
Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

22 April 2025 | Ravie Lakshmanan | IoT Security / Malware


Cybersecurity researchers have detailed a malware campaign that targets Docker environments with a previously undocumented technique to mine cryptocurrency.

The activity cluster, per Darktrace and Cado Security, represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit from compute resources.

This involves deploying malware that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points, which can be converted into $TENEO tokens.


The node essentially works as a scheduled social media scraper that extracts posts from Facebook, X, Reddit, and TikTok.

Darktrace's analysis of artifacts gathered from its honeypots revealed that the attack begins with a request to launch a container image “Casell / TENE: Ten” from the Docker Hub registry. The image was uploaded two months ago and has been downloaded 325 times to date.

The container is designed to run an embedded Python script that is heavily obfuscated and requires 63 iterations to unpack the actual code, which sets up a connection to Tene (.) Pro.
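An added example, not code from the article or from Darktrace: how an analyst can statically peel a many-layered packed Python script like the one described above without ever executing it. The layer shape (an `exec(zlib.decompress(base64.b64decode(...)))` wrapper) is an assumption, since the article does not describe the actual encoding; `peel_once`, `unpack`, and `build_constructed_sample` are hypothetical names.

```python
import base64
import binascii
import re
import zlib

# Assumed wrapper shape for each layer (not taken from the article):
#   exec(zlib.decompress(base64.b64decode(b'...')))
LAYER_RE = re.compile(rb"b64decode\(\s*b?(['\"])([A-Za-z0-9+/=]+)\1\s*\)")
MAX_LAYERS = 500              # hard stop so a hostile sample cannot loop forever
MAX_SIZE = 16 * 1024 * 1024   # cap on decompressed bytes per layer (zip-bomb guard)


def peel_once(source: bytes):
    """Return the next layer's bytes, or None if source is not a wrapper."""
    match = LAYER_RE.search(source)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(2), validate=True)
        inflater = zlib.decompressobj()
        out = inflater.decompress(raw, MAX_SIZE)
    except (binascii.Error, zlib.error):
        return None  # looked like a layer but does not decode: treat as payload
    if inflater.unconsumed_tail:
        raise ValueError("layer exceeds decompressed size cap")
    return out


def unpack(source: bytes):
    """Peel layers statically (nothing is exec'd); return (payload, layer_count)."""
    layers = 0
    while layers < MAX_LAYERS:
        inner = peel_once(source)
        if inner is None:
            return source, layers
        source, layers = inner, layers + 1
    raise ValueError("exceeded MAX_LAYERS; sample may be adversarial")


def build_constructed_sample(payload: bytes, depth: int) -> bytes:
    """Build an inert, constructed test input with `depth` nested layers."""
    for _ in range(depth):
        blob = base64.b64encode(zlib.compress(payload))
        payload = b"exec(zlib.decompress(base64.b64decode(b'" + blob + b"')))"
    return payload


# Constructed sample: 63 layers, matching the iteration count in the article.
SAMPLE = build_constructed_sample(b"print('inert constructed payload')", 63)
```

Calling `unpack(SAMPLE)` returns the innermost source and the number of layers removed, which can then be reviewed for network indicators such as the WebSocket endpoint.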


“The malware script simply connects to the WebSocket and sends keep-alive pings in order to obtain more points from Teneo and does not do any actual scraping,” Darktrace said in a report shared with The Hacker News. “Based on the website, most of the rewards are gated behind the number of heartbeats, which is probably why this works.”

The campaign is reminiscent of another malicious threat activity cluster that is known to infect misconfigured Docker instances with the 9Hits Viewer software to generate traffic to certain sites in exchange for credits.

The intrusion set is also similar to other sharing schemes such as proxyjacking, which involve downloading specific software to share unused internet resources for some kind of financial incentive.


“Typically, traditional cryptojacking attackers rely on directly mining cryptocurrency; however, as XMRig is highly detected, attackers are shifting to alternative methods of generating crypto,” Darktrace said. “Whether it is more cost effective remains to be seen.”

The disclosure comes as Fortinet FortiGuard Labs revealed a new botnet that spreads through security flaws in TOTOLINK (CVE-2022-26187) and DrayTek (CVE-2024-12987) devices with the aim of conducting DDoS attacks. The exploitation efforts have been found to primarily target the technology sector in Japan, Taiwan, Vietnam, and Mexico.

“IoT and network devices are often poorly defended endpoints, making them attractive targets to exploit and deliver malware,” security researcher Vincent Lee said. “Strengthening endpoint monitoring and authentication can significantly reduce the risk of exploitation and help mitigate malware campaigns.”


2025-04-22 19:46:00
