Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
ID: 695623b6-ee3b-5a33-a426-4b737d20a799
STIX ID: report--695623b6-ee3b-5a33-a426-4b737d20a799
Feed Name: Datadog Security Labs
Datadog Security Research discovered an active cryptojacking campaign that exploits exposed Docker Engine APIs to deploy containers that mount host filesystems, execute init scripts, and install XMRig miners. The malware propagates laterally to Docker Swarm, Kubernetes (via the kubelet API), and SSH hosts; hides its processes via ld.so.preload; manipulates Docker Swarm to join actor-controlled clusters; and exfiltrates credentials from paths indicative of GitHub Codespaces. The report includes payload/script hashes, C2 domains and URLs (solscan.live and subdomains), one attributed IP (164.68.106.96), and an analysis of TTPs with a low-confidence discussion of links to TeamTNT.
