A recent malware campaign targeting Docker showcases a novel form of cryptojacking that abuses legitimate Web3 services for profit while employing heavy layers of obfuscation to evade detection. By leveraging publicly hosted Docker images, the attackers deploy Python scripts that recursively decode and execute themselves dozens of times before revealing their final payload, which connects to the decentralized Teneo platform to collect crypto rewards. This approach reflects a shift away from traditional cryptomining tools like XMRig, toward stealthier abuse of reward systems tied to legitimate crypto-based services.
The campaign initiates with a Docker Hub image (kazutod/tene:ten) that runs a highly obfuscated Python script (ten.py). The script decodes a base64-encoded, reversed, and zlib-compressed payload, which in turn contains more encoded payloads, requiring over 60 iterations of decoding to reach the final executable code. This obfuscation chain is likely designed to frustrate analysts and avoid signature-based detection. The final payload connects to teneo[.]pro, a Web3 company offering rewards for data-sharing participation. Instead of contributing data, the malware abuses the platform by sending heartbeat pings to earn Teneo Points, which function as private crypto tokens. Other containers linked to the attacker reveal similar abuse of distributed computing services to earn cryptocurrency covertly.
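As an added illustration of the layered decoding described above (example code written for this page, not the campaign's ten.py, whose exact layout the text does not reproduce): a static unwrapper that peels base64, reversal and zlib layers without executing any of them, counts the depth, and bounds the decompressed size of each layer so a malformed layer cannot exhaust the analyst's memory. The `LAYER_RE` pattern and the `build_sample` helper, which constructs a benign 64-layer sample for the demo, are assumptions; against a real sample the regex would need adapting to that script's actual `exec(...)` shape.

```python
import base64
import re
import zlib

# Cap on the inflated size of any single layer: a malformed or deliberately
# inflated layer should fail loudly instead of exhausting memory.
MAX_LAYER_BYTES = 1_000_000

# Shape of one layer in the constructed sample (assumption for this demo): a
# base64 string that, once decoded, reversed and zlib-inflated, is more source.
LAYER_RE = re.compile(
    r"exec\(zlib\.decompress\(base64\.b64decode\('([A-Za-z0-9+/=]+)'\)\[::-1\]\)\)"
)

def peel_layer(src: str):
    """Return the source hidden inside one layer, or None if src is not a layer."""
    m = LAYER_RE.search(src)
    if m is None:
        return None
    raw = base64.b64decode(m.group(1))[::-1]  # undo base64, then the reversal
    d = zlib.decompressobj()
    out = d.decompress(raw, MAX_LAYER_BYTES)  # bounded inflate; nothing is executed
    if d.unconsumed_tail:
        raise ValueError("layer exceeds MAX_LAYER_BYTES")
    return out.decode()

def unwrap(src: str, max_layers: int = 200):
    """Peel layers statically until plain source remains; return (source, depth)."""
    depth = 0
    while depth < max_layers:
        inner = peel_layer(src)
        if inner is None:
            break
        src, depth = inner, depth + 1
    return src, depth

# --- Constructed sample for the demo (not the campaign's real script) ---
def wrap_layer(src: str) -> str:
    # Encode order is the reverse of the decode order: zlib, reverse, base64.
    blob = base64.b64encode(zlib.compress(src.encode())[::-1]).decode()
    return f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{blob}')[::-1]))"

def build_sample(depth: int, final: str = "print('benign inner payload')") -> str:
    src = final
    for _ in range(depth):
        src = wrap_layer(src)
    return src
```

Running `unwrap(build_sample(64))` returns the benign inner source together with a depth of 64, which is the kind of count worth alerting on when it appears in a container's entrypoint script.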