
Spyderbat

CONTAINER RUNTIME — CLOUD WORM DETECTION
VERIFIED: 2025-01-12
PROOFS: 28
CAMPAIGN: SILENTBOB
THREAT ACTOR: TEAMTNT
Cloud-focused threat group specializing in cryptojacking, credential theft, and self-propagating worms targeting Docker and Kubernetes environments.
SILENTBOB — CLOUD WORM CAMPAIGN
Self-propagating cloud worm targeting misconfigured Docker APIs and JupyterLab servers. Discovered by Aqua Nautilus in July 2023. Deploys Tsunami IRC backdoor and XMRig cryptominer across ~16.7M scanned IPs.
WORLD HACKER GAMES™ ROUND 2 — CERTIFIED
Guardian policy automatically killed compromised pod, demonstrating continuous runtime protection against Silent Bob worm propagation in live competition environment.
CRYPTOGRAPHIC PROOF
VERIFIED ON-CHAIN
PR-2025-00823
SHA-256: 5b8c3f2a1d9e4b7c6a0f3e2d1c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b
VERIFIED THREAT COVERAGE
SILENTBOB TEAMTNT T1190 T1610 T1059.004 T1053 T1046 T1552.001 T1090 T1021 T1071.001 T1573 T1496
THREAT INTELLIGENCE
C2 DOMAIN: silentbob.anondns.net
C2 PROTOCOL: DNS over HTTP (anondns)
MALWARE: Tsunami IRC, XMRig
SCAN RANGE: ~16.7M IPs (Masscan + ZGrab)
TTP BREAKDOWN — MITRE ATT&CK
T1190 Exploit Public-Facing Application (INITIAL ACCESS)
Exploitation of misconfigured Docker APIs and JupyterLab servers exposed to the internet.

T1610 Deploy Container (EXECUTION)
Malicious container deployment via compromised Docker daemon for payload execution.

T1059.004 Unix Shell (EXECUTION)
Execution of run.sh and docker_entrypoint.sh scripts for worm propagation.

T1053 Scheduled Task/Job (PERSISTENCE)
Container restart policy (--restart=always) for persistence across reboots.

T1046 Network Service Discovery (DISCOVERY)
Masscan and ZGrab scanning of ~16.7M IPs for vulnerable Docker/JupyterLab instances.

T1552.001 Credentials in Files (CREDENTIAL ACCESS)
aws.sh script for AWS credential theft from instance metadata and config files.

T1090 Proxy (COMMAND AND CONTROL)
Proxychains3 and Tor service for anonymized network communication.

T1496 Resource Hijacking (IMPACT)
XMRig cryptominer deployment for Monero mining on compromised infrastructure.