Infected Container Image

  • Registry: ghcr.io/hotio/qbittorrent
  • Tag: release
  • Digest: sha256:3779f89712dbaa8b25fc22897d0b471ee29049b2b0f8d3c192df83b098c84fc5

Recently, while migrating to a new server, I discovered a suspicious process running inside a hotio/qbittorrent Docker container.

I mainly use this to download Linux ISOs, like anybody else, right?

I just want to get that sweet sweet Omarchy ISO.

The Problem

While monitoring system resources, I noticed a process consuming unusually high CPU:

$ ps -ef | grep netservlet
1000  758679  756435  99 09:39 ?  00:13:43 ./netservlet

The binary netservlet was unfamiliar, and attempts to inspect it via /proc failed:

$ docker exec qbittorrent cat /proc/758679/exe > /tmp/netservlet
# Output: No such file or directory

This indicates the binary was likely unlinked from the filesystem, pretty much as expected.

Investigation

Since direct access to the executable was blocked, I generated a core dump:

$ gcore -o /tmp/netservlet_core 758679

I could now simply run strings over the dump to take a closer look:

$ strings /tmp/netservlet_core.758679 | grep -Ei 'stratum|pool|wallet|http|crypto|mining|eth|btc'
# gcore appends the PID to the prefix passed with -o

Highlights included:

  • References to cryptocurrency mining: cryptonight, ethash_calculate_dag_item, mining.submit, mining.authorize.
  • Mining pool addresses: auto.c3pool.org:19999.
  • Miner configuration options: --cpu-memory-pool, --opencl, --cuda, --rig-id, http-access-token.

This confirmed that netservlet was a stealth crypto miner, likely XMRig or a variant. I thought we were past crypto bros and had all moved on to AI bros; I was mistaken 😂.
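The two checks above (an executable unlinked after start, and miner markers in a memory dump) are easy to script so they can be rerun on other hosts. The following is an added example, not code from the original post or from the hotio image; it assumes a Linux host with GNU coreutils and grep, and its indicator list is built from the strings hits listed above plus the standard stratum method names.

```sh
#!/bin/sh
# Triage helpers for the netservlet-style case: find processes whose binary was
# deleted from disk, then look for mining markers in a core dump of one of them.

# List PIDs whose executable was unlinked after start; on Linux readlink on
# /proc/PID/exe then ends in "(deleted)". The proc root is a parameter so the
# function can be pointed at a host /proc mounted elsewhere (or at a test fixture).
# Output: "PID comm target", one line per hit.
deleted_exes() {
  root="${1:-/proc}"
  for p in "$root"/[0-9]*; do
    [ -d "$p" ] || continue
    target=$(readlink "$p/exe" 2>/dev/null) || continue
    case "$target" in
      *'(deleted)'*)
        printf '%s %s %s\n' "${p##*/}" "$(cat "$p/comm" 2>/dev/null)" "$target" ;;
    esac
  done
}

# Scan a core dump (or any binary) for miner-specific markers: stratum protocol
# methods, CryptoNight/ethash/RandomX, XMRig flags and the c3pool host seen above.
# grep -a treats the binary as text; -o prints each match on its own line.
# Prints the distinct matches, lowercased and sorted in the C locale.
miner_indicators() {
  grep -aEio 'stratum\+tcp|cryptonight|ethash|randomx|mining\.(submit|authorize|subscribe|notify)|c3pool|--rig-id|--cpu-memory-pool' "$1" \
    | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Typical use on the live host (PID taken from ps -ef, as in the post):
#   deleted_exes
#   gcore -o /tmp/core PID && miner_indicators /tmp/core.PID
```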

Just for fun, I also ran binwalk against the dump, which ended up with a 1.3GB gzip archive. We couldn’t just unzip it, though, due to obfuscation.

I will analyze it in Ghidra later; today I should be OOO lol.

Conclusion

Remember:

  • Never trust random Docker images—your containers aren’t magic elves.
  • Keep an eye on system resources—they have feelings too.
  • Audit your host and containers often—because surprises are only fun at parties.