Threat Watch

New Kubernetes Malware Backdoors Clusters Via Windows Containers

A researcher at Unit 42 has discovered a new malware that has been active for over a year. The malware has been named Siloscape and is the first malware that has been seen exploiting known vulnerabilities impacting web servers and databases with the end goal of compromising Kubernetes nodes and backdooring clusters. Kubernetes was initially developed by Google and is currently maintained by the Cloud Native Computing Foundations. It is an open-source system that helps automate the deployment, scaling, and management of containerized workloads, services, and apps over clusters of hosts. According to researchers, Siloscape is heavily obfuscated and targets Kubernetes clusters through Windows containers. This is the first time that researchers have observed Kubernetes targeted through Windows—more often, Kubernetes clusters are targeted through Linux due to how often Linux is used in cloud environments. Once it compromises the web servers, Siloscape uses various container escape tactics to achieve code execution on the underlying Kubernetes node. The malware will then probe the node for credentials to try and spread to other nodes. In the final stage of infection, the malware established a Command and Control (C2) server connection through an IRC server over the Tor network.


Most malware targeting cloud environments has an end goal of crypto-mining, but, in this case, the malware is being used to open the way for its operators to abuse the compromised cloud infrastructure leaving the victims vulnerable to ransomware, credentials theft, data exfiltration, and supply chain attacks. Researchers recommend that Kubernetes admins are advised to switch from Windows containers to Hyper-V containers and ensure that their cluster is securely configured to prevent malware like Siloscape from deploying new malicious containers.

IOC’s can be found here:

More can be read here: