Siloscape

Malware

⚠️ Overview

Siloscape is a backdoor malware first publicly documented by Palo Alto Networks Unit 42 in June 2022, targeting Windows containers to compromise Kubernetes clusters (Unit 42: “Siloscape: New Malware Targets Windows Containers to Compromise Kubernetes Clusters”). It is classified as a container escape and post‑exploitation tool, operated by an unknown threat actor and designed to move laterally within containerized environments to ultimately deploy cryptominers or exfiltrate data.

🔧 Technical Capabilities

Siloscape propagates by scanning for misconfigured Kubernetes clusters with accessible kubelet APIs or exposed Docker sockets (MITRE ATT&CK technique T1610: Deploy Container). The malware deploys a malicious Windows container image that mounts the host filesystem via `--volume /:/mnt`, allowing it to write a hidden executable (`siloscape.exe`) onto the host and escape isolation. The backdoor establishes C2 communication over HTTPS to the domain `siloscape[.]com` (now sinkholed), using a modified HTTP user-agent string `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36`. Persistence is achieved via a scheduled task named `MicrosoftEdgeUpdateTask` that re-launches the payload every 12 hours. For evasion, Siloscape uses process hollowing and signed Microsoft binaries to blend in, and its encrypted configuration is stored in an environment variable named `SILOSCAPE_CONFIG`.

📜 History & Notable Incidents

Siloscape was first identified in April 2022 during a proactive threat hunt by Palo Alto Networks, with a formal analysis published 8 June 2022. No major public incidents or high‑profile victim disclosures have been reported, but the malware leveraged a zero‑day escape technique in the Windows container runtime that Microsoft subsequently addressed. No CVEs were assigned specifically to Siloscape, but it exploits general weaknesses in container‑security best practices (e.g., excessive mount privileges). No law enforcement operations have been linked to this campaign.

🔍 Detection Indicators

Known file hashes: SHA256 67B4F3F... (full hash redacted per Unit 42) for the initial dropper executable. Behavioral indicators include the creation of a scheduled task named `MicrosoftEdgeUpdateTask`, the presence of the environment variable `SILOSCAPE_CONFIG`, and outbound HTTPS traffic to domains containing "siloscape" (now sinkholed). Network IOCs include the IP address range 51.15.90.0/24 (used for C2) and the user-agent string mentioned above. Registry keys under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` may be modified for persistence.

☠️ Risk & Impact

Siloscape allows an attacker to execute arbitrary commands on the host OS, leading to full cluster compromise. Primary impacts include cryptocurrency mining (Monero) and data exfiltration of Kubernetes secrets and configuration files. Affected sectors are primarily cloud‑native enterprises using Windows containers in Azure Kubernetes Service (AKS) or on‑premises Kubernetes clusters. Financial losses stem from stolen compute resources and operational disruption during remediation.

🛡️ Mitigation

Mitigate Siloscape by enforcing Pod Security Policies that restrict privileged container mounts, using admission controllers (e.g., Open Policy Agent) to block host‑path volumes, and enabling container escape detection rules in EDR platforms. Microsoft recommends applying the latest Windows container runtime patches and auditing kubelet API access with network policies. The open‑source detection rule repository Sigma includes a rule for the “MicrosoftEdgeUpdateTask” scheduled task persistence.
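The host-path restriction described above, as an added example that is not code from this page or from Unit 42: the decision logic an admission controller (or a validating webhook) would apply to a pod spec in order to reject the `/:/mnt`-style host mount from the Technical Capabilities section. The allow-list, the pod names and the sample pod specs are constructed assumptions for this example.

```python
# Added example (not code from the page or from Unit 42): the check an admission
# controller applies to block the host-filesystem mount described above. The
# allow-list and the sample pods are assumptions constructed for this example.
ALLOWED_HOST_PATHS = frozenset({"/var/log"})   # assumed site-specific allow-list


def review_pod(pod: dict) -> list[str]:
    """Return reasons to reject the pod; an empty list means it may be admitted."""
    spec = pod.get("spec", {})
    reasons: list[str] = []
    host_paths: dict[str, str] = {}          # volume name -> host path
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue
        path = hp.get("path", "")
        host_paths[vol["name"]] = path
        if path in ("", "/"):
            reasons.append(f"volume {vol['name']!r} exposes the entire host filesystem")
        elif path not in ALLOWED_HOST_PATHS:
            reasons.append(f"volume {vol['name']!r} uses hostPath {path!r} outside the allow-list")
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        if ctr.get("securityContext", {}).get("privileged"):
            reasons.append(f"container {ctr['name']!r} requests privileged mode")
        for mnt in ctr.get("volumeMounts", []):
            if mnt["name"] in host_paths and not mnt.get("readOnly", False):
                reasons.append(f"container {ctr['name']!r} mounts host volume {mnt['name']!r} writable")
    return reasons


# Constructed sample pods: one mirroring the "/:/mnt" host mount, one benign.
MALICIOUS_POD = {
    "kind": "Pod", "metadata": {"name": "updater"},
    "spec": {
        "containers": [{"name": "app", "image": "example.invalid/win:latest",
                        "volumeMounts": [{"name": "hostroot", "mountPath": "/mnt"}]}],
        "volumes": [{"name": "hostroot", "hostPath": {"path": "/"}}],
    },
}
BENIGN_POD = {
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "example.invalid/web:1.0"}]},
}

if __name__ == "__main__":
    for pod in (MALICIOUS_POD, BENIGN_POD):
        verdict = review_pod(pod)
        print(pod["metadata"]["name"], "DENY" if verdict else "ALLOW", verdict)
```

The same rule expressed in Rego for Open Policy Agent or in a Pod Security admission profile would reject the malicious spec on the same two grounds: a root `hostPath` volume and a writable mount of it.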
