\r\n8f7c7f3248ba510ca06cbe62728f06703acedc8e54b3609a069c1090ab957224\r\n6a5a0bcb60944597d61d5311a4590f1850c2ba7fc44bbcde4a81b2dd1effe57c\r\nNew variant\r\n10e1d73e8a894e5bf07e6779ac8085da09aa445e61072349310158b0276bb28d - config.json\r\n071633c8ea4bac5d6acfe1cdc22b3a3f258d99ee8073dd2611eee9876ae40d64 - xanthe.sh\r\nd4637a2efda1f8a96e7f3e31f2c618ce680d3816ba38f075fbefefec77a10f16 - pop.sh\r\n73bfcf268a8481d55db0da34eaf3094f010ed5c0eb5acaf632d2f97ed7bab036 - fczyo\r\n0e6d37099dd89c7eed44063420bd05a2d7b0865a0f690e12457fbec68f9b67a8 - libprocesshider.so\r\ne1a3ff46a99f4fd93d99b0e61fe4ddef8f894c2a69490d71cb34ab10e4afc0d2 - 
xesa.txt\r\n30a77ab582f0558829a78960929f657a7c3c03c2cf89cd5a0f6934b79a74b7a4 - java_c\r\nSource: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html"
	],
	"report_names": [
		"xanthe-docker-aware-miner.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e78da9c226c41b014525c13d53ca637a4976bb2d.pdf",
		"text": "https://archive.orkl.eu/e78da9c226c41b014525c13d53ca637a4976bb2d.txt",
		"img": "https://archive.orkl.eu/e78da9c226c41b014525c13d53ca637a4976bb2d.jpg"
	}
}