Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 327, Issue 3IT Vendor NewsTrend Micro

Uncovering A Tor-Enabled Docker Exploit

Trend Micro, Wednesday, June 18th, 2025

A recent attack campaign took advantage of exposed Docker Remote APIs and used the Tor network to deploy a stealthy cryptocurrency miner. This blog breaks down the attack chain.

Cybercriminals have developed a clever new attack that combines Docker's remote API with the Tor anonymity network to secretly mine cryptocurrency on victim systems.

Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners. Notably, we observed the use of zstd, a tool based on the ZStandard algorithm known for its strong compression ratio and fast decompression speed.

Any organization using containerized applications is potentially vulnerable, but we're seeing particular activity targeting cloud-heavy sectors like technology companies, financial services, and healthcare organizations.

Trend Vision One detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on this attack.

more →  ·  More from Trend Micro →