Dero miner spreads inside containerized Linux environments
Essential information
- Published: 21/05/2025 23:03
- Modified: 22/05/2025 09:51
- Tags: 2025-05-21, cloud, container security, cryptocurrency mining, dero, docker, golang, malware, linux, nginx, persistence, port scanning
- Related entities: 3 observables, 7 techniques (MITRE), 1 malware
Description
A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx', which handles propagation, and 'cloud', which performs the mining. The 'nginx' component scans for vulnerable Docker hosts, creates malicious containers on them, and compromises the containers already running there. It maintains persistence and spreads on its own, with no command-and-control server. The 'cloud' component is a modified DeroHE CLI miner with the wallet and node addresses hardcoded into the binary. The campaign illustrates the risk created by Docker APIs published without proper access controls and the need for robust container security measures.