A new campaign has been discovered in which threat actors are targeting vulnerable Docker services. They are deploying the XMRig cryptocurrency miner and the 9Hits Viewer software to monetize their attacks. This is the first known case of malware using the 9Hits application as a payload, indicating that adversaries are diversifying their strategies for financial gain. 9Hits is a web traffic solution that allows users to drive traffic to their sites in exchange for purchasing credits. The malware is spread to vulnerable Docker hosts using search engines like Shodan to identify targets. The attackers breach the servers and deploy malicious containers containing the 9Hits and XMRig software. The 9Hits container is used to generate credits for the attacker by visiting websites, while the XMRig container mines cryptocurrency. This campaign exhausts the resources of compromised hosts and can potentially lead to more serious breaches.