Hackers Deploy Advanced Botnet Over Exposed Docker APIs via Tor (2025)
Executive Summary
In September 2025, a sophisticated threat campaign was uncovered targeting exposed Docker APIs, where attackers leveraged the Tor network to obfuscate their activities and deploy a new, evolving botnet. The attackers used automated scanning to discover open Docker API endpoints (commonly on port 2375), then executed a multi-stage infection chain utilizing malicious containers. These payloads established persistent SSH access, blocked further exploitation by others, and launched additional tools for internal scanning, lateral movement, and covert communication. While earlier versions dropped cryptominers, the updated tooling focused on botnet expansion, user monitoring, and groundwork for additional attacks such as credential theft or DDoS.
This incident exemplifies the rapid shift toward automation and stealth in cloud-native threats. Its relevance is underscored by the proliferation of misconfigured APIs and cloud workloads, combined with attackers’ increasing use of anonymizing networks (like Tor) and multi-vector attacks. Organizations with exposed or poorly secured container environments are urgently at risk.
Why This Matters Now
The Docker API attack demonstrates how rapidly threat actors exploit misconfigurations in modern cloud and DevOps environments, using automated multi-stage malware and network anonymization to evade detection. Immediate action is needed to secure container APIs and monitor for anomalous behaviors, as similar botnet campaigns are accelerating in both scale and sophistication.
Attack Path Analysis
Attackers scanned for exposed Docker API endpoints and gained unauthorized access to vulnerable hosts by creating rogue containers. On compromise, they achieved persistent access by installing an SSH key and automated scripts, then escalated control over the host. The adversary moved laterally by scanning for additional exposed Docker APIs and infecting new nodes using self-propagation methods. They established covert command and control over Tor, using encrypted channels to transfer additional payloads and maintain communication. While direct data exfiltration was not observed, tools for scanning, mass data movement, and user enumeration were deployed. Impact activities included disabling access to Docker APIs, removing competitor containers, and enabling botnet expansion as groundwork for future attacks.
Kill Chain Progression
Initial Compromise
Description
Attackers identified and accessed exposed Docker API ports (2375) on cloud hosts, using them to deploy malicious containers via unauthorized requests.
Related CVEs
CVE-2025-9074
CVSS 9.3A vulnerability in Docker Desktop allows local Linux containers to access the Docker Engine API via the configured Docker subnet, potentially leading to unauthorized execution of privileged commands.
Affected Products:
Docker Inc. Docker Desktop – < 4.44.3
Exploit Status:
exploited in the wildCVE-2024-41110
CVSS 9.9A regression in Docker Engine's authorization mechanism allows attackers to bypass AuthZ plugins using specially crafted API requests, leading to unauthorized actions and potential privilege escalation.
Affected Products:
Docker Inc. Docker Engine – <= 19.03.15, <= 20.10.27, <= 23.0.14, <= 24.0.9, <= 25.0.5, <= 26.0.2, <= 26.1.4, <= 27.0.3, <= 27.1.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
User Execution: Malicious File
Command and Scripting Interpreter
Create Account: Local Account
Valid Accounts
Impair Defenses: Disable or Modify System Firewall
Remote Services: SSH
Proxy: Multi-hop Proxy
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Critical System Components from Unauthorized Access
Control ID: 1.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Art. 9(3)
CISA Zero Trust Maturity Model 2.0 – Enforce Identity and Authorization
Control ID: Identity Pillar - Policy Enforcement
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Docker API exposure enables botnet infiltration, lateral movement, and persistent access through containerized infrastructure, requiring enhanced east-west traffic security and segmentation controls.
Computer Software/Engineering
Containerized applications face automated exploitation via exposed APIs, enabling cryptomining botnets and SSH persistence that compromise development and production environments significantly.
Financial Services
Docker API breaches enable botnet formation with dormant credential theft capabilities, threatening transaction systems and requiring compliance with PCI and HIPAA encryption standards.
Health Care / Life Sciences
Exposed container APIs allow persistent access and potential data exfiltration, violating HIPAA requirements for encrypted traffic and access controls in healthcare systems.
Sources
- Hackers hide behind Tor in exposed Docker API breacheshttps://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/Verified
- A critical Docker Desktop security flaw puts Windows hosts at risk of attack, so patch nowhttps://www.techradar.com/pro/security/a-critical-docker-desktop-security-flaw-puts-windows-hosts-at-risk-of-attack-so-patch-nowVerified
- Docker Fixed an AuthZ Bypass Flaw Leading to Privilege Escalation: CVE-2024-41110https://socradar.io/blog/docker-fixed-an-authz-bypass-flaw-leading-to-privilege-escalation-cve-2024-41110/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
The attack chain exploited a lack of segmentation, egress controls, and east-west visibility within the cloud environment; applying CNSF controls, such as Zero Trust segmentation, east-west security, centralized visibility, and egress policy enforcement, would have blocked initial access, limited propagation, and detected covert communications.
Control: Zero Trust Segmentation
Mitigation: Unauthorized API access would be blocked at the network boundary.
Control: Kubernetes Security (AKF)
Mitigation: Privileged escalation attempts via container compromise can be detected and policy-enforced.
Control: East-West Traffic Security
Mitigation: Inter-workload scanning and propagation is observed and blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous Tor-based C2 traffic is flagged and contained.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound destinations and protocols are blocked.
Critical service disruption and unauthorized container actions are prevented.
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to sensitive data and control over containerized applications.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust segmentation to eliminate exposed container APIs and restrict access to management interfaces.
- • Enforce egress filtering and DNS/FQDN-based policy to block unauthorized outbound traffic and concealment infrastructures like Tor.
- • Deploy east-west traffic monitoring and microsegmentation to rapidly detect and halt lateral movement attempts by malicious containers.
- • Integrate continuous anomaly detection and real-time alerting to identify suspicious activity, including unusual process launches and encrypted outbound connections.
- • Apply automated identity-based policy to secure workloads and regularly audit for misconfigurations in API and container orchestration services.
