Tags: Worm, Cryptominer
Incidents:
Last edited: May 30, 2024 3:40 PM
Cetus is a cryptojacking worm named after a monster from Greek mythology that disguises itself as a harmless whale. It masquerades as legitimate binaries commonly used in Docker environments, specifically Portainer, a UI tool for managing multiple Docker instances. The miner that Cetus deploys, XMRig, is disguised as "docker-cache", a plausible-sounding binary name that does not correspond to any real Docker component. Cetus also uses Masscan to scan random subnets for Docker daemons, and it infects the daemons it finds by sending requests to the daemon's API via the Docker CLI tool.
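A host-side check built from the indicators described above, as an added example that is not part of the original entry: it flags the process names the entry mentions and a `dockerd` started with a TCP listener but without `--tlsverify`, which is the condition that lets a remote Docker CLI drive the daemon. The sample process listing, its PIDs and paths are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample of `ps -eo pid,args` output; PIDs and paths are made up.
SAMPLE_PS = """\
  812 /usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
  990 /usr/bin/containerd
 4121 /usr/bin/docker-cache
 4150 /usr/bin/portainer
 4177 /usr/bin/masscan
"""

def daemon_hosts(args):
    """Return every -H/--host value from a dockerd command line."""
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts

def audit_processes(ps_text):
    """Return (pid, severity, reason) tuples for Cetus-related indicators."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, args = int(parts[0]), shlex.split(parts[1])
        name = args[0].rsplit("/", 1)[-1]
        if name == "docker-cache":
            findings.append((pid, "high", "docker-cache is not a real Docker binary"))
        elif name == "masscan":
            findings.append((pid, "high", "masscan running on a Docker host"))
        elif name == "portainer":
            # Assumption: a legitimate Portainer may exist, so this is only a prompt.
            findings.append((pid, "review", "confirm this Portainer is one you deployed"))
        elif name == "dockerd":
            # Command line only; hosts set in daemon.json are not inspected here.
            tls = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
            for host in daemon_hosts(args):
                if host.startswith("tcp://") and not tls:
                    findings.append((pid, "high", f"daemon API on {host} without --tlsverify"))
    return findings

if __name__ == "__main__":
    for finding in audit_processes(SAMPLE_PS):
        print(finding)
```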