
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack


Ukrainian organizations have repeatedly fallen victim to Russian-sponsored cyberattacks. In early 2022, a set of malicious programs called WhisperGate was launched against a number of government agencies. On February 23 of the same year, Ukraine was threatened by a new wiper called DriveSlayer, which was disguised as a ransomware program, PartyTicket. But such actions by criminals could not go unanswered.

Between February 27 and March 1, 2022, Docker Engine honeypots were observed to have been compromised in order to execute two different Docker images targeting Russian and Belarusian websites in a denial-of-service (DoS) attack. Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The UIA previously called on its members to perform distributed denial-of-service (DDoS) attacks against Russian targets. There may be a risk of retaliatory activity by threat actors supporting the Russian Federation against organizations whose infrastructure is unwittingly leveraged to conduct disruptive attacks against government, military and civilian websites.

Initial Compromise via Exposed Docker Engine

The honeypot was compromised via an exposed Docker Engine API, a technique that is commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines.
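Two checks a defender can run on a Docker host, written here as an added example (this is not code from the CrowdStrike analysis): one parses /etc/docker/daemon.json and flags tcp:// API listeners that lack tlsverify or bind to every interface, the other matches tab-separated docker ps output against the two image names reported in the analysis. The daemon.json samples, the docker ps output and the "@sha256:PLACEHOLDER" digest are all constructed.

```python
import json
from dataclasses import dataclass

# Docker Hub image names reported in the analysis as the DoS payloads.
KNOWN_DOS_IMAGES = ("abagayev/stop-russia", "erikmnkl/stoppropaganda")

@dataclass
class Finding:
    subject: str
    severity: str
    reason: str

def audit_daemon_json(text: str) -> list:
    """Flag Docker Engine API listeners reachable over the network. A tcp://
    host entry without tlsverify lets anyone who can reach the port create
    and start containers, which is how an exposed engine gets compromised."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not cfg.get("tlsverify", False):
            findings.append(Finding(host, "high", "tcp listener without tlsverify (unauthenticated API)"))
        elif bind_addr in ("", "0.0.0.0", "[::]"):
            findings.append(Finding(host, "medium", "TLS-verified but bound to every interface"))
    return findings

def find_known_images(ps_output: str) -> list:
    """Match tab-separated '<image>\\t<name>' lines (docker ps --format output)
    against the known image names, ignoring registry prefix, tag and digest."""
    hits = []
    for line in ps_output.splitlines():
        image, _, name = line.partition("\t")
        repo = image.split("@", 1)[0]                # drop @sha256:... digest
        head, _, last = repo.rpartition("/")
        repo = f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]
        if repo in KNOWN_DOS_IMAGES or any(repo.endswith("/" + k) for k in KNOWN_DOS_IMAGES):
            hits.append(Finding(name, "high", f"container running {image}"))
    return hits

# Constructed samples: a weak daemon.json, a hardened one, and docker ps output.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
                        '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                        '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
SAMPLE_PS = ("nginx:1.21\tweb\n"
             "abagayev/stop-russia:latest\tjolly_wu\n"
             "docker.io/erikmnkl/stoppropaganda@sha256:PLACEHOLDER\tpropaganda_dos")
```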

Technical Analysis

The first Docker image that was observed — called abagayev/stop-russia — is hosted on Docker Hub. This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier with SHA256 hash


that uses HTTP-based requests to stress-test a website. In this case, this tool was abused as a DoS tool that starts automatically when a new container based on the Docker image is created. Upon starting, the target-selection routine picks a random entry from a hard-coded target list. Later versions of this Docker image alternatively pick one of the first 24 entries of the target list, based on the current hour.

Figure 1. Excerpt of targeted websites

The deployed image was updated once on March 1, 2022. The most significant difference between the two versions of this image is that the target list was expanded. The target list contains Russian websites from the following sectors: government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture, transportation and political parties. Also on March 1, 2022, Belarusian websites from the media, retail, government and military sectors were added to the target list. CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API. This assessment is made with moderate confidence, based on three separate incidents showing analogous timelines.

The second Docker image is named erikmnkl/stoppropaganda. This image has been downloaded over 50,000 times from Docker Hub. Again, the portion of these downloads that originated from compromised machines is unknown. The image contains a custom Go-based DoS program named stoppropaganda that has the following SHA256 hash


that sends HTTP GET requests to a list of target websites, overloading them with requests. The attack focused on Russian and Belarusian websites in the same sectors: government, military, energy, mining, retail, media and finance. Furthermore, three Lithuanian media websites fell victim to the attack.

Figure 2. Excerpt of targeted websites

CrowdStrike Detection

The CrowdStrike Falcon platform protects customers from post-exploitation activity with its runtime protection and cloud-based machine learning models. As can be seen in Figure 3, when the Docker container is run on a host with the Falcon Sensor for Linux installed, the malicious DoS process from the erikmnkl/stoppropaganda image is terminated by Falcon’s cloud-based machine learning model.

Figure 3. CrowdStrike’s cloud-based machine learning model kills the malicious process


Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA, which called on its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses that these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.

Indicators of Compromise (IOCs)

Image Name | Image Digest

Filename | SHA256 Hash


The following Snort rule can be used to detect HTTP requests sent by erikmnkl/stoppropaganda:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "Detects DoS HTTP request sent by erikmnkl/stoppropaganda tool"; flow:to_server, established; content:"Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"; http_header; content:"GET"; http_method; classtype:trojan-activity; metadata:service http; sid:8001951; rev:20220420;)
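Added example, not part of the original analysis: the same User-Agent match the Snort rule performs, applied to constructed egress-proxy lines in combined log format, with a per-source rate threshold added because the rule's User-Agent is the stock Chrome 98 on Windows string and matches ordinary browser traffic on its own. The log lines, source addresses and the target hostname are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exact User-Agent string matched by the Snort rule above.
STOPPROPAGANDA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")

# Combined log format: src ident user [time] "method url proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return a dict with src, ts (aware datetime), method, url, ua; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_dos_sources(lines, window_s=10, threshold=50):
    """Map source address -> total matching requests for every source that sent
    more than `threshold` GETs with the tool's UA inside any `window_s`-second
    window. The UA alone is too common to alert on; the request rate is the signal."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["ua"] == STOPPROPAGANDA_UA:
            per_src[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):            # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged[src] = len(times)
                break
    return flagged

def _mk(src, sec, ua):
    return (f'{src} - - [01/Mar/2022:10:15:{sec:02d} +0000] "GET http://target.invalid/ HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample: 60 requests in 5 seconds from one host, plus one unrelated request.
SAMPLE_LOG = [_mk("10.0.0.23", s // 12, STOPPROPAGANDA_UA) for s in range(60)]
SAMPLE_LOG.append(_mk("10.0.0.9", 5, "curl/7.81.0"))
```

The Snort rule watches traffic from $HOME_NET to $EXTERNAL_NET, so this is meant for outbound logs of the monitored hosts, where a server emitting a browser User-Agent at a high rate is the anomaly rather than the User-Agent itself.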

iIT Distribution is the official distributor of CrowdStrike solutions in the territories of Ukraine, Kazakhstan, Georgia and Uzbekistan. At this difficult time, we strongly recommend that you take care of reliable cybersecurity. We will help you select the optimal protection solution and provide support at all stages of its implementation.

