Type: Campaign
Actors:
Pub. date: June 25, 2026
Initial access: 1-day vulnerability
Impact: Resource hijacking, Data exfiltration
Observed techniques:
Targeted technologies:
References:
Status: Finalized
Last edited: Jun 28, 2026 2:58 PM
Researchers identified a campaign leveraging the Realm C2 framework that compromised thousands of Linux hosts between June 13 and 23, 2026, with a primary focus on large managed Kubernetes clusters. The attackers exploited vulnerabilities in Argo Workflows and Gogs to gain initial access, then deployed cryptominers and used stolen Kubernetes service account tokens to spread laterally to more than 300 additional nodes via privileged container escape. Organizations running Argo Workflows or Gogs should patch immediately and check for indicators of compromise.