Cybersecurity researchers have uncovered a novel malware campaign that targets Docker environments with an unconventional method of generating cryptocurrency rewards — not by directly mining digital coins, but by exploiting a decentralized Web3 service called Teneo. This shift marks a significant departure from traditional cryptojacking techniques and reflects evolving tactics among financially motivated threat actors.
The campaign, analyzed by Darktrace and Cado Security, focuses on deploying a containerized malware that connects infected systems to the Teneo platform, a decentralized physical infrastructure network (DePIN). Teneo incentivizes users to share public social media data via “Community Nodes,” which scrape platforms such as Facebook, X (formerly Twitter), Reddit, and TikTok. Participants are rewarded in Teneo Points, which can be exchanged for $TENEO Tokens.
The Malware Delivery Chain
The attack begins with a Docker command that launches a container from the image "kazutod/tene:ten", hosted on Docker Hub. Although the image was uploaded only two months ago, it has already been pulled 325 times, which suggests it is being actively used in the campaign.
Once started, the container runs a heavily obfuscated Python script that unpacks itself through 63 successive decoding layers before revealing its final payload: a program that connects to teneo[.]pro over WebSocket.
Although Teneo's Community Nodes are meant to scrape social media data, Darktrace found that the malware performs no scraping at all. Instead, it continuously sends keep-alive pings, or "heartbeats," to the platform. Because Teneo rewards node uptime and activity signals rather than the data actually delivered, this lets the attacker farm Teneo Points passively.
“The malware script simply connects to the WebSocket and sends keep-alive pings, likely to farm Teneo Points more efficiently,” Darktrace explained. “Most of the rewards appear to be tied to these heartbeats, not actual data collection.”
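As an added example of how an analyst handles a many-layered self-decoding script like the one described above (this is not code from the report, from Darktrace or Cado, or from the sample itself), the following Python peels wrapper layers statically, without ever calling exec(), and then pulls network endpoints out of the decoded stage. It assumes the common `exec(zlib.decompress(base64.b64decode(...)))` wrapper shape; the page does not say which encoding kazutod/tene:ten actually uses, so that pattern, the 63-layer constructed sample, and the placeholder hostname are all assumptions.

```python
import base64
import re
import zlib
from typing import List, Tuple

# ASSUMPTION: this wrapper shape is one common self-decoding layer in obfuscated
# Python droppers. The real sample's encoding is not documented on this page.
_LAYER_RE = re.compile(
    r"^exec\(zlib\.decompress\(base64\.b64decode\((['\"])"
    r"(?P<blob>[A-Za-z0-9+/=]+)\1\)\)\)\s*$"
)

# Constructed stand-in for the final stage. It is never executed here, and the
# hostname is a placeholder, not a real Teneo endpoint.
SAMPLE_PAYLOAD = '''\
import time
WS_URL = "wss://ws.example.invalid/socket"  # placeholder endpoint
def heartbeat(ws):
    while True:
        ws.send("ping")  # keep-alive only, no scraping
        time.sleep(10)
'''


def wrap_layers(payload: str, layers: int) -> str:
    """Build a sample wrapped `layers` times, mimicking nested self-decoding stages."""
    code = payload
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(code.encode("utf-8"))).decode("ascii")
        code = f"exec(zlib.decompress(base64.b64decode('{blob}')))"
    return code


def unwrap_layers(code: str, max_layers: int = 500) -> Tuple[str, int]:
    """Statically peel every matching layer. Never calls exec().

    Returns (innermost_code, layers_removed). Raises once max_layers is exceeded,
    so a hostile sample cannot keep the analysis spinning.
    """
    depth = 0
    while True:
        m = _LAYER_RE.match(code.strip())
        if m is None:
            return code, depth
        if depth >= max_layers:
            raise ValueError(f"more than {max_layers} layers; refusing to continue")
        raw = zlib.decompress(base64.b64decode(m.group("blob")))
        code = raw.decode("utf-8", errors="replace")
        depth += 1


_URL_RE = re.compile(r"\b(?:wss?|https?)://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"]*)?")


def extract_indicators(code: str) -> List[str]:
    """Pull WebSocket/HTTP endpoints out of the decoded stage for blocking and hunting."""
    return sorted(set(_URL_RE.findall(code)))


if __name__ == "__main__":
    sample = wrap_layers(SAMPLE_PAYLOAD, 63)
    inner, depth = unwrap_layers(sample)
    print(f"peeled {depth} layers")
    for ioc in extract_indicators(inner):
        print("indicator:", ioc)
```

The layer regex is deliberately strict: anything that does not match the expected wrapper stops the loop and is returned for manual inspection rather than guessed at, and the depth cap keeps a malicious or malformed sample from turning the unpacker into a denial of service on the analyst's own machine.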
A New Spin on Resource Exploitation
This campaign is being compared to older Docker-based threats such as the 9Hits Viewer campaign, where attackers deployed software in misconfigured containers to artificially generate web traffic and earn traffic credits. Similarly, this new intrusion set mirrors proxyjacking schemes, in which malicious actors monetize bandwidth by installing software that shares a victim’s internet connection with third-party services.
The significant difference here lies in the Web3 monetization layer. While typical cryptojacking attacks use software like XMRig to mine cryptocurrencies directly, these methods have become increasingly detectable by endpoint and network defenses. By contrast, Teneo-based exploitation is subtler and harder to detect, because it mimics legitimate interactions with a publicly accessible decentralized service.
“Attackers appear to be pivoting away from XMRig-based cryptojacking due to its high detection rate,” Darktrace said. “Whether this new method is ultimately more profitable remains to be seen.”
Rising Threats Beyond Docker
This disclosure comes as other malware campaigns continue to spread through exploitable internet-facing infrastructure. Fortinet FortiGuard Labs recently reported a new botnet called RustoBot, which spreads by exploiting known vulnerabilities in TOTOLINK routers (CVE-2022-26210 and CVE-2022-26187) and DrayTek devices (CVE-2024-12987).
RustoBot appears to be geared toward launching Distributed Denial-of-Service (DDoS) attacks, with observed campaigns primarily targeting the technology sector in countries such as Japan, Taiwan, Vietnam, and Mexico.
“IoT and network devices are frequently left under-defended, making them attractive targets,” said security researcher Vincent Li. “Improving endpoint monitoring and enforcing robust authentication protocols can significantly reduce the attack surface.”
Implications for Cloud and Web3 Security
The emergence of Teneo-focused malware raises red flags about the security implications of decentralized platforms, particularly those with open-access APIs and reward-based systems. These platforms could inadvertently incentivize malicious behavior or become tools for financial abuse when user activity is rewarded without validation of its legitimacy.
As cloud-native threats evolve, so must the defense strategies. Organizations using Docker and other container platforms are urged to audit public image pulls, restrict access to container orchestration tools, and monitor outbound connections to uncommon services like Teneo.
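To make the two controls above concrete (auditing where running images come from, and watching for outbound connections that look like nothing but keep-alive traffic), here is an added example written for this page; it is not code from Darktrace, Cado, or any product. The container inventory and flow records are constructed, the field names follow a Zeek conn.log-like shape, the allowlists and the duration/byte-rate thresholds are assumptions to tune per environment, and the hostnames are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed inventory, in the shape `docker ps --format '{{.Names}} {{.Image}}'` gives.
CONTAINERS: Dict[str, str] = {
    "web-1": "nginx:1.27",
    "api-1": "ghcr.io/acme/api:1.4",
    "updater": "registry.internal:5000/team/app",
    "tene-1": "kazutod/tene:ten",   # the Docker Hub image named in the report
}

# Constructed outbound flow records (Zeek conn.log-like fields, one per connection).
CONNECTIONS: List[Dict] = [
    {"container": "web-1", "dst": "cdn.example.invalid", "duration_s": 45,
     "orig_bytes": 5_000, "resp_bytes": 2_000_000},
    {"container": "updater", "dst": "registry.internal", "duration_s": 1_800,
     "orig_bytes": 20_000_000, "resp_bytes": 500_000},
    {"container": "tene-1", "dst": "ws.example.invalid", "duration_s": 3_600,
     "orig_bytes": 7_200, "resp_bytes": 3_600},   # ~3 B/s for an hour: heartbeat shape
]

# Policy (assumed): registry/namespace pairs we pull from, and hosts we expect to reach.
ALLOWED_SOURCES = {("docker.io", "library"), ("ghcr.io", "acme"),
                   ("registry.internal:5000", "team")}
ALLOWED_DESTINATIONS = {"cdn.example.invalid", "registry.internal"}


def parse_image_ref(ref: str) -> Tuple[str, str, str, str]:
    """Split an image reference into (registry, namespace, repo, tag).

    Follows Docker's reference rules: a first path component containing a dot or a
    colon, or equal to 'localhost', is a registry; otherwise the image comes from
    docker.io, and a bare name belongs to the 'library' namespace.
    """
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, rest = parts[0], parts[1:]
    else:
        registry, rest = "docker.io", parts
    name = rest[-1].split("@", 1)[0]          # drop a digest suffix if present
    repo, _, tag = name.partition(":")
    namespace = "/".join(rest[:-1]) or ("library" if registry == "docker.io" else "")
    return registry, namespace, repo, tag or "latest"


def untrusted_images(containers: Dict[str, str], allowed=ALLOWED_SOURCES) -> List[Tuple[str, str]]:
    """Running containers whose image comes from a registry/namespace outside the allowlist."""
    hits = []
    for name, ref in containers.items():
        registry, namespace, _, _ = parse_image_ref(ref)
        if (registry, namespace) not in allowed:
            hits.append((name, ref))
    return hits


def heartbeat_connections(conns: List[Dict], min_duration_s: int = 600,
                          max_bytes_per_s: float = 50.0,
                          allowed=ALLOWED_DESTINATIONS) -> List[Tuple[str, str, float]]:
    """Long-lived, nearly idle connections to hosts outside the allowlist: the shape of
    a session that only sends keep-alive pings. Thresholds are assumptions."""
    hits = []
    for c in conns:
        if c["dst"] in allowed or c["duration_s"] < min_duration_s:
            continue
        rate = (c["orig_bytes"] + c["resp_bytes"]) / c["duration_s"]
        if rate <= max_bytes_per_s:
            hits.append((c["container"], c["dst"], round(rate, 1)))
    return hits


def report(containers=CONTAINERS, conns=CONNECTIONS) -> Dict:
    """Combine both signals; a container that trips both deserves immediate triage."""
    untrusted = untrusted_images(containers)
    beats = heartbeat_connections(conns)
    both = {n for n, _ in untrusted} & {n for n, _, _ in beats}
    return {"untrusted_images": untrusted, "heartbeat_connections": beats,
            "both": sorted(both)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

In a real deployment the inventory would come from the Docker or Kubernetes API and the flow records from the network sensor, but the logic is the point: a legitimate pull that no one approved and a connection that stays open for an hour while moving a few bytes per second are individually weak signals and together a strong one.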