Privacy Coin Dero Becomes Target of New Self-Propagating Malware

On May 29, it was reported that a new type of Linux malware is attacking unprotected Docker infrastructures worldwide, turning exposed servers into a decentralized network for mining the privacy coin Dero. This malware attacks exposed Docker APIs through port 2375, deploying two Golang-based implants, one disguised as legitimate web server software nginx, and another program named cloud for mining. Infected nodes autonomously scan the internet for new targets and deploy infected containers without the need for a central control server. As of early May, over 520 Docker APIs were publicly exposed through port 2375 globally, all of which are potential targets. Research shows that the wallet and node infrastructure used in this attack are the same as those used in attacks on Kubernetes clusters in 2023 and 2024.