Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
Essential information
- Published
- 20/05/2026 22:36
- Modified
- 21/05/2026 16:50
- Tags
- 2026-05-20 CVE-2022-0543 CVE-2025-11953 CVE-2025-49844 botnet cryptomining kubernetes metro4shell p2pinfect peer-to-peer ransomware redis exploitation
- Related entities
- 3 vulnerabilities (cve), 25 observables, 20 techniques (mitre), 1 malware
Description
An investigation identified persistent P2Pinfect botnet presence within Google Kubernetes Engine clusters at multiple organizations, with one compromise lasting six months. The intrusions originated from exposed Redis instances that provided initial access. The botnet utilizes a peer-to-peer architecture for resilience against takedowns and operates as a botnet-for-hire platform. While no second-stage payloads were executed in observed cases, the malware has been linked to ransomware and cryptocurrency mining deployment. A new deployment script was discovered, and evidence suggests P2Pinfect has expanded exploitation techniques to include CVE-2025-11953 (Metro4Shell) targeting React vulnerabilities. Possible incorporation of CVE-2025-49844 (RediShell) is speculated. The campaign demonstrates how single misconfigurations enable long-term compromise in cloud environments.