Cyber Security News

New Malware Hijacking Docker Images with Unique Obfuscation Technique

A newly discovered malware campaign is targeting Docker environments, employing a sophisticated, multi-layered obfuscation technique to evade detection and hijack compute resources for cryptojacking.

Security researchers from Darktrace and Cado Security Labs have analyzed this campaign, revealing both the technical ingenuity of the attackers and the growing risks facing containerized infrastructure.

Docker: A Prime Target for Malware

Docker, the leading containerization platform, is increasingly targeted by cybercriminals due to its widespread adoption and the ease with which containers can be deployed from public registries.

Attackers exploit misconfigured or exposed Docker services to launch malicious containers, often using images hosted on Docker Hub.

The campaign begins with a request to an exposed Docker daemon to run a container from Docker Hub, specifically the kazutod/tene:ten image.

This container is designed to execute a Python script, ten.py, which is embedded within the image layers. The analysts used Docker's built-in tooling to extract the image contents and examine the script, uncovering a complex obfuscation scheme.

The obfuscation works as follows:

  • The ten.py script defines a lambda function that reverses a base64-encoded string, decodes it, decompresses it using zlib, and then executes the resulting code.
  • This process repeats: the decoded payload is itself another call to the same decode function, each time passing a new obfuscated string.
  • Analysts found it took 63 iterations of this decoding loop to finally reveal the actual malicious code.

This deep layering of obfuscation is unusual. A single round of obfuscation is typically enough to defeat signature-based detection, so the attacker's use of dozens of layers appears intended to frustrate human analysts and automated tools alike.

Despite the effort, researchers were able to automate the de-obfuscation process and extract the final payload within minutes.
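The following is an added example, not code from the article, from Darktrace or Cado, or from the malware itself. It reproduces the loader shape the article describes (a lambda that reverses its argument, base64-decodes it, zlib-decompresses it and exec()s the result) to build a 63-layer sample around a harmless constructed stand-in for the final stage, and then peels the layers statically with the ast module so that no stage is ever executed. The variable names `_` and `__` and the `import base64, zlib` header are assumptions about what such a loader looks like; the real ten.py is not reproduced.

```python
import ast
import base64
import zlib

# Constructed stand-in for the innermost stage. The real ten.py payload is not
# reproduced here; any Python source would do for demonstrating the peeler.
FINAL_STAGE = "print('final stage reached')\n"


def wrap_layer(code: str) -> str:
    """Wrap `code` in one loader layer of the shape the article describes.

    Names `_` / `__` and the import line are assumptions; only the
    reverse -> base64 -> zlib -> exec chain comes from the article.
    Used only to build a sample to analyze.
    """
    blob = base64.b64encode(zlib.compress(code.encode())).decode()[::-1]
    return (
        "import base64, zlib\n"
        "_ = lambda __: exec(zlib.decompress(base64.b64decode(__[::-1])))\n"
        f"_('{blob}')\n"
    )


def build_sample(payload: str, layers: int) -> str:
    """Nest `payload` inside `layers` loader layers."""
    src = payload
    for _ in range(layers):
        src = wrap_layer(src)
    return src


def _is_loader_lambda(node: ast.AST) -> bool:
    """True if `node` is a lambda whose body calls exec, zlib.decompress
    and base64.b64decode (the decode-and-run chain)."""
    if not isinstance(node, ast.Lambda):
        return False
    seen = {ast.unparse(n) for n in ast.walk(node.body)
            if isinstance(n, (ast.Name, ast.Attribute))}
    return {"exec", "zlib.decompress", "base64.b64decode"} <= seen


def peel_layer(src: str):
    """Return the decoded inner stage of one loader layer, or None if `src`
    is not a loader layer. The source is parsed, never executed, so the
    payload's side effects are never triggered during analysis."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return None
    # 1. find names bound to a decode-and-run lambda
    loaders = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_loader_lambda(node.value):
            loaders.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # 2. find the call that feeds a string literal to such a name and decode
    #    that literal ourselves (reverse, base64, zlib) instead of exec()ing
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in loaders and len(node.args) == 1
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            blob = node.args[0].value
            return zlib.decompress(base64.b64decode(blob[::-1])).decode()
    return None


def deobfuscate(src: str, max_layers: int = 1000):
    """Peel loader layers until the innermost stage is reached.
    Returns (final_source, layer_count)."""
    layers = 0
    while (inner := peel_layer(src)) is not None:
        layers += 1
        if layers > max_layers:
            raise RuntimeError("too many layers; refusing to continue")
        src = inner
    return src, layers


if __name__ == "__main__":
    sample = build_sample(FINAL_STAGE, 63)
    final, n = deobfuscate(sample)
    print(f"peeled {n} layers; final stage:\n{final}")
```

The point of the ast-based approach is that the decode chain is recovered from the structure of each stage rather than by running it; a loop that simply replaced exec with print would still execute any code the attacker placed outside the lambda. The layer cap guards against a sample engineered to loop forever.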

A New Approach to Cryptojacking

Unlike traditional cryptojacking malware, which drops a miner such as XMRig to mine cryptocurrency directly, this campaign monetizes the compromised host differently.

The de-obfuscated code connects to teneo.pro, a legitimate Web3 startup that operates a decentralized social media data network.

By running a node and sending continuous “keep-alive” pings, the malware earns “Teneo Points”—private crypto tokens awarded for uptime and activity on the network.

Notably, the malware does not perform any actual data scraping, as the legitimate node software would. Instead, it simply simulates activity to maximize token rewards.

This method allows attackers to profit without triggering the high resource usage or network anomalies typical of traditional mining operations.

According to the researchers' report, this campaign highlights a broader trend: attackers are shifting away from well-known mining tools, which are easily detected, toward abusing legitimate decentralized platforms and their reward systems.

The closed nature of these private tokens makes it difficult to track or quantify the attackers’ profits.

Security experts emphasize that Docker environments remain highly attractive targets and urge organizations to:

  • Avoid exposing Docker services to the internet unless absolutely necessary.
  • Require authentication on the Docker API (for remote access, Docker's mechanism is mutual TLS) and use firewall rules to restrict who can reach it.
  • Regularly audit and monitor container activity for anomalies.
  • Pull images only from trusted sources and scan them for malware before running them.
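The exposed daemon that makes the initial "run this image" request possible is usually a daemon.json (or dockerd -H flag) that listens on tcp:// without TLS client verification. The following is an added example, not from the article or from Docker's own tooling: it places a constructed exposed configuration beside a hardened one and audits both using the real daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey). The certificate paths and the 10.0.0.5 bind address are illustrative assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json samples (not taken from the article). The first is
# the classic exposed setup: the unencrypted, unauthenticated API on every
# interface, which lets anyone who can reach port 2375 launch containers.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: bound to one management address, and clients must present a
# certificate signed by the CA in tlscacert. Paths and address are assumed.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Bind addresses that expose the listener on all interfaces.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text: str):
    """Return a list of (severity, message) findings for a daemon.json document.

    Only tcp:// listeners are remotely reachable, so unix:// entries are
    skipped; each tcp:// entry is checked for client-certificate
    verification and for a wildcard bind.
    """
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        if not cfg.get("tlsverify"):
            findings.append(("critical",
                             f"{host}: remote API without tlsverify; anyone "
                             "who can reach the port can run containers as root"))
        else:
            missing = [k for k in TLS_MATERIAL if not cfg.get(k)]
            if missing:
                findings.append(("high",
                                 f"{host}: tlsverify set but {', '.join(missing)} "
                                 "not configured; the daemon will not start"))
        if (parts.hostname or "") in WILDCARD_BINDS:
            findings.append(("high",
                             f"{host}: bound to all interfaces; bind to a "
                             "management address and firewall it"))
    return findings


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
```

One operational caveat when moving hosts into daemon.json on a systemd-managed install: the packaged unit file passes its own -H flag to dockerd, and the daemon refuses to start when the listener is set in both places, so the flag has to be dropped from the unit (or the hosts key left out of the file) before restarting.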

As attackers continue to innovate, defenders must stay vigilant and adapt their security practices to protect containerized infrastructure from increasingly sophisticated threats.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
