Security Experts:

Connect with us

Hi, what are you looking for?



Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters

Dero cryptojacking operation infecting Kubernetes infrastructure is being targeted by Monero criptojackers for control over the same clusters.

Cybersecurity firm CrowdStrike warns of a Dero cryptojacking operation infecting Kubernetes clusters that are also being targeted by a Monero cryptojacking campaign.

Dero is a cryptocurrency that uses directed acyclic graph (DAG) technology, claiming to provide users with complete transactional anonymity, increased privacy, and a higher reward ratio compared to Monero.

Since the beginning of February 2023, what appears to be the first-ever Dero cryptojacking operation has been observed targeting Kubernetes clusters on non-standard ports that are exposed to the internet.

To compromise the identified clusters, the attackers are using a Kubernetes API with authentication set to ‘anonymous’, which allows them to completely bypass authentication on accidentally exposed clusters.

Following initial interaction with the Kubernetes cluster, the attackers deploy a DaemonSet that drops a malicious pod on each node of the cluster.

“This helps attackers engage resources of all of the nodes at the same time to run a cryptojacking operation. The mining efforts by the pods are contributed back to a community pool, which distributes the reward equally among its contributors through their digital wallet,” CrowdStike explains.

As part of the campaign, the threat actors hosted on Docker Hub a Docker image that has over 4,000 pulls, which may be indicative of the number of miner instances deployed.

CrowdStrike says it has not observed the attackers pivoting from the compromised Kubernetes clusters to move laterally or attempting to delete or disrupt cluster operation, which suggests that their sole purpose was mining for Dero.

However, shortly after identifying the campaign, CrowdStrike also observed a modified Monero operation that targets exposed Kubernetes clusters and which deliberately attempts to delete Dero’s DaemonSet from the compromised targets.

“This signifies the Monero campaign is aware of the ongoing Dero cryptojacking campaign, and the Monero attacker wants to knock off the existing Dero cryptojacking DaemonSet before the campaign takes over the cluster and uses all of its resources,” the cybersecurity firm notes.

The same Monero operation attempts to delete other DaemonSets as well, suggesting that its operators might be aware of other cryptojacking campaigns as well.

As part of the Monero campaign, a privileged pod is being deployed and a ‘host’ directory is loaded, in an attempt to escape the container. Additionally, a cronjob is created to trigger the payload, instead of directly executing scripts.

Related: Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices

Related: Abcbot DDoS Botnet Linked to Older Cryptojacking Campaign

Related: Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.