Siloscape malware threatens cloud environments by targeting Windows containers


What you need to know

  • Malware that targets Windows containers was discovered in March 2021.
  • The man who found it, Daniel Prizmant, dubbed it "Siloscape."
  • Siloscape aims to steal data and inject cryptocurrency miners.

Daniel Prizmant of Unit 42, the threat intelligence and security consulting arm of Palo Alto Networks, says he has discovered "the first known malware targeting Windows containers." Unit 42 has announced the discovery of Siloscape and described the danger the malware poses to cloud environments. The group has seen malware that goes after Linux containers before, "due to the popularity of that operating system in cloud environments," but it credits Siloscape with being the first to go after Windows containers.

"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," Prizmant said in his highly technical blog post outlining Siloscape and the threat it poses. "Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers."

Compromising an entire cluster lets the attacker do far more damage than access to a single container would. With cluster access, an attacker can reach usernames, login credentials, and whole databases: whatever is hosted in the cluster, and whatever the applications running there can touch, is exposed to exfiltration by Siloscape.


Image credit: Palo Alto Networks / Unit 42

Exfiltrating stolen data is not the only activity Siloscape is built for. It can also drop cryptojackers that divert the cluster's compute resources to cryptocurrency mining.

"We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign," Prizmant stated in his post. "I also discovered that this campaign has been taking place for more than a year."

The post recommends following Microsoft's guidance that process-isolated Windows Server containers should not be treated as a security boundary, and using Hyper-V isolation instead wherever a container has to hold untrusted or exposed workloads. If you want the full scoop on Siloscape, read Prizmant's blog post at Unit 42. The key takeaway is that mainstream cloud hacking is here, and cluster and container configuration is what decides how far an intrusion like this one can spread.
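The Hyper-V isolation advice above is only useful if you can tell which containers on a host are actually running with it. The PowerShell below is an added example, not code from the Unit 42 post or from Windows Central: it reads the JSON that `docker inspect` emits on a Windows container host and flags every container that lacks a hypervisor boundary. The function name `Get-ContainerIsolationReport` and the two-container JSON sample are constructed for this example so that it runs offline; the `HostConfig.Isolation` field and the `--isolation=hyperv` flag are real Docker interfaces.

```powershell
# Added example (not from the Unit 42 post): audit Windows containers on a Docker host
# for their isolation mode. Microsoft's guidance is that process-isolated Windows Server
# containers are not a security boundary; Hyper-V isolation is the one to rely on.
# Assumes Docker/Moby on a Windows host; the sample JSON below is constructed so the
# script runs without a live daemon.

function Get-ContainerIsolationReport {
    param(
        # JSON as emitted by: docker inspect $(docker ps -q)
        [Parameter(Mandatory)] [string] $InspectJson
    )
    $containers = $InspectJson | ConvertFrom-Json
    foreach ($c in $containers) {
        $isolation = $c.HostConfig.Isolation
        # Docker reports "default" (or nothing) when no --isolation flag was given.
        # On Windows Server that means process isolation; on Windows 10/11 it means hyperv.
        $effective = if ([string]::IsNullOrEmpty($isolation) -or $isolation -eq 'default') {
            'default (process on Windows Server)'
        } else {
            $isolation
        }
        [pscustomobject]@{
            Name      = $c.Name.TrimStart('/')
            Image     = $c.Config.Image
            Isolation = $effective
            Risk      = if ($effective -eq 'hyperv') { 'ok' } else { 'REVIEW: no hypervisor boundary' }
        }
    }
}

# Constructed sample standing in for live `docker inspect` output: one process-isolated
# container and one Hyper-V-isolated container.
$sample = @'
[
  { "Name": "/web-frontend",
    "Config": { "Image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022" },
    "HostConfig": { "Isolation": "process" } },
  { "Name": "/batch-worker",
    "Config": { "Image": "internal/worker:1.4" },
    "HostConfig": { "Isolation": "hyperv" } }
]
'@

Get-ContainerIsolationReport -InspectJson $sample | Format-Table -AutoSize

# Against a real host, feed the function live data and keep only the findings:
#   $live = docker inspect $(docker ps -q) | Out-String
#   Get-ContainerIsolationReport -InspectJson $live | Where-Object Risk -ne 'ok'
# And start new containers with the hypervisor boundary stated explicitly:
#   docker run --isolation=hyperv mcr.microsoft.com/windows/servercore:ltsc2022
```

Running it against the constructed sample lists `web-frontend` as needing review and `batch-worker` as ok. On a Kubernetes node the same `docker inspect` data (or the containerd equivalent) is what tells you whether a container escape would land directly on the node, which is the situation the "poorly configured" clusters in the Unit 42 post are in.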

Robert Carnevale

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395.