Blog | G5 Cyber Security

Misconfigured Docker Servers Under Attack By Xanthe Malware

Researchers have discovered a Monero cryptomining botnet they call Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems. According to the researchers, the malware uses various methods to spread across the network, including harvesting client-side certificates to spread to known hosts via Secure Shell (SSH). They said the actor is actively maintaining all the modules and has been active since March this year. As of this writing, there are 6,000 incorrectly configured Docker implementations exposed to the internet.

Source: https://threatpost.com/misconfigured-docker-servers-xanthe-malware/161732/
