P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
A well-known botnet is now targeting cloud environments in a more calculated way than before. P2PInfect, a Rust-written peer-to-peer malware active since mid-2023, has been observed compromising Kubernetes clusters by breaking into Redis instances left exposed to the internet. The campaign marks a notable shift, moving from simple server infections to persistent footholds inside managed […] The post P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances appeared first o
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
By Tushar Subhra Dutta
May 21, 2026
A well-known botnet is now targeting cloud environments in a more calculated way than before. P2PInfect, a Rust-written peer-to-peer malware active since mid-2023, has been observed compromising Kubernetes clusters by breaking into Redis instances left exposed to the internet.
The campaign marks a notable shift, moving from simple server infections to persistent footholds inside managed cloud infrastructure.
P2PInfect has built a strong reputation for going after Redis, an in-memory data store widely used in web applications and cloud environments.
The malware exploits misconfigured Redis setups, often abusing the database’s built-in replication feature to enroll compromised nodes into its peer-to-peer mesh network.
Once inside, infected hosts begin communicating with other botnet peers, slowly growing the network while waiting for further instructions.
The botnet also leverages CVE-2022-0543, a critical Lua sandbox escape vulnerability with a perfect CVSS score of 10.0, to gain code execution on vulnerable Redis instances.
Researchers at Fortinet’s FortiGuard Labs said in a report shared with Cyber Security News that they analyzed several P2PInfect compromises across Google Kubernetes Engine (GKE) clusters, revealing a multi-stage infection chain that begins with an exposed Redis service and ends with a dormant but fully enrolled bot.
Attack Chain (Source – Fortinet)
The findings make clear how a single misconfiguration can silently and quietly open the door to a persistent threat inside cloud environments.
The impact of this campaign extends well beyond a single infected server. Because Kubernetes clusters often power critical business applications and hold sensitive workload data, a compromised node represents a serious and growing risk.
Organizations running GKE or similar managed platforms without tight network controls are particularly exposed to this kind of quiet, long-term infection.
P2PInfect Botnet Compromises Kubernetes Clusters
The infection begins the moment a Redis instance inside a Kubernetes cluster is reachable without proper access controls in place.
Attackers connect to the exposed service and issue the SLAVEOF command, turning the legitimate Redis node into a follower of a malicious server under their control.
This tricks the node into loading arbitrary modules from attacker infrastructure, giving threat actors a direct path to execute code inside the container.
From November 2025 through February 2026, FortiGuard Labs observed compromised Redis hosts making outbound peer-to-peer mesh connections to multiple external nodes.
The botnet used this network to distribute payloads, gather information about the infected environment, and maintain communication without relying on a centralized command server.
This decentralized design makes disruption difficult since there is no single point to block or shut down.
Once a node was enrolled in the P2P mesh, it stayed relatively quiet, a behavior the researchers described as dormant. The bots appeared to be waiting, ready to receive tasks from operators at any time.
This deliberate patience suggests the campaign may be building a larger infrastructure for future exploitation rather than rushing to deploy ransomware or crypto miners immediately.
Dormant Behavior and the Broader Threat Landscape
P2PInfect’s dormant phase inside Kubernetes environments is what makes it especially difficult to detect. Traditional security tools often flag noisy activity, but a quietly enrolled bot with minimal outbound traffic can sit undetected for months.
Inside a busy cluster running many services, an infected container can blend in without raising immediate alarms. The botnet has a well-documented history of escalating its capabilities.
RediShell patch adoption and incident timeline (Source – Fortinet)
Earlier versions deployed ransomware that encrypted files and demanded payment in Monero, along with cryptocurrency miners that silently consumed compute resources from infected hosts.
Even while dormant, an enrolled node puts organizations at serious risk since a damaging payload could arrive at any moment.
FortiGuard Labs recommends that teams avoid directly exposing Redis instances to the internet and enforce strict network policies inside Kubernetes clusters to limit pod-to-pod communication.
Regular audits for unauthorized outbound connections and the use of runtime security tools that flag abnormal container behavior are also strongly advised.
Keeping Redis fully patched and restricting the replication feature in production environments can meaningfully reduce the attack surface P2PInfect depends on to spread.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks
Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems
New Microsoft Defender 0‑Days Actively Exploited in the Wild
Latest News
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
Cyber Security
New Microsoft Defender 0‑Days Actively Exploited in the Wild
Cyber Security News
BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
Cyber Security News
Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access
Cyber Security News
Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack