216.73.216.86

Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

· Published 20/05/2026 22:36 · Modified 21/05/2026 16:50

Export JSON

Essential information

Published
20/05/2026 22:36
Modified
21/05/2026 16:50
Tags
2026-05-20 CVE-2022-0543 CVE-2025-11953 CVE-2025-49844 botnet cryptomining kubernetes metro4shell p2pinfect peer-to-peer ransomware redis exploitation
Related entities
3 vulnerabilities (cve), 25 observables, 20 techniques (mitre), 1 malware

Description

An investigation identified persistent presence within Google Engine clusters at multiple organizations, with one compromise lasting six months. The intrusions originated from exposed Redis instances that provided initial access. The utilizes a architecture for resilience against takedowns and operates as a -for-hire platform. While no second-stage payloads were executed in observed cases, the malware has been linked to and cryptocurrency mining deployment. A new deployment script was discovered, and evidence suggests has expanded exploitation techniques to include () targeting React vulnerabilities. Possible incorporation of (RediShell) is speculated. The campaign demonstrates how single misconfigurations enable long-term compromise in cloud environments.

External references