We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware.