{
	"id": "43f62306-5ca7-4d67-871c-bcf8f9f82af2",
	"created_at": "2026-04-06T00:12:57.692709Z",
	"updated_at": "2026-04-10T13:12:30.791127Z",
	"deleted_at": null,
	"sha1_hash": "f73917df793bd34ba6ffde21ab5169fc2f95d941",
	"title": "Fileless Malware Executing in Containers - Aqua",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1223790,
	"plain_text": "Fileless Malware Executing in Containers - Aqua\r\nBy Idan Revivo\r\nPublished: 2020-12-02 · Archived: 2026-04-05 20:23:36 UTC\r\nOur cyber research team detected a new type of attack that executes and runs malware straight from memory in containers, thus evading common defenses and static scanning. This malware uses a rootkit to hide its running processes, then hijacks resources by executing a crypto miner from memory, leaving a backdoor that enables attackers to do more damage. We found four container images in Docker Hub designed to execute fileless malware attacks.\r\nA fileless attack is especially concerning since industry reports indicate that the number of these malware attacks is increasing every year, by hundreds of percent. Some reports claim that this type of malware attack is 10 times more likely to succeed in infecting a machine than a file-based attack. Now that adversaries are using such highly sophisticated and obfuscated techniques, security practitioners must up their game accordingly.\r\nWhat is a fileless malware attack?\r\nUntil recently, we most often witnessed two types of attacks in containers, and neither of them was fileless. Dedicated malicious images are one type of attack that can be detected by traditional static security solutions, such as antivirus scanners, which scan for markers matching a known tool’s signature. The second type is a benign image running a malicious script at the entry point, which is set to download malware from the attacker’s C2 server. This type of attack is more advanced; to detect this form of malware you need a dynamic scanner capable of scanning files written to disk during runtime. You can read more about our classifications in our 2020 Cloud Native Threat Report.\r\nHowever, in a fileless malware attack, the malware is loaded into memory and then executed. 
By executing malicious code directly from memory, attackers can evade detection by static scanners, and even some dynamic scanners, because they cannot read the file from memory. Only more sophisticated dynamic analysis that analyzes a running system’s processes can help.\r\nThe detection method\r\nWe at Team Nautilus occasionally scan Docker Hub using our Aqua DTA (Dynamic Threat Analysis) scanner. It is purpose-built to detect hidden, malicious elements in images by running the image as a container in a secure sandbox and analyzing its behavior.\r\nUsing this technique, we detected two Docker Hub accounts (portaienr and lifengyi1323) containing various malicious images. Our research shows that these accounts are linked to TeamTNT, a group whose attacks we’ve seen before. We recently reported on the account ‘portaienr’ in another blog post. In addition to the findings in that post, DTA found four images designed to execute fileless malware attacks. At this point we decided to investigate these images thoroughly.\r\nhttps://blog.aquasec.com/fileless-malware-container-security\r\nPage 1 of 6\n\nThe entry points\r\nThe image lifengyi1323/traband was built with six layers. Two of the layers contained BusyBox (which provides various Unix utilities) and the rest contained TeamTNT’s malicious binaries and scripts (as detailed below). The container starts by executing the file init.sh, which is located on disk (MD5=2a42cc706d451a64b5d2cbf80e5d61ec).\r\nThe shell script init.sh is short and straightforward: it prepares the environment to execute three files. First, the script changes file attributes: it sets /root/sbin (MD5=f42be0d5a0da02a4d6bfc95b62d1838e) and /root/traband (MD5=37902136fe513879ee7fee9208cdb40a) to executable mode. 
Both sbin and traband are packed files, but they have only a few generic detections in VirusTotal, an online service that analyzes files and URLs to detect malicious content. The low detection rate for these files implies that this technique is highly effective against AV scanners. Deeper analysis suggests that traband is packed with both the UPX and Ezuri packers, while sbin is packed with the Ezuri packer.\r\nAttackers often use packers as a defense evasion technique: a packer compresses a malware file without affecting its code or functionality, so the file appears benign to security detectors. There is also a fourth file (muser) designed to open a backdoor for the attackers (TeamTNT). The script erases the host’s cron jobs and schedules the muser file to execute via a cron that is mounted from the host.\r\nLoading and executing the payload in memory\r\nAs mentioned above, both files, sbin and traband, decrypt and execute their payload from memory during runtime.\r\nThe file ‘traband’\r\nFirst, ‘traband’ is unpacked and the decrypted binary payload is written to and executed from memory. We then see an execve() syscall from memory running a process named kthreadd; this is actually a rootkit that uses LD_PRELOAD to hide all processes related to kthreadd.\r\nMoreover, the ELF binary is also executed from memory. VirusTotal classifies it as Tsunami malware (MD5=48c056a1bf908a424d472f121ccaf44b), which is often used in TeamTNT’s other campaigns. Tsunami malware enables a remote attacker to download files and execute shell commands on an infected host. In addition, the attacker can launch a denial-of-service attack from the infected host. 
Lastly, Tsunami connects over the IRC protocol to 164[.]68[.]106[.]96[:]6697, which serves as TeamTNT’s C2 server (ircbd[.]anondns[.]net / irc[.]teamtnt[.]red).\r\nThe file ‘sbin’\r\nThe file sbin is executed and the binary payload is written to and executed from memory. Following that, we see indications of an unpacking process and another execve() syscall with kthreadd as argv. The same name is used for both executed binaries so that their processes are hidden with the help of the rootkit. The code is base64-encoded and is decoded and executed during runtime. The decoded base64 output is written to disk as a tar archive, kube.tar.gz. Once extracted, the result is the file kube, the Tsunami malware (MD5=df386df8c8a376686f788ceff1216f11).\r\nWe see another execve() syscall that executes a crypto miner from memory. Lastly, we see a connection to a mining pool (gulf[.]moneroocean[.]stream / 18[.]210[.]126[.]40).\r\nIn Summary\r\nThe first attacks in containers involved running a simple mining command or an unsophisticated attempt to break out of the container to the host. Now, for the first time, we see a fileless attack in a container, using a rootkit to hide its traces, stealthily mining cryptocurrency, and opening a backdoor for the attackers.\r\nThese new and daring attacks emphasize the importance of putting better and stronger solutions in the defender’s toolbox. Below are a few recommendations; practiced together, they can help protect you against these kinds of attacks:\r\n1. Scan all images that you use, make sure you are familiar with them and their purpose, and use minimal privileges, such as avoiding the root user and privileged mode. Use a static vulnerability scanner such as Trivy (open source).\r\n2. Use Tracee (open source) to detect suspicious or abnormal processes running in your environment, and dynamically scan using DTA to safely discover malware in images before deploying.\r\n3. 
Investigate logs, particularly around user actions, and look for anomalous actions.\r\n4. Form a security strategy to better enforce your policies and consider using advanced cloud security tools to improve security coverage.\r\nMITRE ATT\u0026CK Framework\r\nIndicators of Compromise (IOCs)\r\nContainer Images\r\nlifengyi1323/simple:latest\r\nlifengyi1323/speedrun:latest\r\nlifengyi1323/monkey:latest\r\nlifengyi1323/bindoc:latest\r\nlifengyi1323/kubeconfig:latest\r\nlifengyi1323/traband:latest\r\nBinaries\r\nThe file ‘usr/bin/xmrig’ (MD5=5888e17810aa1846c0c013804e181624) was detected in container image ‘lifengyi1323/simple’\r\nThe in-memory file (MD5=e01d8a1656e41ec3b7de722424286ce9) was detected in runtime memory while running ‘lifengyi1323/simple’\r\nThe file ‘root/sbin’ (MD5=f42be0d5a0da02a4d6bfc95b62d1838e) was detected in container image ‘lifengyi1323/bindoc’\r\nThe file ‘root/xmrig’ (MD5=91a915ce774a9103c17e2786fb6d7424) was detected in container image ‘lifengyi1323/kubeconfig’\r\nThe in-memory file (MD5=d180c45a49e3d338c4cd7fb1781453d7) was detected in runtime memory while running ‘lifengyi1323/kubeconfig’\r\nDomains / IP Addresses\r\nircbd[.]anondns[.]net\r\nirc[.]teamtnt[.]red\r\n164[.]68[.]106[.]96\r\nIdan Revivo\r\nIdan is the Head of Security Research at Aqua Security. He manages a team of researchers who are focused on threat hunting and vulnerability research in containers, serverless, and cloud native technologies.\r\nAssaf Morag\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence related to the software development life cycle in cloud native environments, supports the team's data needs, and helps Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. 
His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf leads an O’Reilly course focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://blog.aquasec.com/fileless-malware-container-security",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.aquasec.com/fileless-malware-container-security"
	],
	"report_names": [
		"fileless-malware-container-security"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f73917df793bd34ba6ffde21ab5169fc2f95d941.pdf",
		"text": "https://archive.orkl.eu/f73917df793bd34ba6ffde21ab5169fc2f95d941.txt",
		"img": "https://archive.orkl.eu/f73917df793bd34ba6ffde21ab5169fc2f95d941.jpg"
	}
}