By Abdul Wasay ⏐ 3 months ago ⏐ 2 min read
Hackers Exploit Docker APIs Using Tor to Build Self-Propagating Botnet

Cybersecurity researchers have discovered a sophisticated new attack campaign exploiting exposed Docker APIs and hiding its tracks through the Tor network.

The attack, first flagged by Trend Micro and further analyzed by Akamai, marks a significant evolution from earlier cryptomining malware. This new campaign installs persistent malware, takes control of compromised Docker hosts, and even blocks administrators from regaining access.

How the Tor Attack Works

The attackers scan the internet for unprotected Docker APIs listening on port 2375. Once they find a target, they deploy a modified Alpine Linux container that installs key utilities such as curl and tor. The container then launches a Tor daemon and verifies connectivity by querying an IP-lookup service through a SOCKS5 proxy.

After connecting, it downloads a second-stage shell script called docker-init.sh, which adds the attacker’s SSH key to the host’s root account and creates a cron job that, every minute, blocks further external access to the vulnerable port.

This move effectively locks out administrators while maintaining persistent attacker access. The malware also downloads tools like masscan, zstd, libpcap, and torsocks to enable further scanning and propagation. A Go-based binary is then retrieved, decompressed, and executed, which unpacks an additional malicious payload and scans for logged-in users.

A Growing, Self-Spreading Botnet

Once active, the malware begins scanning for other vulnerable Docker APIs, spreading itself to new targets in botnet-like fashion. It also removes containers deployed by competing attackers, consolidating control of infected systems. Researchers found dormant code within the malware that could enable Telnet exploitation, Chrome session hijacking, and even distributed denial-of-service (DDoS) attacks in the future, indicating that this campaign may just be the beginning of a much larger botnet operation.

The exposed Docker API attack is a serious warning for enterprises running containerized infrastructure. By leveraging Tor, the attackers mask their identities and make attribution far more difficult.

Security experts urge administrators to secure Docker APIs immediately by disabling remote access on public networks, enforcing least-privilege policies, and actively monitoring for suspicious activity or new administrator accounts.
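As an added example (not from the article or the cited research), the following Python audit checks a Docker host for the three artifacts described above: an API bound to a TCP socket without TLS verification, an unexpected key in root's authorized_keys, and an every-minute cron job touching port 2375. The file contents are constructed inline; the file paths named in the comments and the sample iptables syntax are assumptions.

```python
import json

# Key types accepted by OpenSSH; options such as command="..." may precede them.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def exposed_docker_hosts(daemon_json):
    """Return 'hosts' entries (from /etc/docker/daemon.json, assumed path) that
    bind the API to TCP while tlsverify is off: the exposure the campaign scans for."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return [] if cfg.get("tlsverify") else tcp

def unknown_root_keys(authorized_keys, baseline):
    """Return 'type blob' pairs from root's authorized_keys (assumed path
    /root/.ssh/authorized_keys) absent from the approved baseline.
    Comments are ignored so a friendly label cannot disguise a foreign key."""
    found = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        key = f"{parts[idx]} {parts[idx + 1]}"
        if key not in baseline:
            found.append(key)
    return found

def suspicious_cron(crontab):
    """Return cron lines scheduled every minute whose command mentions port 2375."""
    hits = []
    for line in crontab.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[:5] == ["*"] * 5 and "2375" in fields[5]:
            hits.append(line)
    return hits

def audit(daemon_json, authorized_keys, baseline, crontab):
    """Collect all findings; an empty dict means none of the three indicators fired."""
    findings = {
        "exposed_api": exposed_docker_hosts(daemon_json),
        "unknown_root_keys": unknown_root_keys(authorized_keys, baseline),
        "suspicious_cron": suspicious_cron(crontab),
    }
    return {k: v for k, v in findings.items() if v}

# Constructed sample inputs standing in for the real files on a host.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
ROOT_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@bastion\n"
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedForeignKey admin@bastion\n")
BASELINE = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey"}
CRONTAB = ("*/5 * * * * /usr/local/bin/backup.sh\n"
           "* * * * * iptables -I INPUT -p tcp --dport 2375 -j DROP\n")

if __name__ == "__main__":
    print(json.dumps(audit(DAEMON_JSON, ROOT_KEYS, BASELINE, CRONTAB), indent=2))
```

Feed the real file contents in place of the constructed strings and run it from a host-inventory or cron job of your own; any non-empty result warrants an incident-response look rather than a quiet cleanup.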

As containerization becomes the backbone of modern cloud computing, attacks like this highlight the urgent need for stronger security practices. Left unchecked, campaigns like this could compromise critical workloads and enable large-scale botnets capable of launching devastating attacks.