An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash script, sets environment variables, and downloads a malicious binary disguised as a PHP extension. Attackers use evasion techniques like checking for similar processes and creating custom functions to download files. The malware employs persistence strategies using systemd or cron jobs. The attack leverages privileged container modes and shared PID namespaces to gain access to the host system. Recommendations include securing Docker Remote API servers, implementing strong access controls, and regularly monitoring for suspicious activities.