Commando Cat cryptojacking attack targets Docker remote API servers

Trend Micro's threat intelligence team has uncovered a sophisticated attack campaign targeting exposed Docker remote API servers to deploy cryptocurrency miners. Named “Commando Cat,” this campaign has been active since the beginning of 2024 and employs a series of steps to infiltrate systems and leverage their resources for mining digital currencies.

The attack is initiated by deploying benign containers generated using the Commando project, an open-source GitHub initiative designed to create Docker images on-demand for developers. The attackers utilize cmd.cat, a service associated with Commando, to deploy a seemingly harmless Docker image (cmd.cat/chattr).

Upon deployment, the threat actors exploit the cmd.cat/chattr container to create a new Docker container. Using the chroot command, they manage to escape the container's environment and gain access to the host operating system. This allows the attackers to perform further actions on the compromised system, including downloading a malicious binary via curl or wget.

Once the binary is in place, the threat actors establish control of the host and deploy cryptocurrency mining software. The malware can be identified through several indicators: specific User-Agent strings and the use of DropBear SSH on TCP port 3022 are key signs of this malicious activity.
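The following is an added example, not code from the Trend Micro report or the Commando project, showing how a defender might audit Docker Engine API activity and host listeners for the indicators described above. The log layout (source address, method, path, JSON body) and all sample records are constructed assumptions; the check for a host root bind mount rests on the assumption that the chroot escape requires the host filesystem to be mounted into the container.

```python
"""Audit Docker Engine API container-create requests and host listeners for
indicators of the Commando Cat campaign. All sample data below is constructed."""
import ipaddress
import json

# Constructed sample: records as a reverse proxy or audit log in front of the
# Docker daemon might store them (the field layout is an assumption).
SAMPLE_REQUESTS = [
    {"src": "127.0.0.1", "method": "POST", "path": "/v1.44/containers/create",
     "body": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"],
              "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}},
    {"src": "203.0.113.7", "method": "POST", "path": "/v1.44/containers/create",
     "body": {"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/host", "sh"],
              "HostConfig": {"Binds": ["/:/host"]}}},
]

# Constructed sample of listening sockets, as `ss -ltnp` might report them.
SAMPLE_LISTENERS = [
    {"proto": "tcp", "port": 22, "process": "sshd"},
    {"proto": "tcp", "port": 3022, "process": "dropbear"},
]


def is_host_root_bind(bind: str) -> bool:
    """True when a HostConfig.Binds entry mounts the host root filesystem."""
    host_path = bind.split(":", 1)[0]
    return host_path == "/"


def audit_create_request(req: dict) -> list:
    """Return a list of findings for one container-create request."""
    findings = []
    if not req["path"].endswith("/containers/create"):
        return findings
    # Any container creation arriving over the remote API from a non-loopback
    # address means the daemon socket is reachable from the network.
    src = ipaddress.ip_address(req["src"])
    if not src.is_loopback:
        findings.append(f"container create over remote API from {src}")
    body = req.get("body", {})
    image = body.get("Image", "")
    if image.startswith("cmd.cat/"):
        findings.append(f"image sourced from cmd.cat: {image}")
    binds = body.get("HostConfig", {}).get("Binds") or []
    if any(is_host_root_bind(b) for b in binds):
        findings.append("host root filesystem bind-mounted into container")
    cmd = body.get("Cmd") or []
    if "chroot" in cmd:
        findings.append("container command invokes chroot")
    return findings


def audit_listeners(listeners: list) -> list:
    """Flag DropBear-style listeners on TCP 3022, the port named in the report."""
    return [f"{lst['process']} listening on {lst['proto']}/{lst['port']}"
            for lst in listeners
            if lst["proto"] == "tcp" and lst["port"] == 3022]


def run_audit(requests=SAMPLE_REQUESTS, listeners=SAMPLE_LISTENERS) -> dict:
    """Run both audits and return a structured report."""
    report = {"requests": [], "listeners": audit_listeners(listeners)}
    for index, req in enumerate(requests):
        findings = audit_create_request(req)
        if findings:
            report["requests"].append({"index": index, "findings": findings})
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

In the sample data only the second request is flagged, on all four checks, and the 3022 listener is reported. The first mitigation remains not exposing the daemon's TCP socket at all, or exposing it only behind TLS client-certificate authentication (`dockerd --tlsverify`); the audit above is a detective control for hosts where that has not been done.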
