
Published 2026-03-19 by Oracle-42 Intelligence Engine

# **Emerging Threat Landscape: AI-Driven Cryptojacking and Exploited Containerized Environments**

## **Executive Summary**

A novel cryptojacking campaign leveraging the **Dero cryptocurrency** has been detected targeting **insecure Docker APIs**, particularly those exposed on **port 2375** in Linux-based containerized environments. The attackers employ **custom Golang malware** to propagate within networks, exploiting misconfigurations in Docker deployments. Concurrently, threat actors are utilizing **Unicode-based obfuscation techniques**, potentially for command-and-control (C2) or evasion purposes, while referencing industrial standards like **ISO 7327:1994**—a possible attempt to blend malicious activity with legitimate documentation.

This report provides a **technical breakdown** of the **Dero cryptojacking campaign**, examines the **Unicode obfuscation trends**, and assesses the implications of **containerized environment exploitation**. Additionally, we outline **defensive measures** to mitigate these threats.

---

## **1. Dero Cryptojacking Campaign: Exploiting Docker APIs**

### **1.1 Attack Vector and Initial Access**

The campaign targets **unsecured Docker API endpoints** (default port **2375**), which are often left exposed due to misconfigurations or improper hardening. The **Docker API** is a RESTful interface for interacting with Docker daemons, and when exposed without authentication, it allows attackers to:

- **Enumerate running containers**
- **Execute malicious commands**
- **Deploy cryptominers**

The attackers leverage **Golang-based malware** to:

- **Scan for exposed Docker APIs** (`2375/tcp`) -
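Added example, not code from the Oracle-42 report: a small audit of a dockerd `daemon.json` that flags the exposure described in 1.1, a TCP listener that accepts API calls without client-certificate authentication, and passes a mutual-TLS configuration bound to a private address. The `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real dockerd options; the two sample documents, the 10.0.0.5 address and the certificate paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375               # default dockerd TCP port named in the report
TLS_API_PORT = 2376                     # dockerd's default TCP port once TLS is enabled
WILDCARD_BINDS = {"", "0.0.0.0", "::"}  # binds reachable from every interface


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return one finding per TCP listener in a daemon.json that lacks client auth.

    Inspects the real dockerd keys `hosts` and `tlsverify`. tlsverify=true makes
    dockerd demand a client certificate signed by the configured CA; without it,
    any host that can reach the socket controls the daemon.
    """
    cfg = json.loads(raw_json)
    tlsverify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue                     # unix:// and fd:// sockets are local-only
        parts = urlsplit(listener)
        host = parts.hostname or ""
        default_port = TLS_API_PORT if tlsverify else PLAINTEXT_API_PORT
        port = parts.port if parts.port is not None else default_port
        scope = "all interfaces" if host in WILDCARD_BINDS else host
        if not tlsverify:
            findings.append(f"CRITICAL: {listener} serves the Docker API on {scope}:{port} "
                            "without client authentication; set tlsverify plus CA/cert/key")
        elif port == PLAINTEXT_API_PORT:
            findings.append(f"WARNING: {listener} is authenticated but uses the plaintext "
                            "convention port 2375; 2376 is the TLS convention")
    return findings


# Constructed sample: the misconfiguration the report describes.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: mutual-TLS listener on a private address; paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on each host; a listener configured through the systemd unit's `-H` flags instead of `daemon.json` will not be seen by this check.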
