CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A well-known botnet is now targeting cloud environments in a more calculated way than before. P2PInfect, a Rust-written peer-to-peer malware active since mid-2023, has been observed compromising Kubernetes clusters by breaking into Redis instances left exposed to the internet. The campaign marks a notable shift, moving from simple server infections to persistent footholds inside managed […] The post P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances appeared first o

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances By Tushar Subhra Dutta May 21, 2026 A well-known botnet is now targeting cloud environments in a more calculated way than before. P2PInfect, a Rust-written peer-to-peer malware active since mid-2023, has been observed compromising Kubernetes clusters by breaking into Redis instances left exposed to the internet. The campaign marks a notable shift, moving from simple server infections to persistent footholds inside managed cloud infrastructure. P2PInfect has built a strong reputation for going after Redis, an in-memory data store widely used in web applications and cloud environments. The malware exploits misconfigured Redis setups, often abusing the database’s built-in replication feature to enroll compromised nodes into its peer-to-peer mesh network. Once inside, infected hosts begin communicating with other botnet peers, slowly growing the network while waiting for further instructions. The botnet also leverages CVE-2022-0543, a critical Lua sandbox escape vulnerability with a perfect CVSS score of 10.0, to gain code execution on vulnerable Redis instances. Researchers at Fortinet’s FortiGuard Labs said in a report shared with Cyber Security News that they analyzed several P2PInfect compromises across Google Kubernetes Engine (GKE) clusters, revealing a multi-stage infection chain that begins with an exposed Redis service and ends with a dormant but fully enrolled bot. Attack Chain (Source – Fortinet) The findings make clear how a single misconfiguration can silently and quietly open the door to a persistent threat inside cloud environments. The impact of this campaign extends well beyond a single infected server. Because Kubernetes clusters often power critical business applications and hold sensitive workload data, a compromised node represents a serious and growing risk. Organizations running GKE or similar managed platforms without tight network controls are particularly exposed to this kind of quiet, long-term infection. P2PInfect Botnet Compromises Kubernetes Clusters The infection begins the moment a Redis instance inside a Kubernetes cluster is reachable without proper access controls in place. Attackers connect to the exposed service and issue the SLAVEOF command, turning the legitimate Redis node into a follower of a malicious server under their control. This tricks the node into loading arbitrary modules from attacker infrastructure, giving threat actors a direct path to execute code inside the container. From November 2025 through February 2026, FortiGuard Labs observed compromised Redis hosts making outbound peer-to-peer mesh connections to multiple external nodes. The botnet used this network to distribute payloads, gather information about the infected environment, and maintain communication without relying on a centralized command server. This decentralized design makes disruption difficult since there is no single point to block or shut down. Once a node was enrolled in the P2P mesh, it stayed relatively quiet, a behavior the researchers described as dormant. The bots appeared to be waiting, ready to receive tasks from operators at any time. This deliberate patience suggests the campaign may be building a larger infrastructure for future exploitation rather than rushing to deploy ransomware or crypto miners immediately. Dormant Behavior and the Broader Threat Landscape P2PInfect’s dormant phase inside Kubernetes environments is what makes it especially difficult to detect. Traditional security tools often flag noisy activity, but a quietly enrolled bot with minimal outbound traffic can sit undetected for months. Inside a busy cluster running many services, an infected container can blend in without raising immediate alarms. The botnet has a well-documented history of escalating its capabilities. RediShell patch adoption and incident timeline (Source – Fortinet) Earlier versions deployed ransomware that encrypted files and demanded payment in Monero, along with cryptocurrency miners that silently consumed compute resources from infected hosts. Even while dormant, an enrolled node puts organizations at serious risk since a damaging payload could arrive at any moment. FortiGuard Labs recommends that teams avoid directly exposing Redis instances to the internet and enforce strict network policies inside Kubernetes clusters to limit pod-to-pod communication. Regular audits for unauthorized outbound connections and the use of runtime security tools that flag abnormal container behavior are also strongly advised. Keeping Redis fully patched and restricting the replication feature in production environments can meaningfully reduce the attack surface P2PInfect depends on to spread. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems New Microsoft Defender 0‑Days Actively Exploited in the Wild Latest News Cyber Security News Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys Cyber Security New Microsoft Defender 0‑Days Actively Exploited in the Wild Cyber Security News BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Cyber Security News Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access Cyber Security News Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗