TechFlow, May 29 — According to Coindesk, a new Linux malware is attacking unprotected Docker infrastructures worldwide, turning exposed servers into nodes on Dero's decentralized mining network. The malware exploits publicly exposed Docker APIs via port 2375, deploying two Golang-based implants: one disguised as the legitimate web server software "nginx," and another named "cloud" dedicated to mining.
Once infected, nodes autonomously scan the internet for new targets and deploy infected containers without requiring a central command server. As of early May, over 520 Docker APIs globally were publicly exposed via port 2375, making them potential attack targets. Research indicates that the wallet and node infrastructure used in this campaign match those previously seen in attacks against Kubernetes clusters in 2023 and 2024.




