{"id":51636,"date":"2023-04-26T00:00:00","date_gmt":"2023-04-26T00:00:00","guid":{"rendered":"urn:uuid:43d8a539-e136-ce62-821a-dea5c807a9d7"},"modified":"2023-04-26T00:00:00","modified_gmt":"2023-04-26T00:00:00","slug":"attackers-use-containers-for-profit-via-trafficstealer","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/","title":{"rendered":"Attackers Use Containers for Profit via TrafficStealer"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trafficstealer-piggybacks-on-containers-for-traffic-monetization-cloud-pua.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,cyber crime,privacy &amp; risks,network,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2023-04-26\"> <meta property=\"article:tag\" content=\"cloud\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer.html\"> <title>Attackers Use Containers for Profit via TrafficStealer<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer.html\"><br \/>\n<meta property=\"og:title\" content=\"Attackers Use Containers for Profit via TrafficStealer\"><br \/>\n<meta property=\"og:description\" content=\"We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trafficstealer-piggybacks-on-containers-for-traffic-monetization-cloud-pua.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Attackers Use Containers for Profit via TrafficStealer\"><br \/>\n<meta name=\"twitter:description\" content=\"We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trafficstealer-piggybacks-on-containers-for-traffic-monetization-cloud-pua.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.416452686638\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"296887738\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.7428571428571\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.842857142857\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.<\/p>\n<p class=\"article-details__author-by\">By: Alfredo Oliveira <time class=\"article-details__date\">April 26, 2023<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"45.53125\">\n<div readability=\"37.208333333333\">\n<p>Our team deploys <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/container\">containers<\/a> and containerized honeypots to monitor any unwanted activities, as well as to reinforce <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/virtualization-and-cloud\/cloud-security-key-concepts-threats-and-solutions\">cloud security<\/a> solutions and recommendations. While these honeypots frequently capture cryptocurrency miners trying to exploit computational resources, we recently discovered a different type of attack: a piece of <a href=\"https:\/\/traffmonetizer.com\/\">software<\/a> that leverages Docker containers to generate money through monetized traffic. Although the piece of software itself appears to be legitimate, it likely has compromised components that result in monitoring as a potentially unwanted application (<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/potentially-unwanted-app\">PUA<\/a>).<\/p>\n<p>During analysis, we noticed a dataset captured by one of our honeypots; this is unusual, as we did not program our honeypots to do so. Instead of cryptocurrency-mining software or Linux commands likely running reconnaissance, however, we found an unfamiliar program running in the background \u2014 a container using our lab network to generate money by driving traffic to specific websites and engaging with ads. The attackers had turned our honeypot into a revenue-generating machine for themselves, but they also left some valuable information behind, allowing us to gain a better understanding of their tactics and gather valuable learnings from this experience.<\/p>\n<p>From the JavaScript Object Notation (JSON) honeypot log we got, we identified information on the targeted IP address, country, traffic movement from the honeypot, timestamp of when the attacks were conducted, token, environment path, and actions taken with the container. We are also continuously monitoring the development of this routine because, as of this writing, the Docker image is still publicly available for download.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-1-attackers-use-containers-for-profit-via-trafficstealer.jpg\" alt=\"fig1-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 1. The JSON file with details of the compromise that happened on the third week of March<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<p>One trend that has developed over time is the tendency of attackers to now use either established services or base images rather than crafting their own container image, publishing it, and pulling from their repositories. What we are seeing now is an increased use of those valid images, with the infection or malicious routine starting on or after the deployment through variables and parameters. In this case, YAML structures can be helpful to automate these attacks.<\/p>\n<p><span class=\"body-subhead-title\">How it works<\/span><\/p>\n<p>The container image we spotted in our environment is published by a service that offers \u201ctraffic monetization.\u201d The term can be applied in a broader sense and mean different types of services, but in this case, the service promises to pay users who are willing to install the piece of software that takes traffic from various mobile app users and proxies it via this container app. Supposedly, the subscriber receives some money in return for routing their network traffic through the subscriber\u2019s own network. Upon signing up for the service, the user receives a unique token that serves as an ID, which will later be configured and used for retrieving the possible revenue.<\/p>\n<p>Once the attacker\u2019s piece of software or container is installed or run, there is no visibility on the traffic using the subscriber\u2019s device as proxy.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-2-attackers-use-containers-for-profit-via-trafficstealer.jpg\" alt=\"fig2-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 2. Regular service routine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Losing visibility over what is running through the network is a bad idea, but running these kinds of services unknowingly can create an even worse scenario. In the case of our honeypot (and similar to previous attacks that exploited vulnerabilities and misconfigurations to deploy coinminers using containers), this service can be weaponized for attackers to generate revenue. Instead of targeting the CPU, however, the target here is the network traffic to take advantage of victims and generate money.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-3-attackers-use-containers-for-profit-via-trafficstealer.jpg\" alt=\"fig3-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 3. Potential attack routine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"50\">\n<div readability=\"45\">\n<p>The piece of software, which we have dubbed &#8220;TrafficStealer,&#8221; operates using a combination of techniques. Under the assumption that we are running the container and the application ourselves, the developers claim there is nothing illegal in the traffic; however, they also claim to not own any of the traffic generated on the client.<\/p>\n<p>The following are some examples of typically routed traffic on these services:<\/p>\n<ol>\n<li><b>Web crawling.<\/b> This involves scanning the internet for websites that have a high potential for ad revenue. The cybercriminals then target these sites, driving traffic to them through the network.<\/li>\n<li><b>Click simulation.<\/b> Once the targeted websites have been identified, the software generates fake clicks on the ads displayed on those sites. This increases the perceived engagement with the ads, leading to higher ad revenue for the attackers.<\/li>\n<\/ol>\n<p>All the traffic exchanged with the server is encrypted, and the communication uses an unusual TCP port, which can make activities dubious. Legitimate clients trying to measure the performance of their ads not only have to pay for traffic utilization but also have unknown traffic being routed through their respective networks.<\/p>\n<p>The official service requires the user to create an account for generating a token to be used as a parameter, as well as a unique ID to run the service locally. The attacker that used it on our environment hard-coded their token, passing it as a parameter on container creation.<\/p>\n<p>Looking for a similar behavior on code repositories, we found examples of this same behavior on Dockerfile and <i>docker-compose.yaml<\/i> files. In some instances, the same behavior could be observed even on cloud pipeline YAML files. YAML configuration files provide structure in giving software configurations and parameters to applications and software, while the cloud pipeline allows for the automation of cloud services\u2019 deployment, run, and modification. In this specific case, the developers and publishers of these YAML files automated the process to publish the configuration file and automatically deploy it to the cloud. This results in faster malware service deployment, automation, and most importantly, attack scaling. Given these files and behaviors, the more runners are deployed, the higher the income collected by the attacker.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-4-attackers-use-containers-for-profit-via-trafficstealer.jpg\" alt=\"fig4-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 4. Public Docker file (top), \u201ccloud-pipeline.yaml\u201d (middle), and docker-compose.yaml files (bottom) with a hard-coded token<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Another aspect of the intrusion that caught our attention was the fact that the attacker never created a TTY (a telephone typing command-line interface input terminal where the user interacts with the machine without a graphic interface), which is usually a sign of automated attacks. When attackers want to conduct reconnaissance, or when the attack is more targeted, it is common to see the TTY parameter as \u201cTrue.\u201d In cases of automated and container attacks that are analogous as worm attacks, these options are often &#8220;False.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-5-attackers-use-containers-for-profit-via-trafficstealer.png\" alt=\"fig5-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 5. Showing the option for interaction terminal being set to &#8220;False\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>One of these services offers a comprehensive web dashboard where an attacker can monitor how the infected nodes are working, including some information about the operating system and the IP address.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-6-attackers-use-containers-for-profit-via-trafficstealer.jpg\" alt=\"fig6-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 6. Service dashboard showing details from the environment and traffic revenue<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>The image that was used to infect our honeypot was pulled 500,000 times from Docker Hub alone, processing 15 MB in a matter of seconds. From that data reference, it is hard to estimate how many legitimate sites are running it willingly on their respective environments.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>The discovery of this containerized TrafficStealer highlights how threat actors adapt their techniques to take advantage of new and popular platforms. In our own honeypot run and study of the data, 500,000 containers were pulled from a single image at some point in time either for running the container or for inflating the numbers. For some of the subscribers who are aware and supposedly profiting from this service, they might not be reaping the promised returns on capital expenses such as the initial subscription they paid for cloud services. However, some unwitting users might be running it and generating revenue for attackers unknowingly. This implies losses in charges made for cloud services. Moreover, the users did not authorize the piece of software to run on their respective environments (specifically as a PUA), and thereby likely have no control over the traffic that uses the network as a proxy. If the network is being used for criminal activities, the IP address of either the unwitting user or organization is the one that is logged.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer\/figure-7-trafficstealer-piggybacks-containers-traffic-monetization.jpg\" alt=\"fig7-attackers-use-containers-for-profit-via-trafficstealer\"><figcaption>Figure 7. Public container advertising easy money and supported platforms (top) and another public container logging more than 500,000 pulls (middle); we also found this routine on GitHub Actions (GHA) that ran for 10 hours proxying unknown traffic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41\">\n<div readability=\"27\">\n<p>In addition, the use of either established services or base images (instead of crafting an entirely new one and publishing it) helps automate attacks with this scope. While it does not give a heightened advantage, it is comparable to using compose for benign processes and helping with automation. While we\u2019ve only found Docker currently being abused, the majority of container-powered platforms, such as Kubernetes and Amazon Elastic Container Server (ECS), can also be abused. If routines like these continue running and are not found to be malicious per se, this routine or scheme can yield a profitable sum even for short periods for those deploying it.<\/p>\n<p>We have yet to complete our analysis to understand the scope and breadth of this technique and routine, but we continue to monitor this technique and deployment to understand the possible illicit activities that can abuse it. To mitigate the risks that threats like TrafficStealer can pose to systems, networks, and containers, here are some best practices we recommend:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Employ zero-trust security&nbsp;on all container environments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Do not leave container APIs&nbsp;unsecured.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Implement a container authorization policy. No container should be allowed to run without being scanned, signed, and approved.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Include and\/or implement an antimalware scan policy for container images.<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Indicator of Compromise (IOC)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Description<\/th>\n<th scope=\"col\">Detection<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>856963cece315dea93a685a9cc76cc2c75a8625694c03c3e15a2bc1a7876606c<\/td>\n<td>traffmonetizer.dmg<\/td>\n<td>Proxyware.MacOS.TraffMoney.A<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/d\/attackers-use-containers-for-profit-via-trafficstealer.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":51637,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9521,9511,9523,9536],"class_list":["post-51636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-network","tag-trend-micro-research-privacyrisks"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-04-26T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trafficstealer-piggybacks-on-containers-for-traffic-monetization-cloud-pua.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Attackers Use Containers for Profit via TrafficStealer\",\"datePublished\":\"2023-04-26T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/\"},\"wordCount\":1626,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Network\",\"Trend Micro Research : Privacy&amp;Risks\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/\",\"name\":\"Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg\",\"datePublished\":\"2023-04-26T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg\",\"width\":2560,\"height\":1008},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-use-containers-for-profit-via-trafficstealer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Attackers Use Containers for Profit via TrafficStealer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/","og_locale":"en_US","og_type":"article","og_title":"Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-04-26T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/trafficstealer-piggybacks-on-containers-for-traffic-monetization-cloud-pua.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Attackers Use Containers for Profit via TrafficStealer","datePublished":"2023-04-26T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/"},"wordCount":1626,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/04\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Network","Trend Micro Research : Privacy&amp;Risks"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/","url":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/","name":"Attackers Use Containers for Profit via TrafficStealer 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/04\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg","datePublished":"2023-04-26T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/04\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/04\/attackers-use-containers-for-profit-via-trafficstealer-scaled.jpg","width":2560,"height":1008},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/attackers-use-containers-for-profit-via-trafficstealer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Attackers Use Containers for Profit via TrafficStealer"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51636"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51636\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51637"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}