I’m thrilled to sit down with Rupert Marais, our in-house security specialist with extensive expertise in endpoint and device security, cybersecurity strategies, and network management. Today, we’re diving into the evolving landscape of cyber threats, focusing on a newly discovered TOR-based cryptojacking attack targeting Docker APIs and a separate campaign abusing AWS SES for phishing. Our conversation explores how these sophisticated attacks operate, the innovative tactics cybercriminals are using to stay hidden, the potential future risks they pose, and critical steps organizations can take to protect themselves in an increasingly complex digital environment.
Can you walk us through the mechanics of this new TOR-based cryptojacking attack targeting Docker APIs?
Absolutely, Russell. This attack starts with attackers exploiting misconfigured Docker APIs, which are often left exposed on the internet without proper security controls. Once they gain access, they create a new container using the Alpine Docker image and mount the host file system into it. This gives them a foothold to execute malicious payloads, like downloading scripts from hidden .onion domains via the TOR network. From there, they install tools to scan for other vulnerable systems and deploy cryptocurrency miners, while also setting up persistence mechanisms to maintain access.
What sets this attack apart from earlier cryptojacking campaigns targeting Docker instances?
Compared to previous campaigns, like the one reported a few months back in June 2025, this variant seems to have a broader endgame. While the core tactic of deploying an XMRig miner remains, the attackers are using similar but updated tooling and appear to be laying the groundwork for a potential botnet. This shift in intent raises the stakes, as a botnet could be used for more destructive activities beyond mining, like launching DDoS attacks or stealing sensitive data.
How does the TOR network play a role in keeping this attack under wraps?
The TOR network is crucial for the attackers’ anonymity. By using .onion domains to download scripts and binaries, they hide their infrastructure from traditional monitoring tools. This setup makes it incredibly hard for security teams to trace the origin of the attack or block the malicious traffic, as TOR encrypts and routes communications through multiple layers, effectively shielding the attackers’ command-and-control servers.
Can you explain what happens after the attackers set up a new container in the compromised system?
Once the container is up and running, they leverage the host file system to gain deeper access to the infected machine. They then download a Base64-encoded payload, typically a shell script from a .onion domain, which acts as a downloader for additional malicious components. This payload often includes a cryptocurrency miner, but it also installs tools for reconnaissance and propagation, enabling the attackers to spread the infection to other vulnerable systems.
The attack involves installing tools like Masscan and torsocks. What’s their purpose in this scheme?
Masscan is a high-speed scanning tool that attackers use to scour the internet for other exposed Docker API services, typically on port 2375. It helps them identify new targets to propagate the infection. Torsocks, on the other hand, allows the malware to communicate with the command-and-control server over the TOR network, masking the traffic and making it difficult for defenders to intercept or block the communication.
There’s mention of the malware scanning for ports like 23 for Telnet and 9222 for Chromium debugging. Why are these ports significant?
These ports indicate the attackers’ potential future plans. Port 23, used for Telnet, is often targeted on routers or IoT devices with weak or default credentials, allowing attackers to brute-force their way in and possibly exfiltrate login details. Port 9222, associated with remote debugging for Chromium browsers, could be exploited to access active browser sessions, steal cookies, or extract sensitive data. While these capabilities aren’t fully active in this campaign, their presence in the code suggests the attackers might be preparing for more advanced attacks down the line.
Switching gears, let’s talk about the AWS SES abuse campaign for phishing. How are attackers exploiting this service?
In this campaign, attackers use compromised AWS access keys to infiltrate a victim’s environment and manipulate the Simple Email Service, or SES. They bypass built-in restrictions, verify new sender identities, and send out mass phishing emails that appear legitimate because they come from trusted domains. These emails often use lures like tax-related scams to trick recipients into visiting credential-harvesting sites, posing a significant risk to both individuals and organizations.
What can organizations do to safeguard against threats like these, whether it’s cryptojacking via Docker APIs or phishing through cloud services?
The key is adopting a layered security approach. For Docker APIs, organizations must ensure they’re not exposed to the internet and are properly configured with strong access controls. Network segmentation can limit the damage if a breach occurs. For cloud services like AWS SES, securing access keys is critical—avoid storing them in public repositories and use multi-factor authentication wherever possible. Regular monitoring for unusual activity and educating employees about phishing tactics are also essential to reduce the risk of falling victim to these attacks.
Looking ahead, what’s your forecast for the evolution of cryptojacking and cloud-based attacks in the coming years?
I expect these threats to become even more sophisticated. With cryptojacking, we’re likely to see attackers integrating more multi-purpose malware, turning infected systems into parts of larger botnets for various malicious activities beyond mining. As for cloud-based attacks, the abuse of services like AWS SES will probably grow as more businesses migrate to the cloud, providing attackers with a larger attack surface. We’ll need to stay proactive with security measures, leveraging AI-driven threat detection and emphasizing zero-trust architectures to keep pace with these evolving risks.
