TRENDING TOPICS APR 23, 2025

Docker Malware Campaign Abuses Decentralized Networks Through Deep Payload Obfuscation 

A recently identified malware campaign targets Docker environments by disguising malicious containers as benign images hosted on Docker Hub. The infection starts when a user runs a container from the “kazutod/tene:ten” image, which executes a script named ten[.]py. Security analysts at Darktrace found the script heavily obfuscated through a multi-stage process of base64 decoding, zlib decompression, and execution of the result through lambda functions. The sequence repeats more than 60 times, a tactic designed to defeat automated detection and slow manual analysis; each layer reveals only the next layer, never the final payload, showing the attacker’s intent to stay hidden from security tools and human analysts alike. Once fully de-obfuscated, the payload opens a websocket connection to teneo[.]pro, a Web3 startup that rewards users for running data-scraping nodes, revealing the campaign’s purpose: unauthorized reward farming through service abuse. Instead of participating in Teneo’s data-collection network as intended, the malware connects to the platform and sends idle heartbeat pings, tricking the system into issuing rewards for node activity that never happens. This differs from traditional cryptojacking, where tools like XMRig mine publicly traded cryptocurrencies; here the attackers exploit a private platform for reward tokens that have no public valuation. The attackers appear to be testing this monetization model across other containers, using their Docker Hub profile to distribute clients for additional decentralized services, including one targeting Nexus. Given the closed nature of these token systems, it is unclear how profitable the scheme is, but it reflects a notable evolution in threat-actor tactics: rather than directly stealing or mining currency, they manipulate the incentive systems built into legitimate platforms for financial gain. 
For administrators and defenders, this incident reinforces the ongoing risks of exposing Docker services to the internet without proper restrictions, as even short exposure windows can result in compromise. 
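The repeated base64 / zlib / lambda-exec layering described above is easier to reason about with a concrete unwrapper. The following is an added example, not Darktrace’s tooling and not the real ten[.]py: it constructs a sample chain from the same building blocks the analysis names, then peels it statically (decode and decompress each layer, never exec it) and pulls URL-shaped indicators from what is left. The payload text, hostname and layer template are placeholders built for the example.

```python
"""Static unwrapper for a nested base64 -> zlib -> exec Python obfuscation chain.

Added example, not Darktrace's tooling and not the real ten.py. The sample is
constructed here from the same building blocks the write-up names (base64,
zlib, a lambda that hands the decoded text to exec). Nothing decoded is run:
each layer is decoded and decompressed, never executed.
"""
import base64
import re
import zlib

# One layer, as an obfuscator would emit it: decode, decompress, exec.
LAYER_TEMPLATE = (
    "(lambda b: exec(__import__('zlib').decompress("
    "__import__('base64').b64decode(b))))({blob!r})"
)

# Matches that layer shape and captures the quoted base64 literal.
LAYER_RE = re.compile(
    r"\(lambda b: exec\(__import__\('zlib'\)\.decompress\("
    r"__import__\('base64'\)\.b64decode\(b\)\)\)\)\('([A-Za-z0-9+/=]+)'\)"
)

# Constructed stand-in for the innermost payload (placeholder hostname).
FINAL_PAYLOAD = (
    "import websocket\n"
    "ws = websocket.create_connection('wss://node.example.invalid/ws')\n"
    "while True:\n"
    "    ws.send('{\"type\": \"PING\"}')  # idle heartbeat, no real work\n"
)


def wrap(code: str, layers: int) -> str:
    """Bury `code` under `layers` rounds of zlib + base64 + lambda/exec."""
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(code.encode())).decode()
        code = LAYER_TEMPLATE.format(blob=blob)
    return code


def peel(code: str, max_layers: int = 500, max_bytes: int = 10_000_000):
    """Unwrap the chain without executing anything.

    Returns (innermost_source, layers_removed). Stops when the text no longer
    matches the layer shape, or at max_layers / max_bytes so a malformed or
    decompression-bomb sample cannot run away.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.fullmatch(code.strip())
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        d = zlib.decompressobj()
        data = d.decompress(raw, max_bytes)
        if d.unconsumed_tail:
            raise ValueError(f"layer {layers + 1} exceeds {max_bytes} bytes decompressed")
        code = data.decode()
        layers += 1
    return code, layers


def network_indicators(source: str) -> list[str]:
    """Pull URL-shaped indicators out of the recovered source for triage."""
    return sorted(set(re.findall(r"(?:wss?|https?)://[\w.-]+(?:/[\w./-]*)?", source)))


if __name__ == "__main__":
    sample = wrap(FINAL_PAYLOAD, 60)
    src, n = peel(sample)
    print(f"removed {n} layers, {len(sample)} -> {len(src)} bytes")
    print("indicators:", network_indicators(src))
```

Real samples vary the layer shape (different helper names, byte literals, `compile` instead of `exec`), so the regex is the part an analyst adapts per family; the size and depth caps stay, because a chain that decompresses to gigabytes is itself an anti-analysis trick.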

APT34 Preps Infrastructure for Future Operations with Deceptive Academic and Tech Lures 

Researchers at Hunt.io have identified early infrastructure setups tied to APT34, also known as OilRig, a suspected Iranian cyber-espionage group that typically targets government, energy, telecom, education, and non-governmental organizations. Between late 2024 and April 2025, analysts tracked a cluster of domains and servers impersonating an academic institution in Iraq and fictitious UK technology companies. While no active malware payloads have been found, the infrastructure’s design displays hallmarks of APT34’s methods, including staged decoy content, shared SSH keys, and coordinated IP management. Notably, the domain biam-iraq[.]org migrated from Host Sailor to M247 Europe SRL infrastructure and remained active for months, pointing to deliberate and patient pre-operational behavior. These servers consistently returned a static “404 Not Found” response on port 8080, a decoy behavior linked to the group’s past operations. Subdomains resembling mail and webmail suggest an intent to conduct phishing or credential theft once the infrastructure goes live. Beyond the academic facade, researchers uncovered [.]eu domains posing as UK tech firms with fabricated identities and branding, including “Sphere Spark” and “ZenStack Technologies.” These domains used common nameservers, were registered through a U.S.-based registrar, and were hosted in the same IP space, showing deliberate clustering. One distinctive detail was the rapid reuse of a single SSH host-key fingerprint across multiple servers, pointing to a centralized provisioning process. Coupled with TLS certificates issued by Let’s Encrypt and passive DNS overlaps, these artifacts provide strong indicators for detection and asset correlation. Though dormant, the infrastructure demonstrates how APT34 invests in long-term setups to avoid early disruption. 
Security teams are advised to track these early-stage signs using threat-hunting tools and custom queries, as catching infrastructure before deployment can provide rare opportunities to preempt targeted attacks. 
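The artifacts listed above (a reused SSH host-key fingerprint, the static 404 on port 8080, shared nameservers, common hosting, Let’s Encrypt issuance) are exactly the kind of thing a custom hunting query pivots on. The following added example, not Hunt.io’s code, scores scan records against those hallmarks and surfaces hosts that share several of them. The records are constructed for illustration (RFC 5737 addresses, .test names, made-up fingerprints and ASNs) and are not real indicators; in practice they would come from an internet-scan export or passive DNS.

```python
"""Correlate dormant staging infrastructure by the artefacts Hunt.io describes
(reused SSH host-key fingerprint, static "404 Not Found" on 8080, shared
nameservers, Let's Encrypt issuance, common hosting). Added example; the scan
records below are constructed (RFC 5737 addresses, .test names, made-up
fingerprints) and are not Hunt.io data or real indicators.
"""
from collections import defaultdict

SCAN = [  # constructed records
    {"ip": "203.0.113.10", "host": "mail.academy-lure.test", "asn": 64500,
     "ssh_fp": "SHA256:k1k1k1", "p8080": {"status": 404, "body": "404 Not Found"},
     "ns": ["ns1.shared-dns.test", "ns2.shared-dns.test"], "issuer": "Let's Encrypt"},
    {"ip": "203.0.113.11", "host": "webmail.academy-lure.test", "asn": 64500,
     "ssh_fp": "SHA256:k1k1k1", "p8080": {"status": 404, "body": "404 Not Found"},
     "ns": ["ns1.shared-dns.test", "ns2.shared-dns.test"], "issuer": "Let's Encrypt"},
    {"ip": "203.0.113.20", "host": "techfirm-lure.test", "asn": 64500,
     "ssh_fp": "SHA256:k1k1k1", "p8080": {"status": 404, "body": "404 Not Found"},
     "ns": ["ns1.shared-dns.test", "ns2.shared-dns.test"], "issuer": "Let's Encrypt"},
    {"ip": "198.51.100.5", "host": "blog.unrelated.test", "asn": 64496,
     "ssh_fp": "SHA256:z9z9z9", "p8080": None,
     "ns": ["ns1.blog-dns.test"], "issuer": "Let's Encrypt"},
    {"ip": "198.51.100.6", "host": "shop.unrelated.test", "asn": 64497,
     "ssh_fp": "SHA256:q7q7q7", "p8080": {"status": 200, "body": "<html>shop</html>"},
     "ns": ["ns1.shop-dns.test", "ns2.shop-dns.test"], "issuer": "DigiCert"},
]


def shared_values(records, key):
    """Values of `key` seen on two or more distinct IPs (list fields are flattened)."""
    seen = defaultdict(set)
    for r in records:
        vals = r[key] if isinstance(r[key], list) else [r[key]]
        for v in vals:
            seen[v].add(r["ip"])
    return {v for v, ips in seen.items() if len(ips) >= 2}


def hallmarks(rec, shared_fps, shared_ns, shared_asns):
    """Which of the reported pre-operational traits this record exhibits."""
    hits = []
    if rec["ssh_fp"] in shared_fps:
        hits.append("ssh_fingerprint_reuse")      # centralized provisioning
    p = rec["p8080"]
    if p and p["status"] == 404 and p["body"].strip() == "404 Not Found":
        hits.append("static_404_on_8080")         # decoy listener
    if any(n in shared_ns for n in rec["ns"]):
        hits.append("shared_nameservers")
    if rec["asn"] in shared_asns:
        hits.append("shared_hosting_asn")
    if rec["issuer"] == "Let's Encrypt":
        hits.append("letsencrypt_cert")           # weak alone, useful in combination
    return hits


def hunt(records, min_hits=3):
    """Return hosts showing at least `min_hits` hallmarks, strongest first."""
    fps = shared_values(records, "ssh_fp")
    ns = shared_values(records, "ns")
    asns = shared_values(records, "asn")
    out = []
    for r in records:
        hits = hallmarks(r, fps, ns, asns)
        if len(hits) >= min_hits:
            out.append({"ip": r["ip"], "host": r["host"], "hits": hits})
    return sorted(out, key=lambda x: (-len(x["hits"]), x["ip"]))


if __name__ == "__main__":
    for r in hunt(SCAN):
        print(r["ip"], r["host"], ", ".join(r["hits"]))
```

The threshold matters: a Let’s Encrypt certificate or a shared commodity nameserver is common on benign hosts, which is why the benign blog in the sample is not flagged at the default of three hits, while the three lure hosts sharing one SSH fingerprint, one decoy 404 listener and one hosting range are.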

Cookie-Bite Attack Replays Stolen Entra ID Session Cookies to Bypass MFA 

Security researchers at Varonis have detailed a high-risk session hijacking method known as the “Cookie-Bite Attack,” which enables threat actors to bypass Multi-Factor Authentication (MFA) and maintain prolonged access to enterprise cloud services. The technique abuses Microsoft Entra ID session cookies, specifically ESTSAUTH and ESTSAUTHPERSISTENT, to impersonate authenticated users without triggering additional credential prompts or security alerts. These cookies are harvested using infostealer malware or malicious browser extensions that read them directly from the victim’s browser. Attackers can automate the process with PowerShell scripts that load the extension silently and keep it in place for persistence. Once acquired, the stolen cookies are injected into the attacker’s browser session using tools like Cookie-Editor, granting seamless access to Microsoft 365, Teams, the Azure Portal, and SharePoint. Beyond initial access, the attack enables deeper compromise through the Microsoft Graph API to enumerate users, manipulate data, and exfiltrate content from enterprise accounts. Tools including AADInternals and TokenSmith allow further escalation by extracting refresh tokens and obtaining OAuth access tokens for longer-term control. Even organizations with Conditional Access Policies (CAPs) are not immune, as attackers mimic the user’s environment by matching IP ranges, browser signatures, and device fingerprints. The “Keep Me Signed In” feature increases the risk by issuing a persistent session cookie that remains valid for up to 90 days, allowing attackers to retain access without raising alarms. The technique exposes a blind spot in defenses that stop at the login event and underscores the need for behavior-based monitoring, token binding, and strict control of browser extensions in corporate environments. 
As browser-based session hijacking becomes more refined, enterprises must shift toward proactive threat detection strategies beyond simple login verification. 
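One concrete form of the behavior-based monitoring mentioned above is to look for a session that was established interactively with MFA and then continues non-interactively from a different network, browser or device context, or well past the organization’s session-age policy. The following is an added example, not Varonis code; the events are constructed and modelled loosely on Entra sign-in log fields (the session identifier the portal shows as “Session ID”, IP, ASN, user agent, whether the sign-in was interactive and satisfied MFA). Field names are assumptions for the example, not a Microsoft schema.

```python
"""Spot replay of a stolen Entra ID session cookie in sign-in telemetry.

Added example, not Varonis code. The events are constructed and the field
names are assumptions modelled on Entra sign-in logs (session identifier, IP,
ASN, user agent, interactive/MFA flags). A replayed ESTSAUTH or
ESTSAUTHPERSISTENT cookie shows up as non-interactive sign-ins that inherit an
existing session but not the context in which it was created.
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


EVENTS = [  # constructed sample telemetry
    {"time": ts("2025-04-01T08:00:00+00:00"), "user": "alice@example.test", "session_id": "S1",
     "ip": "203.0.113.5", "asn": 64500, "user_agent": "Chrome/124 Windows",
     "interactive": True, "mfa": True, "app": "Office Home"},
    {"time": ts("2025-04-01T08:05:00+00:00"), "user": "alice@example.test", "session_id": "S1",
     "ip": "203.0.113.5", "asn": 64500, "user_agent": "Chrome/124 Windows",
     "interactive": False, "mfa": False, "app": "Teams"},
    # same session id, new network, user agent copied from the victim (CAP evasion)
    {"time": ts("2025-04-02T22:10:00+00:00"), "user": "alice@example.test", "session_id": "S1",
     "ip": "198.51.100.77", "asn": 64510, "user_agent": "Chrome/124 Windows",
     "interactive": False, "mfa": False, "app": "Azure Portal"},
    # weeks later, different browser, still riding the persistent cookie
    {"time": ts("2025-05-10T03:00:00+00:00"), "user": "alice@example.test", "session_id": "S1",
     "ip": "198.51.100.77", "asn": 64510, "user_agent": "Firefox/126 Linux",
     "interactive": False, "mfa": False, "app": "Microsoft Graph"},
    {"time": ts("2025-04-01T09:00:00+00:00"), "user": "bob@example.test", "session_id": "S2",
     "ip": "203.0.113.9", "asn": 64500, "user_agent": "Edge/124 Windows",
     "interactive": True, "mfa": True, "app": "Office Home"},
    {"time": ts("2025-04-01T09:30:00+00:00"), "user": "bob@example.test", "session_id": "S2",
     "ip": "203.0.113.9", "asn": 64500, "user_agent": "Edge/124 Windows",
     "interactive": False, "mfa": False, "app": "SharePoint"},
    # session that was never seen being established interactively in our logs
    {"time": ts("2025-04-03T10:00:00+00:00"), "user": "carol@example.test", "session_id": "S3",
     "ip": "198.51.100.80", "asn": 64510, "user_agent": "Chrome/124 Windows",
     "interactive": False, "mfa": False, "app": "Teams"},
]


def detect_replay(events, max_session_age_days=30):
    """Return alerts for non-interactive sign-ins that drift from their session's origin.

    An interactive MFA sign-in anchors (user, session_id); every later
    non-interactive sign-in on that session is compared against the anchor.
    """
    baseline = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        key = (e["user"], e["session_id"])
        if e["interactive"] and e["mfa"]:
            baseline[key] = e          # fresh MFA sign-in re-anchors the session
            continue
        base = baseline.get(key)
        reasons = []
        if base is None:
            reasons.append("no_interactive_origin")
        else:
            if e["asn"] != base["asn"]:
                reasons.append("asn_changed")
            if e["user_agent"] != base["user_agent"]:
                reasons.append("user_agent_changed")
            if e["time"] - base["time"] > timedelta(days=max_session_age_days):
                reasons.append("session_older_than_policy")
        if reasons:
            alerts.append({"user": e["user"], "session_id": e["session_id"],
                           "time": e["time"].isoformat(), "app": e["app"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_replay(EVENTS):
        print(a["time"], a["user"], a["app"], ", ".join(a["reasons"]))
```

The limitation is the one the write-up itself raises: an attacker who copies the victim’s user agent and sources traffic from a similar network will not trip the first two checks, which is why session-age limits, token binding and extension control are structural fixes rather than optional extras. The session-age check stands on its own, since a cookie that is still producing sign-ins 39 days after its MFA event is a policy question regardless of where it comes from.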

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.