Executive summary

The Akamai Hunt Team has uncovered a new strain of malware that targets exposed Docker APIs with expanded infection capabilities. It was last seen in August 2025 in Akamai’s infrastructure of honeypots.

The malware was originally reported in June 2025 by Trend Micro’s Threat Intelligence Team. The iteration they discovered dropped a cryptominer behind a Tor domain. The Akamai Hunt Team observed a variant that has a different initial access vector — it blocks others from accessing the Docker API from the internet. The binary is also different; the variant discovered by Akamai Hunt doesn't drop a cryptominer but instead drops a file containing other previously used tools along with infection capabilities beyond those of the original strain.

This blog post includes the full technical details about the initial finding, what differs between the two variants, and indicators of compromise (IOCs) to aid in defense against this threat.

Introduction

The more interconnected our digital…