A threat actor targeting exposed Docker APIs has updated its malicious tooling with more dangerous functionality that could lay the foundation for a complex botnet.
The activity was first reported in June by cybersecurity company Trend Micro, whose researchers analyzed scripts and malicious code that dropped a cryptominer and relied on the Tor network to hide their identity.
Akamai researchers discovered new tooling that deploys not a miner but a more complex payload that can block access to compromised Docker APIs.