Monday, May 12, 2025
HomeBotnetHackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Published on

SIEM as a Service

Follow Us on Google News

Attackers are exploiting publicly exposed Docker Remote API servers to deploy Gafgyt malware by creating a Docker container using a legitimate “alpine” image to deploy the malware and infect the victim system with Gafgyt botnet malware

It allows attackers to launch DDoS attacks on targeted servers, as this shift in the Gafgyt malware’s target range from IoT devices to Docker servers highlights the growing threat of cyberattacks targeting exposed infrastructure. 

Container create request along with botnet deployment

An attacker exploited a vulnerability by creating a Docker container with the Alpine image and mounting the host’s root directory to the container’s /mnt directory, which allowed the attacker to elevate privileges and gain control over the host system. 

- Advertisement - Google News

They then downloaded and executed the Gafgyt botnet binary, “rbot,” which contained hardcoded command-and-control server information, enabling remote control of the compromised system. 

C&C server address

The malicious bot, upon successful communication with the C2C&C server, initiates a multifaceted DDoS attack leveraging UDP, TCP, and HTTP protocols. Concurrently, it attempts to deploy a new botnet binary, “atlas.i586,” on the compromised system.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

This deployment strategy involves exploiting elevated privileges through chroot and bind commands, while the specific purpose of the “0day” argument remains unclear, though it’s speculated to be a configuration parameter for the botnet’s operation.

Container create request along with another botnet binary deployment

Different DDoS attack protocols, such as UDP, ICMP, HTTP, and SYN, are utilized by the bot, which is controlled by a command and control server, in order to disrupt target systems. 

To identify the victim’s local IP address, it queries Google’s DNS server (8.8.8.8) and extracts the source IP from the socket used for the query, which is then used to tailor the DDoS attacks, potentially making them more effective and harder to trace.

The attacker attempts to deploy a Gafgyt botnet variant after a failed container deployment by exploiting a vulnerability during Docker container creation to run a shell script named “cve.sh.” 

Contents of cve.sh shell script

It retrieves botnet binaries for different architectures from the attacker’s C&C server, as the downloaded binaries all share a hardcoded command and control server address, indicating a coordinated botnet attack. 

According to Trend Micro, to safeguard Docker Remote API servers, enforce robust access controls and authentication and proactively monitor for anomalies and swiftly respond to suspicious activity. 

Prioritize container security by avoiding privileged mode and scrutinizing images and configurations. Empower personnel with security awareness training and stay updated on security patches. 

Make sure that security policies and procedures are constantly being reviewed and improved so that they remain in line with industry standards.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection

Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...