Monday, May 5, 2025
New Malware Hijacks Docker Images Using Unique Obfuscation Technique

A recently uncovered malware campaign targeting Docker, which Darktrace's honeypot data ranks among the most frequently attacked services, shows an unusual level of sophistication in its obfuscation and cryptojacking methods.

The attack begins with a seemingly innocuous request to the exposed Docker API to launch a container from Docker Hub, specifically the kazutod/tene:ten image.

Sophisticated Attack Targets Docker Hub with Advanced Payload Hiding

By pulling the image and extracting its layers with Docker's built-in tools, analysts found that the container executes a Python script named ten.py.

Figure: Use of CyberChef to decode the ten.py script.

What sets this campaign apart is the obfuscation used to conceal the malicious payload inside that script.

The script uses a lambda that takes an encoded string, reverses it, base64-decodes it and zlib-decompresses the result, then hands the output to exec() as Python code.

That wrapping is repeated 63 times, so the real script only appears after every layer has been peeled back. The layering is most likely meant to defeat signature-based detection and to slow down any analyst trying to reverse-engineer it.
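The layering described above can be unwound statically, without ever running the script. The following is an added example (not the malware's code and not Darktrace's tooling): it builds a constructed sample wrapped the way the article describes (zlib, then base64, then reversed, inside an exec'd lambda), and a peeler that applies the inverse three operations to the longest string literal in each layer until the script stops looking like a wrapper. The exact text of the real wrapper is an assumption; the peeler keys on the operations, not on the spelling of the lambda.

```python
"""Static unwrapper for the reverse -> base64 -> zlib -> exec layering.
Added example; never calls exec(), so it is safe to run on hostile input."""
import ast
import base64
import binascii
import zlib


def wrap_layer(source: str) -> str:
    """Produce one obfuscation layer in the shape the article describes.
    Constructed sample: the real wrapper's exact text is assumed."""
    blob = base64.b64encode(zlib.compress(source.encode("utf-8")))[::-1]
    return ("exec((lambda _: __import__('zlib').decompress("
            "__import__('base64').b64decode(_[::-1])))(%r))" % blob)


def build_sample(final_payload: str, layers: int) -> str:
    """Wrap a benign payload `layers` times, like the 63-layer ten.py."""
    src = final_payload
    for _ in range(layers):
        src = wrap_layer(src)
    return src


def _longest_literal(source: str):
    """Return the longest str/bytes constant in the source. In a wrapper
    that is the encoded payload, however the surrounding lambda is written."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    best = None
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            if best is None or len(node.value) > len(best):
                best = node.value
    return best


def peel_once(source: str):
    """Return the next layer's source, or None if `source` is not a wrapper."""
    if not all(tok in source for tok in ("exec(", "b64decode", "decompress", "[::-1]")):
        return None
    blob = _longest_literal(source)
    if blob is None:
        return None
    if isinstance(blob, str):
        blob = blob.encode("ascii", "ignore")
    try:
        # Inverse of the wrapper: un-reverse, base64-decode, inflate.
        raw = zlib.decompress(base64.b64decode(blob[::-1], validate=True))
        return raw.decode("utf-8")
    except (binascii.Error, zlib.error, UnicodeDecodeError):
        return None


def peel_all(source: str, max_layers: int = 500):
    """Peel wrappers until the script stops looking like one.
    Returns (layer_count, innermost_source)."""
    layers, current = 0, source
    while layers < max_layers:
        nxt = peel_once(current)
        if nxt is None:
            break
        current, layers = nxt, layers + 1
    return layers, current


if __name__ == "__main__":
    sample = build_sample("print('innermost payload')", 63)
    depth, inner = peel_all(sample)
    print(depth, inner)
```

Because each layer is a self-contained Python expression, a plain regex on the literal would also work, but parsing with `ast` keeps the peeler indifferent to whitespace, quoting style or the order of the `__import__` calls, which is exactly what an obfuscator is likely to vary between samples. The `max_layers` bound guards against a decoy that decodes to itself forever.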

Cryptojacking Evolves with Decentralized Network Exploitation

Once the code is fully de-obfuscated, the malware's intent becomes clear: it connects to teneo[.]pro, a legitimate Web3 startup focused on decentralized data networks.

Teneo incentivizes users to join its network with “Teneo Points,” a private crypto token, in exchange for running nodes that scrape social media data.

Figure: Extraction of the resulting tar file.

The malware, however, never scrapes anything. It opens a websocket to the Teneo service and simply sends keep-alive pings, accumulating points that are credited per heartbeat rather than per unit of work.

This represents a shift from traditional cryptojacking tools like XMRig, which directly mine cryptocurrencies and are widely detected by security systems.

Instead, attackers are hijacking legitimate decentralized platforms for profit. The same pattern appears elsewhere on the attacker's Docker Hub profile, where similar containers run clients for other distributed networks such as Nexus.

How profitable this is remains unclear: private tokens are opaque and there is no public pricing data, with Teneo's token listed as "preview only" on CoinGecko.

According to Darktrace's report, the campaign underscores the steady evolution of malware tactics, particularly in obfuscation and cryptojacking.

Sixty-three layers of encoding are far more than signature evasion requires, and the excess shows how far threat actors will go to keep their code from being read.

For system administrators, the campaign is a reminder that exposed Docker daemons remain a prime target.

A Docker API reachable from the internet without authentication and firewall restrictions is a recipe for compromise: attacks against such endpoints arrive constantly, and even brief exposure can lead to a significant breach.
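The exposure the article warns about usually comes down to one line in the daemon configuration. Below is an added example, not from the page or from Docker's own tooling, that audits a daemon.json for it: a `tcp://` listener with no `tlsverify` is the plaintext, unauthenticated API that lets anyone reaching the port launch containers as root, and even a TLS-protected listener bound to all interfaces deserves a firewall rule. Both configuration samples are constructed; the paths and the 10.0.0.5 address are placeholders.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated TCP API.
Added example; the config samples below are constructed, not from the page."""
import json
from urllib.parse import urlparse

# Constructed weak setting: plaintext API on 2375, no client authentication.
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed corrected setting: mutual TLS on 2376, bound to one interface.
# Certificate paths and the bind address are placeholders.
HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(text: str) -> list:
    """Return a list of findings; an empty list means no TCP exposure problem."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are governed by filesystem permissions
        parsed = urlparse(host)
        if not cfg.get("tlsverify"):
            findings.append(
                f"{host}: TCP API without tlsverify; any client reaching the port "
                "gets unauthenticated, root-equivalent control of the host")
        else:
            # tlsverify only helps if the daemon actually has its material.
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(f"{host}: tlsverify set but {key} is missing")
        if parsed.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(
                f"{host}: bound to all interfaces; restrict the bind address "
                "or firewall the port to known clients")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(cfg) or ["ok"])
```

One caveat: `hosts` can also be set on the dockerd command line or in the systemd unit rather than in daemon.json, so a clean audit of the file should be confirmed against what is actually listening (for example with `ss -ltnp`) before concluding the API is not exposed.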

As attackers keep abusing legitimate tools for illicit gain, the need for better detection and proactive security measures has never been more pressing.

The case illustrates why de-obfuscation skills matter for analysts, and it points to a broader shift in the threat landscape, where noisy, well-known tooling gives way to quieter abuse of legitimate services.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware and vulnerabilities.
