Introduction

A novel malware campaign is increasingly targeting Docker environments to mine cryptocurrencies illicitly. This campaign diverges from traditional cryptojacking methods by exploiting the Teneo network, where users are rewarded for sending frequent “heartbeats” or “keep alive” pings. This trend highlights the growing misuse of legitimate platforms for malicious activities.

Description

A new malware campaign is increasingly targeting Docker environments to illicitly mine cryptocurrencies, employing methods distinct from traditional mining software like XMRig [5]. This campaign marks a departure from conventional cryptojacking techniques [2], utilizing the Teneo network, where users receive rewards for sending frequent “heartbeats” or “keep alive” pings via WebSocket to the Teneo service. This approach allows attackers to accumulate points without engaging in actual data scraping, reflecting a broader trend of exploiting legitimate platforms for malicious purposes.

Exemplified by the kazutod/tene:ten Docker image [1], which was uploaded two months ago and has been downloaded 325 times [3], this malware strain carries a heavily obfuscated Python script that requires 63 iterations to unpack, employing advanced methods to conceal its malicious intent [1]. The specifics of the Teneo token, including its value and the mechanics of its rewards system, remain obscure [1], yet the platform rewards users according to the frequency of the pings they send.
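The "63 iterations to unpack" figure describes nested wrapper layers, each one an encoded blob that the previous layer hands to `exec()`. An analyst never wants to run such a sample to see what is inside; the layers can be peeled statically instead. The following is an added example, not code from the page or from Darktrace's analysis: it assumes the common `exec(zlib.decompress(base64.b64decode(b'...')))` wrapper shape (the real sample's exact layering is not reproduced here) and decodes each layer with pure string operations, counting how many it peeled. The `wrap()` helper only builds a benign constructed fixture so the unpacker can be exercised offline.

```python
import base64
import re
import zlib

# Matches the base64 literal inside a wrapper such as
#   exec(zlib.decompress(base64.b64decode(b'...')))
# This wrapper shape is an assumption for the demonstration; the real
# sample's exact layering is not reproduced here.
LAYER_RE = re.compile(r"b64decode\(\s*b?['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def peel_layer(source: str):
    """Statically decode one wrapper layer without executing anything.

    Returns the inner source text, or None when the text carries no wrapper.
    """
    match = LAYER_RE.search(source)
    if match is None:
        return None
    blob = base64.b64decode(re.sub(r"\s", "", match.group(1)))
    # Only decompress when the wrapper itself calls decompress() on the blob.
    if "decompress(" in source:
        try:
            blob = zlib.decompress(blob)
        except zlib.error:
            pass  # not zlib data after all; keep the raw decoded bytes
    return blob.decode("utf-8", errors="replace")


def unpack(source: str, max_layers: int = 500):
    """Peel wrapper layers until plain code remains; returns (layer_count, code).

    max_layers guards against a sample that loops back on itself forever.
    """
    layers = 0
    current = source
    while layers < max_layers:
        inner = peel_layer(current)
        if inner is None:
            break
        current = inner
        layers += 1
    return layers, current


def wrap(source: str, layers: int, compress: bool = True) -> str:
    """Constructed fixture builder: wrap `source` in N exec() layers.

    It exists only so the unpacker can be exercised offline on a benign payload.
    """
    current = source
    for _ in range(layers):
        raw = current.encode()
        if compress:
            raw = zlib.compress(raw)
        blob = base64.b64encode(raw).decode()
        if compress:
            current = (
                "import base64, zlib\n"
                f"exec(zlib.decompress(base64.b64decode(b'{blob}')))\n"
            )
        else:
            current = f"import base64\nexec(base64.b64decode(b'{blob}'))\n"
    return current


if __name__ == "__main__":
    fixture = wrap("print('benign payload')", 63)  # constructed 63-layer sample
    count, code = unpack(fixture)
    print(f"peeled {count} layers; innermost code: {code!r}")
```

On a real sample the innermost code is what deserves the analyst's attention: the layer count itself is a triage signal (legitimate Python rarely ships 63 nested `exec()` wrappers), and because nothing is executed the script can be run safely inside a normal analysis workstation rather than a detonation sandbox.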

The attacker has previously used similar techniques for cryptocurrency mining [4]; their latest Docker Hub profile contains a container that runs the Nexus Network client [4], a project focused on distributed zero-knowledge compute tasks performed in exchange for cryptocurrency rewards [4]. This campaign resembles other malicious activity that infects misconfigured Docker instances [3], such as the use of 9Hits Viewer Software to generate traffic to specific sites in exchange for credits. It also shares similarities with bandwidth-sharing schemes [3] such as proxyjacking [3] [5], in which specific software is installed to share unused internet bandwidth for financial incentives [3].

As cryptojacking techniques evolve [1], they pose serious challenges for the security of container-based cloud infrastructure. The attackers demonstrate a deep understanding of Docker and Kubernetes architectures, so organizations must adopt specific security measures. System administrators are advised to secure Docker environments by limiting their exposure to the internet [1], implementing robust authentication and firewall controls [1], auditing running containers, and monitoring for anomalous resource consumption. The exact earnings generated by this technique remain undetermined because the private tokens are closed [4]; that uncertainty underlines the need to keep anomaly detection systems continuously updated against such emerging threats.
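Two of the recommendations above, auditing running containers and watching for anomalous resource consumption, can be turned into a small periodic check built on the Docker CLI's own JSON output. The following is an added example, not code from the page or from any of the cited vendors: it parses `docker stats --no-stream --format '{{json .}}'` and `docker ps --format '{{json .}}'` output, flags containers whose CPU share exceeds an assumed threshold, and flags containers whose image does not come from an assumed allowlisted registry prefix. Both sample outputs embedded below are constructed fixtures (the container IDs, names and the internal registry name are invented; the `kazutod/tene:ten` image name is the one the text reports).

```python
import json
import subprocess

# Constructed sample of `docker stats --no-stream --format '{{json .}}'` output.
SAMPLE_STATS = """\
{"Name":"web-frontend","ID":"a1b2c3d4e5f6","CPUPerc":"2.10%","MemPerc":"4.50%","NetIO":"1.2MB / 800kB","PIDs":"12"}
{"Name":"elegant_hopper","ID":"0f1e2d3c4b5a","CPUPerc":"97.80%","MemPerc":"1.10%","NetIO":"45MB / 3.1GB","PIDs":"3"}
"""

# Constructed sample of `docker ps --format '{{json .}}'` output.
SAMPLE_PS = """\
{"ID":"a1b2c3d4e5f6","Names":"web-frontend","Image":"registry.example.internal/shop/web:1.4.2","Status":"Up 3 days"}
{"ID":"0f1e2d3c4b5a","Names":"elegant_hopper","Image":"kazutod/tene:ten","Status":"Up 2 hours"}
"""

# Assumed policy values for this example; tune them to the host's baseline.
CPU_THRESHOLD = 80.0
ALLOWED_IMAGE_PREFIXES = ("registry.example.internal/",)


def parse_json_lines(text):
    """Each docker CLI line is one JSON object; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_hot_containers(stats_text, threshold=CPU_THRESHOLD):
    """Names of containers whose CPU share exceeds the threshold."""
    hot = []
    for row in parse_json_lines(stats_text):
        cpu = float(row["CPUPerc"].rstrip("%"))
        if cpu > threshold:
            hot.append(row["Name"])
    return hot


def flag_untrusted_images(ps_text, allowed=ALLOWED_IMAGE_PREFIXES):
    """(name, image) pairs for running containers outside the image allowlist."""
    return [
        (row["Names"], row["Image"])
        for row in parse_json_lines(ps_text)
        if not row["Image"].startswith(allowed)
    ]


def audit(stats_text, ps_text):
    """Combine both checks into one report dict."""
    return {
        "hot_cpu": flag_hot_containers(stats_text),
        "untrusted_image": flag_untrusted_images(ps_text),
    }


def docker_json(*args):
    """Live mode: run a docker CLI command and return its JSON-per-line output."""
    proc = subprocess.run(
        ["docker", *args, "--format", "{{json .}}"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Offline run against the constructed fixtures; swap in the two
    # docker_json(...) calls below to audit a real host.
    # report = audit(docker_json("stats", "--no-stream"), docker_json("ps"))
    report = audit(SAMPLE_STATS, SAMPLE_PS)
    print(json.dumps(report, indent=2))
```

A container that is both outside the allowlist and pinned near 100% CPU, as the constructed `elegant_hopper` entry is, is exactly the combination the text describes; the image allowlist check also catches the heartbeat variant, which may consume little CPU because it never performs real mining work, so the two checks are complementary rather than redundant.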

Conclusion

The emergence of this malware campaign underscores the evolving nature of cryptojacking threats, particularly in cloud environments. Organizations must enhance their security protocols to protect against such sophisticated attacks. This includes implementing stringent access controls, regular audits, and continuous monitoring of container activities. As attackers continue to exploit legitimate platforms, staying informed and proactive in security measures will be crucial in mitigating future risks.

References

[1] https://www.darktrace.com/blog/obfuscation-overdrive-next-gen-cryptojacking-with-layers
[2] https://www.cypro.se/2025/04/22/docker-malware-exploits-teneo-web3-node-to-earn-crypto-via-fake-heartbeat-signals/
[3] https://www.techidee.nl/docker-malware-maakt-gebruik-van-teneo-web3-knooppunt-om-crypto-te-verdienen-via-nep-hartslagsignalen/22336/
[4] https://www.infosecurity-magazine.com/news/cryptojacking-malware-docker-novel/
[5] https://www.hendryadrian.com/docker-malware-exploits-teneo-web3-node-to-earn-crypto-via-fake-heartbeat-signals/