A new cryptojacking campaign is targeting Docker environments using a creative method to mine private crypto tokens. Instead of traditional tools like XMRig, the attackers connect to teneo.pro, a Web3 startup, and exploit its reward system by sending fake activity signals, Infosecurity Magazine reports. This approach lets the attacker earn tokens without contributing data or resources, marking a shift toward less detectable and indirect crypto mining methods.

Researchers from Darktrace and Cado Security Labs found that the malware is delivered through a Docker container, which runs a built-in script called ten.py. Once launched, this script executes an obfuscated Python payload that researchers had to decode through multiple layers of string manipulation. This technique is consistent with broader malware trends that rely on obfuscation to evade detection and complicate analysis.

The attacker behind this campaign has a history of similar activity, having previously used Docker containers to run clients for other distributed computing projects in exchange for cryptocurrency. This evolving tactic reflects how threat actors are leveraging legitimate decentralized platforms to quietly extract value.

Security experts recommend minimizing Docker’s exposure to the internet and enforcing strict access controls. Given the growing number of container-based attacks, organizations should review their Docker configurations, apply firewalls, and authenticate all access to reduce the risk of compromise.
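
One way to carry out the configuration review recommended above, as an added example that is not from the article or the researchers: a Python audit of a Docker daemon.json that reports TCP API listeners accepting clients without TLS client-certificate verification. The two sample configurations are constructed, and the check assumes listeners are declared in daemon.json.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def is_loopback(host):
    """True when the listener address is only reachable from the host itself."""
    if host is None:          # "tcp://:2375" binds every interface
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:        # other hostnames: assume reachable remotely
        return False


def audit_daemon_config(text):
    """Return one finding per TCP listener that accepts unauthenticated clients."""
    cfg = json.loads(text)
    client_auth = bool(cfg.get("tlsverify"))   # mutual TLS: clients need a cert
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":                # unix:// and fd:// are local sockets
            continue
        if client_auth:
            continue
        scope = "loopback" if is_loopback(url.hostname) else "network"
        findings.append((host, scope))
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no unauthenticated TCP listeners")
```

Listeners passed to dockerd with -H on the command line do not appear in daemon.json, so the service unit or startup arguments need the same review.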