Commando Cat

Threat Actor Profile Updated 2 months ago
Commando Cat is the name given to the threat actor behind an attack campaign that exploits exposed Docker remote API servers. The campaign is distinctive for its initial step: it deploys benign containers built with the open-source GitHub project Commando, which is where the name "Commando Cat" comes from. The campaign has been analyzed in depth by researchers at Cado Security.

According to Cado's findings, the campaign specifically targets Docker API endpoints. The attack sequence uses the exposed Docker API as the initial access vector, then abuses the service to mount the host's filesystem into a container. From there, a series of interdependent payloads are executed directly on the host. The operation is primarily cryptojacking: it consumes the victim's computing resources to mine cryptocurrency.

The identity and origin of the actor remain unclear. Overlaps in scripts and IP addresses have been noted between Commando Cat and other groups such as TeamTNT, which could indicate a connection or simply that Commando Cat imitates them. Either way, the campaign underscores the ongoing risk posed by Docker remote API servers exposed to the internet, and the broader difficulty of keeping such environments secure.
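As an added example, not part of this profile and not tooling from any of the vendors cited, the following Python script checks a host for the two conditions the campaign relies on: a Docker daemon listening on a TCP socket without TLS client verification, and containers whose configuration bind-mounts sensitive host paths (the host root, the Docker socket) or runs privileged. It consumes the JSON shapes produced by `docker inspect` (a list of container objects with `HostConfig` and `Mounts`) and by `/etc/docker/daemon.json`. The sample records embedded below are constructed for illustration, and the list of sensitive host paths is this example's own choice, not a Docker-defined set.

```python
"""Audit Docker for the exposure pattern described above: an unauthenticated
remote API plus containers that bind-mount the host filesystem.

Added example (not from the profile or from Docker). Input formats follow
`docker inspect <container>` (a JSON list) and /etc/docker/daemon.json.
"""
import json

# Host paths that give a container host-level control once bind-mounted.
# This list is an assumption of this example, not a Docker-defined set.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _bind_source(bind):
    """Return the host path of a 'src:dst[:opts]' bind entry, or None for
    named volumes (which do not start with '/')."""
    src = bind.split(":", 1)[0]
    return src if src.startswith("/") else None


def _is_sensitive(path):
    """True if path is one of the sensitive host paths or lies beneath one."""
    norm = path.rstrip("/") or "/"
    for sensitive in SENSITIVE_HOST_PATHS:
        s = sensitive.rstrip("/") or "/"
        if norm == s or (s != "/" and norm.startswith(s + "/")):
            return True
    return False


def audit_containers(inspect_output):
    """Flag containers whose HostConfig grants host access.

    Returns a list of (container_name, finding, detail) tuples.
    """
    findings = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        host_cfg = container.get("HostConfig", {})
        # Host paths reach a container via HostConfig.Binds (as requested at
        # create time) and Mounts (as resolved by the daemon); check both.
        sources = {s for s in map(_bind_source, host_cfg.get("Binds") or []) if s}
        sources |= {m["Source"] for m in container.get("Mounts", [])
                    if m.get("Type") == "bind"}
        for src in sorted(sources):
            if _is_sensitive(src):
                findings.append((name, "host_bind_mount", src))
        if host_cfg.get("Privileged"):
            findings.append((name, "privileged", ""))
        if host_cfg.get("PidMode") == "host":
            findings.append((name, "pid_host", ""))
    return findings


def audit_daemon_config(daemon_json):
    """Flag a daemon that listens on TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    findings = []
    for listener in cfg.get("hosts", []):
        if listener.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(("daemon", "unauthenticated_tcp_api", listener))
    return findings


# Constructed sample data (not captured from a real host).
SAMPLE_INSPECT = [
    {"Name": "/web",
     "HostConfig": {"Binds": ["app-data:/data"], "Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "app-data", "Destination": "/data"}]},
    {"Name": "/suspicious",
     "HostConfig": {"Binds": ["/:/hostfs"], "Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs"}]},
]
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                        '"tlscacert": "/etc/docker/ca.pem"}')

if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_DAEMON_JSON) + audit_containers(SAMPLE_INSPECT):
        print(finding)
```

On a real host, feed `audit_containers` the parsed output of `docker inspect $(docker ps -aq)` and `audit_daemon_config` the contents of `/etc/docker/daemon.json`. The checks cover bind mounts, privileged mode and host PID namespace only; other `HostConfig` fields (added capabilities, device mappings) can grant comparable access and are not covered here.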
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Commando
Votes: 2
Profile Description: Commando is a threat actor identified as being behind the "Commando Cat" attack campaign, which poses significant cybersecurity risks through the abuse of exposed Docker remote API servers. The Commando Cat attack sequence involves deploying benign containers generated using the publicly-available C
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Docker
Backdoor
Exploit
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Commando Cat threat actor was drawn from the documents below (listed as source, date added, title).
DARKReading (2 months ago): 'Commando Cat' Digs Its Claws into Exposed Docker Containers
Trend Micro (2 months ago): Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
DARKReading (6 months ago): 'Commando Cat' Is Second Campaign of the Year Targeting Docker