Privacy Crypto Dero Targeted With New Self-Spreading Malware
The malware spread like a worm and spawned malicious containers after infecting fresh devices.

What to know:
- A new Linux malware campaign is targeting unsecured Docker infrastructure to create a cryptojacking network mining Dero.
- The attack exploits exposed Docker APIs on port 2375, using malicious containers to mine cryptocurrency and spread without a central server.
- Kaspersky reports that the malware uses Golang-based implants and encrypts data to avoid detection, indicating an evolution of previous cryptojacking operations.
A newly discovered Linux malware campaign is compromising unsecured Docker infrastructure worldwide, turning exposed servers into part of a decentralized cryptojacking network that mines the privacy coin Dero.
According to a report by cybersecurity firm Kaspersky, the attack begins by exploiting publicly exposed Docker APIs over port 2375. Once access is gained, the malware spawns malicious containers and infects already-running ones, siphoning system resources to mine Dero and scan for additional targets without requiring a central command server.
In software terms, Docker is a set of platform tools and products that use OS-level virtualization to deliver software in small packages called containers.
The threat actor behind the operation deployed two Golang-based implants: one named “nginx” (a deliberate attempt to masquerade as the legitimate web server software), and another called “cloud,” which is the actual mining software used to generate Dero.
Once a host was compromised, the nginx module continuously scanned the internet for more vulnerable Docker nodes, using tools like Masscan to identify targets and deploy new infected containers.
“The entire campaign behaves like a zombie container outbreak,” researchers wrote. “One infected node autonomously creates new zombies to mine Dero and spread further. No external control is needed — just more misconfigured Docker endpoints.”
To avoid detection, it encrypts configuration data, including wallet addresses and Dero node endpoints, and hides itself under paths typically used by legitimate system software.
Kaspersky identified the same wallet and node infrastructure used in earlier cryptojacking campaigns that targeted Kubernetes clusters in 2023 and 2024, indicating an evolution of a known operation rather than a brand-new threat.
In this case, however, the use of self-spreading worm logic and the absence of a central command server make it especially resilient and harder to shut down.
As of early May, over 520 Docker APIs were publicly exposed over port 2375 worldwide — each one a potential target.
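A defender-side check for the misconfiguration described above, as an added example that is not from the article or Kaspersky's report: it audits a Docker daemon's `daemon.json` and `dockerd` command line for TCP listeners that accept clients without certificate verification. The sample configurations and the certificate path are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_docker_listeners(daemon_json: str, dockerd_cmdline: str) -> list[dict]:
    """Return one finding per tcp:// listener that lacks client-certificate auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    args = shlex.split(dockerd_cmdline)

    # Listeners can come from daemon.json ("hosts") or from -H/--host flags.
    hosts = list(cfg.get("hosts", []))
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])

    # Only tlsverify enforces client certificates; plain "tls" encrypts the
    # channel but still accepts any client.
    tlsverify = cfg.get("tlsverify") is True or any(
        a in ("--tlsverify", "--tlsverify=true") for a in args)

    findings = []
    for host in hosts:
        if not host.startswith("tcp://") or tlsverify:
            continue
        url = urlsplit(host)
        # Assumption: a listener with no explicit address is treated as
        # network-reachable so that it is flagged rather than missed.
        findings.append({
            "listener": host,
            "port": url.port,
            "reachable_from_network": (url.hostname or "") not in LOOPBACK,
        })
    return findings

# Constructed sample inputs: a weak configuration and a hardened one.
WEAK_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_CMDLINE = "dockerd -H tcp://127.0.0.1:2375"
HARDENED_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                 ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

if __name__ == "__main__":
    for finding in audit_docker_listeners(WEAK_JSON, WEAK_CMDLINE):
        print(finding)
    print(audit_docker_listeners(HARDENED_JSON, "dockerd"))
```

A listener flagged with `reachable_from_network` set to true is the condition the campaign depends on; a loopback-only finding still grants unauthenticated daemon access to every local process.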