# Crypto Miner in hotio/qbittorrent Docker Container

Date: 2025-09-23
Author: Alessandro Pogliaghi
Read Time: ~2 minutes
Tags: #malware #docker #cryptominer #security

---

## Summary

While migrating to a new server, the author discovered an unexpected process with high CPU usage inside the hotio/qbittorrent Docker container, which was used to download Linux ISOs such as the Omarchy ISO.

## Key Findings

- The suspicious process was called `netservlet`.
- Attempts to read the executable from `/proc` failed, indicating the binary had been unlinked (deleted) from the filesystem to hide itself.
- A core dump was generated with `gcore` to analyze the binary without direct access to the executable.
- Running `strings` on the core dump revealed multiple references to cryptocurrency mining operations, such as:
  - Mining protocols and pools (`stratum`, `pool`, `mining.submit`, `mining.authorize`).
  - Cryptocurrency-specific mining terms and functions (`cryptonight`, `ethashcalculatedagitem`).
  - Pool addresses like `auto.c3pool.org:19999`.
  - Configuration options typical of mining software (`--cpu-memory-pool`, `--opencl`, `--cuda`, `--rig-id`).

All of these confirm that `netservlet` is a stealth cryptominer, probably based on XMRig or a variant, running covertly inside the container.

## Additional Notes

- Running `binwalk` on the core dump revealed a large (~1.3 GB) obfuscated gzip archive embedded within the binary.
- Further static analysis with tools like Ghidra is planned to understand the payload more deeply.

---

## Conclusion & Recommendations

- Never blindly trust random Docker images; containers can harbor unauthorized or malicious software.
- Monitor system resource consumption actively to catch unusual behavior early.
- Regularly audit both your host systems and container environments to avoid unpleasant surprises like hidden crypto miners.
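The two signals from the Key Findings above (a running process whose executable has been unlinked, and mining-related strings in its core dump) can be scripted into a quick triage check. This is an added example, not code from the original post or from the hotio project; it assumes a Linux `/proc` layout, and `SAMPLE_CORE` is a constructed fragment, not the real dump.

```python
import os

# Strings the post found in the netservlet core dump, reused here as a
# small indicator list for triaging a core dump or memory blob.
MINING_INDICATORS = (
    "stratum", "mining.submit", "mining.authorize", "cryptonight",
    "c3pool.org", "--rig-id", "--cpu-memory-pool",
)


def exe_is_deleted(exe_target: str) -> bool:
    """True when /proc/<pid>/exe points at an unlinked file: the kernel
    appends ' (deleted)' to the readlink() result in that case."""
    return exe_target.endswith(" (deleted)")


def mining_hits(blob: bytes) -> list:
    """Indicators present in a core dump (a scripted `strings | grep`)."""
    text = blob.decode("latin-1")  # 1:1 byte mapping, never raises
    return [ind for ind in MINING_INDICATORS if ind in text]


def assess(exe_target: str, blob: bytes = b"") -> tuple:
    """Combine the two signals from the post into a verdict for one process."""
    hits = mining_hits(blob)
    deleted = exe_is_deleted(exe_target)
    if deleted and hits:
        return "likely-miner", hits
    if deleted or hits:
        return "suspicious", hits
    return "clean", hits


def scan_proc(proc_root: str = "/proc") -> list:
    """List live processes whose executable has been unlinked from disk.
    Run it inside the container (or as root on the host) to spot the
    netservlet pattern without needing the binary on the filesystem."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:  # kernel thread, already exited, or no permission
            continue
        if exe_is_deleted(exe):
            findings.append((int(entry), comm, exe))
    return findings


# Constructed sample, not the real dump: a fragment shaped like the strings(1) output.
SAMPLE_CORE = b"\x00stratum+tcp://auto.c3pool.org:19999\x00mining.authorize\x00--rig-id\x00cryptonight\x00"
```

For a live process, feed `assess()` the output of `os.readlink("/proc/<pid>/exe")` and the bytes of a `gcore` dump; `scan_proc()` alone already flags the deleted-executable case that first exposed `netservlet`.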
---

## References and Further Discussion

- Hacker News discussion: https://news.ycombinator.com/item?id=45345233
- Lobste.rs discussion: https://lobste.rs/s/6wzpji/cryptominerhotioqbittorrent

---

## Infected Container Image Details

- Registry: `ghcr.io/hotio/qbittorrent`
- Tag: `release`
- Digest: `sha256:3779f89712dbaa8b25fc22897d0b471ee29049b2b0f8d3c192df83b098c84fc5`

---

Made with ❤️ in 🇪🇺 by Alessandro Pogliaghi
GitHub: tatoalo | X: @tatoalo | LinkedIn: alessandro-pogliaghi
License: BSD 3-Clause