Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Stealthy Kubernetes Cryptojacking Unveiled

June 7, 2024
Reading Time: 3 mins read
in Alerts
Stealthy Kubernetes Cryptojacking Unveiled

Cybersecurity researchers at Wiz have identified a sophisticated cryptojacking campaign that exploits vulnerabilities in Kubernetes clusters to mine Dero cryptocurrency. This campaign represents an evolution of earlier attacks documented by CrowdStrike in March 2023. Unlike previous methods that utilized a Kubernetes DaemonSet named “proxy-api,” the current campaign employs seemingly innocuous DaemonSets such as “k8s-device-plugin” and “pytorch-container” to distribute a UPX-packed DERO miner across cluster nodes. This strategy allows the threat actors to covertly execute mining operations while evading detection, leveraging anonymous access to Kubernetes API servers as an initial point of compromise.

The malicious activity centers around Docker images hosted on Docker Hub, some of which have been downloaded more than 10,000 times. These images contain the ‘pause’ container, which masquerades as a legitimate component used for network isolation within Kubernetes pods. Once deployed, the DERO miner embedded in these containers begins exploiting computational resources across the Kubernetes cluster, aiming to maximize cryptocurrency mining output.

Furthermore, the threat actors have taken steps to obfuscate their activities and evade security measures. The DERO miner itself is an open-source binary modified to hard-code wallet addresses and mining pool URLs, making it easier to operate without typical command-line arguments that might trigger security alerts. Additionally, the use of UPX packing technology adds another layer of complexity, making analysis and detection more challenging for defenders.

In response to this threat, Wiz has observed additional tools developed by the attackers, including a Windows version of the DERO miner and a dropper script designed to terminate competing mining processes on infected hosts. The attackers have also registered domains with innocuous names to blend in with legitimate web traffic and obscure communication with well-known mining pools. This adaptive approach underscores the attackers’ efforts to stay ahead of cybersecurity defenses, continually refining their tactics to exploit vulnerabilities in cloud environments effectively.

Reference:

  • Malicious Docker Images Used in Kubernetes for Dero Cryptojacking
Tags: CryptojackingCyber AlertsCyber Alerts 2024Cyber RiskCyber threatDockerJune 2024Kubernetes
ADVERTISEMENT

Related Posts

Hackers Revive SEO Poisoning

Hackers Revive SEO Poisoning

July 10, 2025
Hackers Revive SEO Poisoning

RondoDox Botnet Exploits Router Flaws

July 10, 2025
Hackers Revive SEO Poisoning

ServiceNow Data Exposure via ACLs

July 10, 2025
Hackers Use Leaked Shellter License Malware

Windows BitLocker Vulnerability Flaw

July 9, 2025
Hackers Use Leaked Shellter License Malware

Hackers Use Leaked Shellter License Malware

July 9, 2025
Hackers Use Leaked Shellter License Malware

Anatsa Android Trojan Targets 90K Users

July 9, 2025

Latest Alerts

RondoDox Botnet Exploits Router Flaws

ServiceNow Data Exposure via ACLs

Hackers Revive SEO Poisoning

Windows BitLocker Vulnerability Flaw

Anatsa Android Trojan Targets 90K Users

Hackers Use Leaked Shellter License Malware

Subscribe to our newsletter

    Latest Incidents

    Bitcoin Depot Breach Exposes Data

    McDonald’s AI Hiring Bot Exposes Data

    Nippon Steel Solutions Data Breach

    Norwegian Municipalities Hit by Data Breach

    Credit Reports Breached And Sold On Dark Web

    Recruiting Software Exposed 26M Resumes

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial