New Malware Targets Docker to Earn Crypto via Web3 Platform

-




Cybersecurity experts have uncovered a unique malware campaign designed to exploit Docker environments for cryptocurrency gains. Unlike traditional cryptojacking operations that use tools like XMRig to mine crypto directly, this campaign takes a more subtle approach.

The malware, analyzed by Darktrace and Cado Security, interacts with a decentralized Web3 platform called Teneo. This service rewards users with Teneo Points—convertible to $TENEO tokens—for running a Community Node that collects public social media data. These nodes extract content from platforms like Facebook, Reddit, TikTok, and X (formerly Twitter).

Investigators found the malware in a Docker container image named "kazutod/tene:ten", hosted on Docker Hub. Despite being uploaded only two months ago, the image had already seen over 300 downloads before it was taken down. Inside, it contained a highly obfuscated Python script that had to be unpacked through more than 60 decoding stages before executing its main function: connecting to the teneo[.]pro domain via WebSocket.

Interestingly, the script doesn’t actually scrape data. Instead, it sends frequent keep-alive signals—likely to maximize reward points on the platform, which are based on uptime and activity rather than output.


This method mirrors past tactics like the 9Hits Viewer malware, which abused misconfigured Docker setups to drive artificial web traffic. It also resembles proxyjacking—a scheme where attackers earn rewards by sharing victims' unused internet bandwidth.

With traditional cryptojacking tools like XMRig being easier to detect, attackers seem to be experimenting with stealthier, reward-based alternatives. Whether this new method proves more lucrative remains to be seen.

In related news, Fortinet researchers have spotted a botnet called RustoBot, spreading through vulnerabilities in TOTOLINK and DrayTek routers. This botnet appears to focus on launching DDoS attacks, particularly targeting technology firms in Japan, Taiwan, Vietnam, and Mexico.

As attackers increasingly exploit weakly secured network devices, experts emphasize the need for stronger endpoint protection and authentication to prevent such threats.

Reference:

https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html

Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more