A recently uncovered malware campaign targeting Docker, one of the most frequently attacked services according to Darktrace’s honeypot data, has revealed a startling level of sophistication in obfuscation and cryptojacking methods.
This novel attack begins with a seemingly innocuous request to launch a container from Docker Hub, specifically the kazutod/tene:ten image.
By leveraging Docker’s built-in tools to pull and extract the image layers, analysts discovered that the container executes a Python script named ten.py.
What sets this campaign apart is the intricate obfuscation technique used to conceal the malicious payload within this script.
The script employs a multi-layered approach, utilizing a lambda function to reverse a base64-encoded string, decode it, and decompress it via zlib before executing the result as Python code.
This process repeats over 63 iterations, a deliberate tactic that likely aims to thwart signature-based detection and frustrate reverse-engineering efforts by analysts.
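The layering described above can be unwrapped statically, without ever executing a stage, by parsing each script and trying its string constants against the reverse-base64-zlib chain. The following is an added example (not code from the report or from ten.py); the exact lambda text used by `wrap_once` to build the constructed test sample is assumed, and the final stage is a harmless stand-in.

```python
import ast
import base64
import zlib

# Constructed stand-in for the final stage; the real ten.py payload is not reproduced.
FINAL_STAGE = "print('constructed benign payload')\n"


def wrap_once(source: str) -> str:
    """Build one wrapper layer in the shape the report describes (assumed exact form):
    zlib-compress, base64-encode, reverse, and exec() the result via a lambda.
    Used only to construct a test sample for the unwrapper below."""
    blob = base64.b64encode(zlib.compress(source.encode())).decode()[::-1]
    return ("exec((lambda s: __import__('zlib').decompress("
            f"__import__('base64').b64decode(s[::-1])))('{blob}'))\n")


def peel_layer(source: str):
    """Return the stage hidden inside `source`, or None if no layer is found.
    Parses the script and tries each string constant; never calls exec()."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return None
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))):
            continue
        raw = node.value if isinstance(node.value, bytes) else node.value.encode()
        try:
            # reverse -> base64-decode (strict alphabet) -> zlib-decompress
            return zlib.decompress(base64.b64decode(raw[::-1], validate=True)).decode()
        except (ValueError, zlib.error, UnicodeDecodeError):
            continue  # ordinary string literal, not a wrapped stage
    return None


def unwrap(source: str, max_layers: int = 500):
    """Peel layers until a stage is not wrapped; returns (layer_count, final_source)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(source)
        if inner is None:
            break
        source, layers = inner, layers + 1
    return layers, source


if __name__ == "__main__":
    sample = FINAL_STAGE
    for _ in range(63):  # mirror the 63 iterations seen in the campaign
        sample = wrap_once(sample)
    depth, final = unwrap(sample)
    print(f"peeled {depth} layers; final stage:\n{final}")
```

The layer count it reports is itself a useful triage signal: legitimate scripts almost never nest more than one or two encode-and-exec wrappers.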
Delving deeper into the de-obfuscated code, the malware’s intent becomes clear: it establishes a connection to teneo[.]pro, a legitimate Web3 startup focused on decentralized data networks.
Teneo incentivizes users to join its network with “Teneo Points,” a private crypto token, in exchange for running nodes that scrape social media data.
However, this malware exploits the system by connecting via a websocket and sending keep-alive pings without performing any scraping, illicitly accumulating points based on heartbeat counts.
This represents a shift from traditional cryptojacking tools like XMRig, which directly mine cryptocurrencies and are widely detected by security systems.
Instead, attackers are now hijacking legitimate decentralized platforms for profit, a trend also evident in the attacker’s Docker Hub profile, where similar containers execute clients for other distributed networks like Nexus.
The profitability of this method remains uncertain due to the opaque nature of private tokens and the lack of public pricing data, as seen with Teneo’s token listed as “preview only” on CoinGecko.
According to the report, this campaign underscores the persistent evolution of malware tactics, particularly in the realm of obfuscation and cryptojacking.
The excessive layering of encoded payloads, while seemingly unnecessary for bypassing detection, highlights the lengths to which threat actors will go to protect their code from scrutiny.
For system administrators, this serves as a critical reminder that Docker remains a prime target.
Exposing Docker services to the internet without robust authentication and firewall protections is a recipe for compromise, as attacks occur with alarming frequency. Even brief exposure can lead to significant breaches.
As attackers continue to innovate by abusing legitimate tools for illicit gain, the need for advanced detection mechanisms and proactive security measures has never been more urgent.
This case not only illustrates the importance of de-obfuscation skills for analysts but also signals a broader shift in the cyberthreat landscape, where traditional attack vectors are replaced by insidious, covert strategies.