WatchDog Hacking Group

A new cryptojacking campaign has been started by the WatchDog hacker group. This malicious cryptojacking campaign consists of the following elements:-

  • Advanced techniques for intrusion
  • Worm-like propagation
  • Evasion of security software

In addition, the group has the ability to pivot from one compromised machine to an entire network in just a matter of moments and can target exposed Docker Engine API endpoints and exposed Redis servers.

Using the computational resources of poorly secured servers, the threat actors aim to generate profit through the mining of cryptocurrencies.

It has been reported that researchers at Cado Labs saw an escalation in hacking activity using distinctive tactics employed by the threat actor, and attributed it to WatchDog.

Attack Lifecycle

Using an open port 2375, WatchDog exploits misconfigured Docker Engine API endpoints in order to launch the attacks. Once the daemon is injected they can access any other daemon that is connected to the port.

It’s then possible for WatchDog to list or modify containers and run any arbitrary shell commands on those containers from there.

Using a command hijacking technique, this script uses the ps command to run a shell script to hide the contents of the process. Furthermore, it is able to mislead forensic experts by manipulating logs from shell executions in order to alter the timestamps.

On the compromised machine, a mining payload called XMRig is dropped, and a systemd service for persistence is added. It is imperative that the account that the hackers are using has root privileges in order for all of this to occur.

As part of the third-stage payload, the following elements were included: 

  • zgrab
  • masscan
  • pnscan 

In order to find valid pivoting points in the network and to download the final two scripts (“” and “”) responsible for propagating the algorithms, these three elements are used.


Several of WatchDog’s scripts include references to TeamTNT, a hacking group that WatchDog does not mention in its script. As a result of this, WatchDog appears to have stolen these tools from TeamTNT.

Cado highlights several areas where WatchDog’s campaign for 2021 has strong correlations with the current one. This is because the operators for mining Monero use the same wallet address for storing Monero.

Apart from this, Cado Security’s unique attribution data-enabled Cado Security to conclude that the actors avoided using Golang payloads, and it’s another attribution clue that has been provided.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.