Self-Spreading Malware Turns Docker into Dero Botnet
A newly discovered malware strain is targeting misconfigured Docker API endpoints, transforming exposed containers into nodes of a growing botnet used to mine Dero cryptocurrency. The campaign is distinguished by its self-propagating, worm-like behavior, allowing the malware to autonomously spread to other vulnerable Docker instances without requiring manual intervention.
Security researchers at Kaspersky observed the activity and noted that the malware’s ability to replicate across containers significantly amplifies the threat, making it more difficult to contain. Once a container is infected, it is co-opted into a decentralized network designed to generate profit through unauthorized cryptocurrency mining operations.
The attacks exploit publicly accessible Docker APIs, underscoring the risks of leaving container environments improperly secured. Dero, a privacy-focused cryptocurrency, is favored by threat actors for its anonymity features, which complicate efforts to trace illicit gains. The scope and origin of the campaign remain unknown, but the self-spreading nature suggests a deliberate effort to expand rapidly across cloud infrastructure.
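A defender-side check for the misconfiguration described above, as an added example that is not from Kaspersky's research or the original article: it reads the text of a Docker `daemon.json` and classifies each configured API listener. The sample configurations are constructed, and the function names and verdict labels are chosen here for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from any real host).
PLAINTEXT = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
LOOPBACK = '{"hosts": ["tcp://127.0.0.1:2375", "tcp://[::1]:2375"]}'
HARDENED = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
            '"tlscacert": "/etc/docker/ca.pem"}')


def is_loopback(host):
    """True only when the bind address is provably loopback."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or DNS name: assume it may be reachable


def audit_daemon_config(text):
    """Return (listener, verdict) for every entry in the "hosts" array."""
    cfg = json.loads(text)
    # Only "tlsverify" makes the daemon require a client certificate;
    # "tls" alone encrypts the channel but authenticates no caller.
    client_auth = cfg.get("tlsverify") is True
    results = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            verdict = "not-tcp"                   # e.g. unix:// or fd://
        elif client_auth:
            verdict = "mutual-tls"
        elif is_loopback(url.hostname or ""):
            verdict = "unauthenticated-loopback"  # local processes only
        else:
            verdict = "EXPOSED"                   # anyone who can route here
        results.append((listener, verdict))
    return results


if __name__ == "__main__":
    for name in ("PLAINTEXT", "TLS_ONLY", "LOOPBACK", "HARDENED"):
        print(name, audit_daemon_config(globals()[name]))
```

Listeners can also be set with `dockerd -H` flags, for example in a systemd unit, which this check does not read.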
