New P2Pinfect botnet malware targets Redis servers

A novel strain of malware has been observed targeting susceptible Redis servers to ensnare them into a botnet.

Dubbed “P2Pinfect” by its developers, the malware is a peer-to-peer self-replicating worm that comes in versions for both Windows and Linux.

The P2Pinfect malware was first detailed by researchers at Palo Alto Networks’ Unit 42, who found it exploiting CVE-2022-0543, a Lua sandbox escape vulnerability present in certain versions of Redis.

The worm uses a number of known Redis exploitation methods for initial access, according to researchers with Cado Security. In the observed attack, a threat actor breached Cado’s honeypot infrastructure by exploiting the replication feature in Redis.

“A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command,” the researchers wrote in a technical report.
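The replication abuse described above depends on an exposed, unauthenticated instance where SLAVEOF/REPLICAOF and CONFIG are still reachable. The following added example (not code from the article, Cado Security or Unit 42) audits a redis.conf for those conditions; the sample configurations are constructed, and the list of commands treated as sensitive is an assumption about the replication attack chain, not something the article enumerates.

```python
"""Audit a redis.conf for the settings that leave the SLAVEOF/REPLICAOF replication
abuse path open. Added defensive example; not code from the article, Cado Security
or Unit 42. Sample configs below are constructed."""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Commands the replication abuse chain relies on (assumed list); disabling them via
# rename-command, or an ACL rule such as -@dangerous, removes the path.
SENSITIVE_COMMANDS = ("SLAVEOF", "REPLICAOF", "CONFIG", "MODULE")


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list seen, in file order.
    Redis applies the last occurrence of single-value directives but keeps
    every rename-command line, so all occurrences are retained."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Network exposure: no bind line means all interfaces; a leading '-'
    #    marks an optional address in Redis 7 and is not part of the address.
    addrs = [a.lstrip("-") for a in conf.get("bind", [[]])[-1]]
    if not addrs or any(a not in LOOPBACK for a in addrs):
        findings.append("bind: listens on a non-loopback interface")

    # 2. protected-mode refuses remote clients when no bind/password is configured.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: disabled")

    # 3. Authentication: requirepass, or ACL 'user' lines (ACL rules not evaluated here).
    pw = conf.get("requirepass", [[]])[-1]
    if not (pw and pw[0] not in ('""', "''")) and "user" not in conf:
        findings.append("auth: no requirepass and no ACL users")

    # 4. Replication/config commands still reachable by any client that gets in.
    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) == 2 and args[1] in ('""', "''")
    }
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in disabled:
            findings.append(f"{cmd}: command still reachable")
    return findings


WEAK_CONF = """\
# constructed: an internet-facing instance with the replication path open
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed: loopback only, authenticated, replication/config commands disabled
bind 127.0.0.1 -::1
protected-mode yes
requirepass example-long-random-secret-placeholder
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

The audit reads the file rather than the running server on purpose: a live `CONFIG GET` would itself require the CONFIG command the hardened configuration disables. On Redis 7 the same effect can be reached with ACL rules instead of rename-command; this script only treats `user` lines as evidence that authentication exists and does not evaluate the rules themselves.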

The primary payload is an ELF file written in a combination of C and Rust, using Rust’s foreign function interface (FFI). Upon execution, the binary updates the SSH configuration of the host “to a near default state”, enabling password authentication so that the attacker can connect to the server via SSH.
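A host whose sshd_config has been reset toward defaults can be caught by comparing the effective global settings against a hardened baseline. The added example below is not from the article and does not reproduce the worm's exact edits, which the article does not list; the baseline keywords are an assumed hardened configuration and the sample files are constructed. It also handles the sshd rule that the first value of a keyword wins, which a naive "last line wins" check would miss.

```python
"""Detect drift in sshd_config away from a hardened baseline, e.g. password
authentication re-enabled. Added example, not from the article; BASELINE is an
assumed hardened configuration, not the worm's actual edits. Samples constructed."""
import re
from typing import Dict, List

# Assumed hardened baseline; cross-check against what sshd really loads with `sshd -T`.
BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

# keyword, optional '=', value (sshd_config allows whitespace or '=' as separator)
_DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def parse_sshd_global(text: str) -> Dict[str, str]:
    """Return the effective global settings. Per sshd_config(5) the FIRST value for
    a keyword wins, so a hardened line appended later does not override an earlier
    permissive one. Match blocks are conditional and are not evaluated: parsing
    stops at the first one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence is kept
    return settings


def sshd_drift(text: str) -> List[str]:
    """List baseline keywords whose effective value differs from, or is missing
    relative to, the baseline."""
    settings = parse_sshd_global(text)
    drift: List[str] = []
    for key, want in BASELINE.items():
        have = settings.get(key)
        if have is None:
            drift.append(f"{key}: absent, sshd built-in default applies")
        elif have.lower() != want:
            drift.append(f"{key}: {have} (baseline {want})")
    return drift


TAMPERED = """\
# constructed: permissive lines inserted at the top; the later 'no' never takes effect
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED = """\
# constructed: hardened global section with a scoped exception in a Match block
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, conf in (("tampered", TAMPERED), ("hardened", HARDENED)):
        print(name, sshd_drift(conf) or ["no drift"])
```

Run it against `/etc/ssh/sshd_config` from a file-integrity or configuration-management job; a sudden change in its result on a host running Redis is a cheap signal to correlate with the Redis-side indicators.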

“P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2. The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder. This is due to the complexity of Rust itself, the inclusion of C code due to the Foreign Function Interface feature, and the lack of tooling available for analysis,” the researchers concluded.
