Kubernetes Cryptojacking

In this video I take a look at a cryptojacking attack against a Kubernetes honeypot. The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.

The analyzed capture files can be downloaded from

This PCAP dataset was created by Noah Spahn, Nils Hanke, Thorsten Holz, Chris Kruegel, and Giovanni Vigna as part of their research for their Container Orchestration Honeypot: Observing Attacks in the Wild paper.

The capture files named "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the decrypted Kubernetes API traffic to the master node. This traffic was actually TLS encrypted, but since PolarProxy was used as a TLS interception proxy we can see the Kubernetes API traffic in decrypted form.

IOC List

  • attacker IP: (PIA VPN)
  • kind: DeamonSet
  • name: api-proxy
  • namespace: kube-system
  • image: dorjik/xmrig
  • mining pool: gulf.moneroocean.stream:1012
  • annotation: kubectl.kubernetes.io/last-applied-configuration
  • Monero wallet address: 41pdpXWNMe6NvuDASWXn6ZMdPk4N6amucCHHstNcw2y8caJNdgN4kNeW3QFfc3amCiJ9x6dh8pLboR6minjYZpgk1szkeGg

Posted by Erik Hjelmvik on Tuesday, 07 May 2024 07:50:00 (UTC/GMT)

Tags: #video#CapLoader#PolarProxy

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=245f018

X / twitter

NETRESEC on X / Twitter: @netresec


NETRESEC on Mastodon: @netresec@infosec.exchange