Kaspersky has uncovered a Dero cryptominer campaign that is spreading through open container environments. Cybersecurity experts have identified a sophisticated attack targeting containerized infrastructures.
A hidden cryptomining threat in containers
Attackers exploit the exposure of Docker APIs to inject two types of malware into the system. One of them is the Dero cryptominer, and the other is the malware that enables the attack to spread.

In 2025, an average of 485 Docker API default ports are left insecurely open every month worldwide, which gives attackers a wide attack surface. Attackers who gain access to exposed Docker APIs either hijack existing containers or create new malicious containers based on Ubuntu.
The “cloud” malware injected into the hijacked containers performs Dero mining, while the other malware, called “nginx”, provides persistence and can automatically scan for new targets and spread the infection.
The malware scans the Internet independently, without the need for Command and Control (C2) servers, and spreads through the containers it infects. Kaspersky experts state that each infected container acts as a new attack source, and therefore infections can increase rapidly. The critical role containers play in software development and distribution makes these attacks particularly dangerous.
The attackers were found to have embedded the names “nginx” and “cloud” directly in the binary code of the malicious file, so that the malware appears to be a legitimate tool. This method aims to mislead both automated security systems and analysts.
Kaspersky recommends that organizations using Docker APIs immediately review their security measures. It is particularly emphasized that Docker APIs should not be left unnecessarily exposed and should be protected with TLS if necessary. It is also recommended to detect ongoing or previously unnoticed attacks with Kaspersky’s Security Breach Assessment service.
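As an added illustration of that review (not code from Kaspersky or from the article), the following Python sketch audits a Docker daemon.json for TCP listeners that lack client-certificate verification. The sample configurations are constructed, and the severity labels are an assumption of this example; 2375 and 2376 are the conventional plaintext and TLS ports for the Docker API.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the article).
SAMPLES = {
    "exposed": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "tls_no_client_auth": '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}',
    "mutual_tls": '{"hosts": ["tcp://10.0.0.5:2376"], "tlsverify": true, '
                  '"tlscacert": "/etc/docker/ca.pem", '
                  '"tlscert": "/etc/docker/cert.pem", '
                  '"tlskey": "/etc/docker/key.pem"}',
    "local_only": '{"hosts": ["unix:///var/run/docker.sock"]}',
}

def is_loopback(hostname):
    """True only when the bind address is clearly local to the host."""
    if hostname is None:
        return False  # no explicit address: treat as exposed (conservative)
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False  # other hostnames: assume network-reachable

def audit_daemon_config(text):
    """Return (severity, listener, reason) for each TCP listener without client auth."""
    cfg = json.loads(text)
    client_auth = cfg.get("tlsverify") is True      # daemon verifies client certificates
    encrypted = client_auth or cfg.get("tls") is True
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp" or client_auth:
            continue  # unix:// and fd:// are not network listeners; mutual TLS is fine
        severity = "medium" if is_loopback(url.hostname) else "critical"
        reason = ("TLS without client certificate verification"
                  if encrypted else "plaintext, unauthenticated")
        findings.append((severity, host, reason))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_daemon_config(text))
```

Listeners passed to dockerd with `-H` on the command line (for example in a systemd unit) are not in daemon.json and need a separate check.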
It is stated that risks in container infrastructures can negatively affect business processes and that special security solutions are needed. Kaspersky Container Security solution offers protection both in the development phase and in the runtime process. This solution allows only trusted containers to run and ensures security by monitoring applications and the network.
Kaspersky also provides comprehensive support from threat detection to continuous protection and incident management with Managed Detection and Response (MDR) and Incident Response services. These services provide protection against sneaky attacks and fill the gap in cybersecurity personnel in organizations.