Dero miner zombies biting through Docker APIs to build a cryptojacking horde
Essential information
- Published
- 21/05/2025 14:13
- Modified
- 21/05/2025 22:13
- Tags
- 2025-05-21 cloud containerized environments cryptocurrency mining dero docker exploitation golang malware linux nginx
- Related entities
- 3 observables, 9 techniques (mitre)
Description
A new Dero mining campaign exploits insecurely exposed Docker Engine APIs to spread through containerized Linux environments. The attack uses two Golang malware implants: 'nginx', which handles propagation, and 'cloud', which mines the cryptocurrency. The 'nginx' implant scans for unauthenticated Docker APIs, creates new malicious containers through them and compromises the containers that already exist on the host. It maintains persistence and spreads without a command-and-control server, each infected host scanning for further victims on its own. The 'cloud' miner is built on the open-source DeroHE CLI project, with the attacker's wallet and node addresses hardcoded into the binary. Unlike earlier Dero attacks on Kubernetes clusters, this campaign spreads actively and therefore compromises more networks. The threat highlights the importance of securing containerized infrastructure, in particular never exposing the Docker API without authentication, and of monitoring for malicious container activity.
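The description above says the 'nginx' implant scans for Docker APIs that answer without authentication and then uses them to create and list containers. The following is an added example, not code from the report or from the malware: a self-audit probe in Go that asks the same question of a host you own, so an exposed daemon is found before the worm finds it. It assumes the target speaks plain HTTP (the daemon's unencrypted tcp:// listener, port 2375 by convention) and that the Engine API endpoints /_ping, /version and /containers/json behave as Docker documents them; the default target URL in main is a placeholder.

```go
// Added example (not part of the original report or the malware): probe a
// host for an unauthenticated Docker Engine API, the precondition the
// 'nginx' implant needs before it can create or compromise containers.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// Exposure summarises what an unauthenticated client can learn. Reachable
// means the daemon served /_ping without demanding a client certificate,
// which is all an attacker needs to drive the API.
type Exposure struct {
	Reachable  bool
	APIVersion string
	Engine     string // "<Version>/<Os>" from GET /version
	Containers int    // containers an attacker could target, stopped ones included
}

// versionInfo is the subset of GET /version that the probe reports.
type versionInfo struct {
	Version    string `json:"Version"`
	APIVersion string `json:"ApiVersion"`
	Os         string `json:"Os"`
}

// ProbeDockerAPI issues three unauthenticated GETs. /_ping is the cheapest
// fingerprint: a Docker daemon answers with the body "OK" and an Api-Version
// header. Anything else (a real nginx, a TLS-only listener, a proxy) is
// reported as not reachable rather than as an error.
func ProbeDockerAPI(baseURL string, timeout time.Duration) (Exposure, error) {
	client := &http.Client{Timeout: timeout}
	base := strings.TrimRight(baseURL, "/")
	var ex Exposure

	resp, err := client.Get(base + "/_ping")
	if err != nil {
		return ex, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return ex, err
	}
	if resp.StatusCode != http.StatusOK ||
		strings.TrimSpace(string(body)) != "OK" ||
		resp.Header.Get("Api-Version") == "" {
		return ex, nil
	}
	ex.Reachable = true
	ex.APIVersion = resp.Header.Get("Api-Version")

	// GET /version: engine version and OS, useful when prioritising fixes.
	resp, err = client.Get(base + "/version")
	if err != nil {
		return ex, err
	}
	var v versionInfo
	err = json.NewDecoder(resp.Body).Decode(&v)
	resp.Body.Close()
	if err != nil {
		return ex, err
	}
	ex.Engine = v.Version + "/" + v.Os

	// GET /containers/json?all=true: the listing an implant would use to pick
	// existing containers to compromise. The probe only counts them.
	resp, err = client.Get(base + "/containers/json?all=true")
	if err != nil {
		return ex, err
	}
	var list []json.RawMessage
	err = json.NewDecoder(resp.Body).Decode(&list)
	resp.Body.Close()
	if err != nil {
		return ex, err
	}
	ex.Containers = len(list)
	return ex, nil
}

func main() {
	target := "http://127.0.0.1:2375" // placeholder; pass the real URL as argv[1]
	if len(os.Args) > 1 {
		target = os.Args[1]
	}
	ex, err := ProbeDockerAPI(target, 3*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	if !ex.Reachable {
		fmt.Println(target, "does not expose an unauthenticated Docker API")
		return
	}
	fmt.Printf("EXPOSED %s: api %s, engine %s, %d containers reachable\n",
		target, ex.APIVersion, ex.Engine, ex.Containers)
	os.Exit(1)
}
```

The probe only reads, so it is safe to run against production hosts. A non-zero exit on an exposed daemon makes it easy to wire into a scheduled check. If it reports EXPOSED, the fix is to stop listening on tcp:// altogether and use the Unix socket, or, where remote access is genuinely needed, to start dockerd with --tlsverify and issue client certificates, so that the unauthenticated requests this tool and the worm send are rejected at the TLS handshake.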