Commando Cat cryptojacking attack targets Docker remote API servers

Trend Micro's threat intelligence team has uncovered a sophisticated attack campaign targeting exposed Docker remote API servers to deploy cryptocurrency miners. Named “Commando Cat,” this campaign has been active since the beginning of 2024 and employs a series of steps to infiltrate systems and leverage their resources for mining digital currencies.

The attack is initiated by deploying benign containers generated using the Commando project, an open-source GitHub initiative designed to create Docker images on-demand for developers. The attackers utilize cmd.cat, a service associated with Commando, to deploy a seemingly harmless Docker image (cmd.cat/chattr).

Upon deployment, the threat actors exploit the cmd.cat/chattr container to create a new Docker container. Using the chroot command, they manage to escape the container's environment and gain access to the host operating system. This allows the attackers to perform further actions on the compromised system, including downloading a malicious binary via curl or wget.

Once the binary is in place, the threat actors proceed to establish control and deploy cryptocurrency mining software. The presence of the malware can be identified through several indicators; in particular, specific User-Agent strings and the use of DropBear SSH on TCP port 3022 are key signs of this malicious activity.
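The following script is an added example, not part of the original article and not Trend Micro's tooling. It turns the indicators described above into a host-side audit: it reads the JSON that `docker inspect` prints and the text that `ss -ltnp` prints, flagging containers built from cmd.cat images, a chroot that has the host filesystem within reach, DropBear SSH listening on TCP 3022, and a Docker remote API listening without TLS on the conventional plaintext port 2375. Both input samples are constructed for the demonstration. The escape check assumes the host root was bind-mounted into the container (or the container is privileged), which is what makes a chroot into the host possible.

```python
"""Audit a Docker host for Commando Cat style indicators (added example)."""
import json

SUSPICIOUS_IMAGE_PREFIXES = ("cmd.cat/",)
DROPBEAR_PORT = 3022          # DropBear SSH port named in the write-up
DOCKER_PLAIN_API_PORT = 2375  # conventional non-TLS Docker remote API port
LOOPBACK = ("127.", "[::1]")


def audit_container(record):
    """Return finding strings for one record from `docker inspect`."""
    findings = []
    name = record.get("Name", "?")
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}

    image = cfg.get("Image", "")
    if image.startswith(SUSPICIOUS_IMAGE_PREFIXES):
        findings.append(f"{name}: image {image} served from cmd.cat")

    # Docker stores the command as Entrypoint + Cmd; join them to scan.
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    uses_chroot = "chroot" in " ".join(argv).split()

    # chroot only reaches the host when the host filesystem is mounted
    # into the container or the container runs privileged (assumption).
    binds = host.get("Binds") or []
    host_root = any(b.split(":", 1)[0] == "/" for b in binds)
    privileged = bool(host.get("Privileged"))
    if host_root:
        findings.append(f"{name}: host root bind-mounted ({', '.join(binds)})")
    if privileged:
        findings.append(f"{name}: privileged container")
    if uses_chroot and (host_root or privileged):
        findings.append(f"{name}: chroot with host access, likely container escape")
    elif uses_chroot:
        findings.append(f"{name}: chroot in container command line")
    return findings


def audit_listeners(ss_output):
    """Return findings for suspicious listeners in `ss -ltnp` output."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        local = fields[3]
        addr, port = local.rsplit(":", 1)
        port = int(port)
        proc = fields[5] if len(fields) > 5 else ""
        if port == DROPBEAR_PORT or "dropbear" in proc:
            findings.append(f"listener {local} ({proc}): DropBear SSH on TCP {port}")
        if port == DOCKER_PLAIN_API_PORT and not addr.startswith(LOOPBACK):
            findings.append(f"listener {local} ({proc}): Docker remote API exposed without TLS")
    return findings


def audit(inspect_json, ss_output):
    """Combine container and listener findings for one host."""
    findings = []
    for record in json.loads(inspect_json):
        findings.extend(audit_container(record))
    findings.extend(audit_listeners(ss_output))
    return findings


# Constructed sample input: one benign web container and one container
# in the shape the write-up describes (cmd.cat image, host root mounted,
# chroot into it). Not real inspect output from any incident.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25", "Entrypoint": ["/docker-entrypoint.sh"],
                "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/chattr",
     "Config": {"Image": "cmd.cat/chattr", "Entrypoint": None,
                "Cmd": ["sh", "-c", "chroot /host /bin/sh"]},
     "HostConfig": {"Privileged": False, "Binds": ["/:/host"]}},
])

# Constructed `ss -ltnp` output: normal sshd, DropBear on 3022, and the
# Docker daemon listening on all interfaces on the plaintext API port.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:3022 0.0.0.0:* users:(("dropbear",pid=4321,fd=4))
LISTEN 0 4096 *:2375 *:* users:(("dockerd",pid=601,fd=9))
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT, SAMPLE_SS):
        print(finding)
```

On a live host the two inputs come from `docker inspect $(docker ps -q)` and `ss -ltnp`; the benign nginx container produces no findings, while the cmd.cat container yields three (image source, host root mount, chroot with host access) and the socket listing yields two (DropBear on 3022, Docker API on 2375 without TLS).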
