{ "id": "7543299b-48d2-4c76-b738-a597d0b631ae", "created_at": "2026-04-06T00:16:37.3473Z", "updated_at": "2026-04-10T03:34:59.795446Z", "deleted_at": null, "sha1_hash": "00dcdb65370a0b56b2e7890e259ec8fb303d6924", "title": "Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1545642, "plain_text": "Exposed Redis Instances Abused for Remote Code Execution,\r\nCryptocurrency Mining\r\nBy By: David Fiser Apr 21, 2020 Read time: 9 min (2435 words)\r\nPublished: 2020-04-21 · Archived: 2026-04-05 13:12:51 UTC\r\nRecently, we wrote an article about more than 8,000 unsecured Redis instancesopen on a new tab found in the cloud. In this\r\narticle, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by\r\nmalware samples captured in the wild. These malicious files have been found to turn Redis instances into cryptocurrency-miningnews- cybercrime-and-digital-threats bots and have been discovered to infect other vulnerable instances via their\r\n“wormlike” spreading capability.\r\nRedis, which is intended to be used in trusted environments, has a protected mode configurationopen on a new tab and is set\r\nto be updated to a new version, Redis 6.0, which will introduce new security features such as access-control lists (ACLs).\r\nHowever, as of now, Redis users with instances that don’t bear Transport Layer Security (TLS) encryption, password\r\nprotection, or both are susceptible to having over 200 commandsopen on a new tab available once attackers get inside the\r\nenvironment. At present, Redis does not have authentication set by default. And even if a password is set, it’s important to\r\nkeep in mind that the password should be strong enough in order to be resistant to brute-force attacks.\r\nWe’ve observed attackers using these scenarios in a honeypot we’ve set up to attract and monitor attackers in the wild:\r\nScenario 1: Abusing the config command\r\nAn attacker sets several keys on a Redis database file as cron tasks. The database values follow a specification of cronopen\r\non a new tab (a daemon that executes scheduled commands) and crontabopen on a new tab (a file that is used to schedule the\r\nexecution of programs) file formats.\r\nopen on a new tabFigure 1. Setting keys as cron tasks\r\nUsing the config command, the attacker sets the directory to /var/spool/cron and the dbfilename to a username (e.g., root)\r\nand saves the database (with the file name root).\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 1 of 12\n\nopen on a new tabFigure 2. Saving the database to cron directories\r\nThe content of the root file name looks like the screenshot below — basically a few readable lines written in the cron file\r\nformat in between binary data.\r\nopen on a new tab\r\nFigure 3. What the cron file name looks like\r\nDespite the fact that the file has a partly binary format, when cron is installed, it finds a valid entry and executes a\r\ndownloaded shell script at the attacker’s discretion — all caused by an unsecured Redis instance.\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 2 of 12\n\nopen on a new tab\r\nFigure 4. An example of an RCE attack performed on an exposed Redis instance using cron\r\nScenario 2: Abusing the slaveof feature\r\nThe second approach is based on the fact that Redis can be used as a distributed databaseopen on a new tab. In this\r\napproach, an attacker first crafts a malicious Redis instance and compiles a malicious Redis module. The crafted Redis\r\ninstance becomes a master server that sends the slaveof commandopen on a new tab to the vulnerable instance. The attacker\r\nthen initiates a full resync from the master and sends the malicious Redis module. Afterward, the module load command is\r\ntriggered, effectively loading a backdoor inside the vulnerable Redis module. This technique was discussed by Pavel\r\nToporkov, a security researcher, in his “Redis Post-exploitation”open on a new tab presentation at the ZeroNights conference\r\nin 2018.\r\nIt should be noted that starting with Redis 5.0, which was released in October 2018, Redis no longer uses the word “slave”\r\nand uses the replicaofopen on a new tab command instead. However, for backward compatibility, the slaveof command still\r\nworks for earlier versions.\r\nopen on a new tabFigure 5. An example of a malicious Redis module registering three commands\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 3 of 12\n\nopen on a new tabFigure 6. An example of a malicious Redis module’s deployment and command call\r\nThe malicious Redis module in this case downloads a version of the Kinsing malwarenews article, which then downloads\r\nand executes the XMRig Monero cryptocurrency mineropen on a new tab.\r\nopen on a new tab\r\nFigure 7. XMRig cryptocurrency miner executed from Redis found to be consuming significant resources\r\nAn overview of observed malware samples\r\nIn this section, we highlight a few notable malware samples that have been distributed in exposed Redis instances via either\r\nof the aforementioned methods, and that have been caught by our honeypots.\r\nCase 1: Multiplatform shell-based worm installing cryptocurrency-mining malware\r\nThe first in-the-wild malware we observed was a newer version of a piece of cryptocurrency-mining malware that was\r\ndetected to have taken advantage of known vulnerabilities in the search engine Elasticsearchopen on a new tab. This\r\nmalware is a multiplatform worm: It has both Linux and Windows versions with a set of scripts written in shell and\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 4 of 12\n\nPowerShell, and some of its components are binaries written in Golang that have been compiled into executable files. The\r\ninfection can be noticed in a modified cron file (as seen in Scenario 1) containing a link to an init.sh file.\r\nInit.sh\r\nThis is the starting or initialization script of the shell-based malware. The important function of this script is to uninstall,\r\nterminate, and kill various resource-intensive and competing processes. This script runs the following tasks:\r\n1. Uninstall the Alibaba Cloud service (an action that may have been inspired by this repositoryopen on a new tab).\r\n2. Uninstall the Tencent agent (an action that may have been inspired by this repositoryopen on a new tab).\r\n3. Delete various files and kill various processes and Docker instances.\r\nopen on a new tab\r\n4. Kill processes that bear the same name as the modules used by this specific malware:\r\nsysguerd\r\nsh\r\nsysupdata\r\nnetworkservics\r\n5. If root, download and install malware files into /etc/, otherwise, use /tmp/. These files are miner, miner config,\r\nwatchdog, update, and scanner.\r\n6. Add persistence through updata.sh, which has the same contents as init.sh and is added to crontab.\r\n7. Install a new Secure Shell (SSH) authorized key into /root/.ssh/authorized_keys:\r\nopen on a new tab\r\n8. Block outgoing traffic to ports 3333, 5555, 7777, and 9999 using the iptables command iptables -A OUTPUT -p tcp –\r\ndport ???? -j DROP.\r\n9. Clear bash history.\r\n10. For all hosts (public keys of previously accessed servers) in /root/.ssh/known_hosts, and if the /root/.ssh/id_rsa.pub\r\nfile exists (a file with the public key of a previously generated SSH key pair), SSH then tries to connect to all of these\r\nknown hosts via ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no. For each successfully\r\nconnected instance, it will download and execute https://\u003cserver\u003e/\u003cpath\u003e/is.sh.\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 5 of 12\n\nopen on a new tab\r\n11. Download and execute https://\u003cserver\u003e/\u003cpath\u003e/is.sh on the affected machine.\r\nIs.sh\r\nThis is an installation script used for performing the following tasks:\r\n1. Kill the following running processes:\r\nredisscanopen on a new tab (a process that recursively scans the keyspace of Redis 2.8)\r\nebscan (a scan process that uses the masscan tool)\r\nredis-cliopen on a new tab (Redis’s command line interface, which allows the sending of commands to Redis and the\r\nreading of the server’s replies directly on the terminal)\r\nbarad_agent (a cloud-related service)\r\nmasscan (a mass IP port scanner)\r\n.sr0\r\nclay\r\nudevs\r\n.sshd (an OpenSSH server process that listens to incoming connections)\r\nxig\r\n2. Install the required software via apt-get or yum package managers. The required software includes redis-tools,\r\niptables, wget, curl, and unhide.\r\n3. Kill hidden processes.\r\n4. Download and install masscanopen on a new tab and pnscanopen on a new tab.\r\n5. Download and execute rs.sh.\r\nRs.sh\r\nThis malicious, custom-made script is used to perform scans for Redis instances, with the following actions. Redis instances\r\nusually listen on port 6379. Two publicly available scanners are used for performing the Redis scanning task.\r\n1. Block all incoming traffic to port 6379 and allow only incoming traffic from the localhost using the iptables\r\ncommand.\r\n2. Create a .dat file that contains the following contents. This method was described in Scenario 1.\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 6 of 12\n\nopen on a new tab\r\n3. Scan port 6379 with pnscan. In this method, pnscan sends bytes *1\\r\\n$4\\r\\ninfo\\r\\n and looks for os:Linux in the\r\nresponse from the scanned machine.\r\n4. Scan port 6379 with masscan. The scan is run with the shardopen on a new tab parameter to randomly choose one of\r\n22,000 IP address subsets.\r\n5. Scan port 6379 with masscan. In this scan, IP addresses from ranges of private IP addresses and ranges belonging to\r\nAlibaba Cloud, Chinanet Shanghai, and China Unicom are used.\r\n6. Scan port 6379 with masscan and take known IP addresses from the current network interfaces (using the ip a\r\ncommand).\r\n7. For active Redis instances (found via the scanning tasks mentioned in 3 to 6), run:\r\nredis-cli -h HOST -p PORT –raw -a PASSWORD –raw \u003ccontent of .dat\u003e\r\nThe list of weak passwords used include:\r\nempty password\r\nredis\r\nroot\r\noracle\r\npassword\r\np@aaw0rd\r\nabc123\r\nabc123!\r\n123456\r\nadmin\r\nAfter a successful connection to the newly found Redis instance, the init.sh script is executed via Scenario 1 and the whole\r\ninfection process is repeated.\r\nWith the exception of the analyzed scripts above, this malware also uses a few binaries.\r\nThe watchdog process, which is a Golang-based compiled file, functions mainly to start four watchdog threads:\r\nmain_dog_protect_cron_thread\r\nThis checks persistence in cron, and if necessary, adds persistence.\r\nmain_dog_protect_process_thread\r\nThis checks if required processes are running, and if not, starts them.\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 7 of 12\n\nmain_dog_update_thread\r\nIf new versions are available, this updates the miner, config, scanner, and watchdog binaries.\r\nmain_dog_protect_cc_thread\r\nThis checks if a command-and-control (C\u0026C) server is active. If it’s not, this looks for a hard-coded address via the\r\nEthereum blockchain explorer.\r\nopen on a new tab\r\nThe blockchain data is then transformed to the new C\u0026C server address, which is a very useful feature especially when\r\nattackers lose their control of the current C\u0026C servers. After a new C\u0026C address is obtained, the thread checks if the server\r\nis active. If it is, the thread appends a hard-coded string with a URL path and downloads the init.ps or init.sh initialization\r\nscripts, and the whole infection process starts again from the beginning.\r\nopen on a\r\nnew tab\r\nAs of the publication of this article, there are no transactions associated with the hard-coded Ethereum address.\r\nopen on a new tab\r\nThe scanner process, which is a Golang-based compiled executable, contains a set of exploits for various online services and\r\ndevices.\r\nThe main_scan procedure calls the following scanning methods:\r\nscan_exp_Cctv_exploit\r\nscan_exp_Redis_exploit\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 8 of 12\n\nscan_exp_Drupal_exploit\r\nscan_exp_Hadoop_exploit\r\nscan_exp_Spring_exploit\r\nscan_exp_Thinkphp_exploit\r\nscan_exp_Weblogic_exploit\r\nscan_exp_Sqlserver_exploit\r\nscan_exp_Elasticsearch_exploit\r\nAlibaba Cloud Security made an analysisopen on a new tab of the scanner module with a list of exploits that is almost\r\nidentical to the list above, with the addition of a new CCTV exploit routine.\r\nIt’s important to note that there is also a version of Case 1 for Windows using PowerShell; the Task Scheduler is used for\r\npersistence, while netsh and net user are used for adding backup entries to the system.\r\nCase 2: Kinsing malware\r\nThe Kinsing malware supports several commands and functions, and has capabilities for both scanning of vulnerable\r\nmachines and backdoor features. The function main_getTask queries \u003cserver\u003e/get/ and enables the execution of a task.\r\nThe function main_doTask then implements the following commands:\r\nCommand Function\r\nscan TCP scanner\r\nupdate Downloads new bot version and runs it\r\nexec Runs from command line\r\nmasscan Downloads and scans with masscan\r\nexec_output Runs from command line; output is POSTed to \u003cserver\u003e/o\r\nSocks Socks proxy\r\nbackconnect Connects to another machine using TCP\r\nrequest Performs HTTP request\r\ntcp Performs TCP request\r\ndownload_and_exec Downloads and executes\r\nredis_brute Brute-forces Redis instances\r\nThe communication with a C\u0026C server is encrypted with a hard-coded Rivest Cipher 4 (RC4) password, and the URL path\r\ndepends on the type of request it sends:\r\n/get = get task\r\n/h = health\r\n/getT = get targets\r\n/l = log\r\n/o = execute output\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 9 of 12\n\n/r = result of the task\r\n/s = send socks\r\n/mg = get cryptocurrency miner’s process ID (PIC), e.g., {“Pid”:110}\r\n/ms = send cryptocurrency miner’s PID\r\nopen on a new tab\r\nFigure 8. Decrypting of a received response to /get path\r\nThe function main_minerRunningCheck runs in sequence with main_getMinerPid, main_isMinerRunning, and\r\nmain_minRun, which first kills a currently running process called kdevtmpfsi, and then drops and runs the miner. This\r\nmalware installs the XMRig malware and names it kdevtmpfsi.\r\nThe function main_healthChecker regularly checks if a C\u0026C server is present by sending the GET request to \u003cserver\u003e/h.\r\nAn RC4-encrypted response returns OK if everything is fine.\r\nThe function main_resultSender tries to POST the results of which tasks are completed to \u003cserver\u003e/r. Communication is\r\nalso RC4-encrypted.\r\nConclusion and security recommendations\r\nProper security measures should be taken, especially within the DevOps environment. Keeping Redis instances unsecured\r\nmay lead to RCE, techniques for which are actively searched for and exploited in the wild by malicious actors. In this\r\narticle, we discussed how exposed Redis instances can be abused for cryptocurrency mining, which is a relatively noisy\r\nprocess that uses a significant amount of resources in an affected device. However, this may not be the be-all and end-all of\r\nthe possible abuse surrounding exposed Redis instances, as the ability to execute code is an attacker’s holy grail. Once RCE\r\nbecomes possible, it can be the first big and detrimental step for malicious actors toward conducting stealthier and more\r\ntargeted attacks.\r\nFor developers, here are several security recommendations for keeping environments better protected:\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 10 of 12\n\nWhen running server-side software, make sure that it is not running under root Even when running containers, users\r\nmust follow best practices and apply the principle of least privilege.\r\nKeep your software updated to the latest version and use strong passwords. Don’t expose it to the internet without\r\napplying proper security measures.\r\nIf you are inspecting Redis logs, you can see ongoing attacks from its actual lines. In the screenshot below, pay\r\nattention to the full resynchronization request from the master. The replica received about 55 kB from the master,\r\nwhich is exactly the size of the malicious Redis module.\r\nopen on a new tab\r\nTrend Micro’s cloud security solutions\r\nThe Trend Micro Hybrid Cloud Security solution simplifies security for organizations, allowing them to focus on\r\nsecurity and compliance as they migrate to the cloud or adopt DevOps. It provides an all-in-one solution that has the\r\nbreadth, depth, and innovation required by cloud security, and a single platform for visibility into leading\r\nenvironments like Amazon Web Services (AWS)products, Microsoft Azure, Google Cloudopen on a new tab,\r\nand Dockeropen on a new tab.\r\nThe Trend Micro™Cloud Oneopen on a new tab™ software-as-a-service (SaaS) platform provides organizations with\r\nreal-time security for workloadsopen on a new tab, applicationsopen on a new tab, containersopen on a new tab,\r\nserverless environments, file storage systemsopen on a new tab, and networksopen on a new tab, and a single-pane-of-glass view of their hybrid cloud environments.\r\nThe Cloud One platform also includes Cloud One – Conformity, which has automated controls for AWS\r\nElasticCache, which is an in-memory data store for Redis. It ensures that Redis isn’t on the default portopen on a new\r\ntab and has encryption for data while in transit and at restopen on a new tab.\r\nFor organizations looking for runtime workload and container security or container image security as software,\r\nthe Deep Security™and Deep Security Smart Checkopen on a new tab solutions can scan container images during\r\npre-deployment and at runtime.\r\nTrend Micro™ Deep Security™ and Vulnerability Protectionopen on a new tab protect users via the following rules:\r\n1010231 – Redis Cron Remote Code Execution Vulnerability\r\n1009967 – Redis Unauthenticated Code Execution Vulnerability\r\nTrend Micro™ TippingPoint®open on a new tab protects customers through the following rules:\r\n37633: TCP: Redis Crontab Command Injection Vulnerability\r\nIndicators of compromise\r\nFile Function SHA-256\r\nclean.bat\r\nAdd user\r\nscript\r\n19967f6467f05f1ac286eb8b8bf7e251075b7d288fbe9b719b8de0b6330c8787\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 11 of 12\n\nconfig.json\r\nMiner\r\nconfig\r\n2c2438019c10352cc6678474072ce57a4191fd6ce54391d4975012f587bec1a0\r\ninit.ps1 Init script d0a28e1f768c524ed3ff962c36ab2861705cdd4fd83ee5b3dc8d897f2034cb05\r\ninit.sh Init script 3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38\r\nis.sh\r\nInstall\r\nscript\r\n6faa026af253c784ef97ffec3a9953055d394061a9a1fbfdcc5b28445b73ffdc\r\nkdevtmpfsi XMrig 24FDF5B1E1E8086031931F2678D874487316DC1E266581B328D6E34A1FD7748C\r\nkinsingbRiXVrNDJc Bot d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b\r\nnetworkservics Scanner ea55a206f7047f54a9e97cc3234848dfd3e49d0b5f9569b08545f1ad0e733286\r\nnetworkservics.exe Scanner b6fc454e667081c2add1ffd5a54bafb428a82d8d8a3e34c61fc59075118f4afd\r\nred2.so\r\nRedis\r\nmodule\r\n1fd17076800d993609a8110084f9652d06fe50cd3a279ab709c65a044076fe6d\r\nrs.sh\r\nRedis\r\nspreader\r\ne2b982f9540304e31ca8d1cdafb253da7d216d1cc939a281a1a95baaa4be9b2d\r\nsysguerd Watchdog bceee7d9ace363ef2bfb1494a9784a6377fe14c4c5fefa0c180fcec33a5d1716\r\nsysguerd.exe Watchdog 37ecccdfc185615d4452b5c77b7313222b14776c3032c156846258c8f63185fe\r\nsysupdata Miner e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7\r\nsysupdata.exe Miner 559a8ff34cf807e508d32e3a28864c687263587fe4ffdcefe3f462a7072dcc74\r\nupdata.ps1 Update d0a28e1f768c524ed3ff962c36ab2861705cdd4fd83ee5b3dc8d897f2034cb05\r\nupdata.sh Update 3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38\r\nMultiplatform worm C\u0026C servers\r\nhttps://178[.]157[.]91.26\r\nhttps://45[.]137[.]151.106\r\nKinsing C\u0026C servers\r\nhttps://45[.]10[.]88.102\r\nhttps://91[.]215[.]169.111\r\nhttps://139[.]99[.]50.255\r\nhttps://193[.]33[.]87.220\r\nhttps://195[.]123[.]220.193\r\nUpdated as of 7 p.m. PT to update Trend Micro solutions.\r\nSource: https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nhttps://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html" ], "report_names": [ "exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html" ], "threat_actors": [ { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "f9806b99-e392-46f1-9c13-885e376b239f", "created_at": "2023-01-06T13:46:39.431871Z", "updated_at": "2026-04-10T02:00:03.325163Z", "deleted_at": null, "main_name": "Watchdog", "aliases": [ "Thief Libra" ], "source_name": "MISPGALAXY:Watchdog", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31", "created_at": "2023-01-06T13:46:38.376868Z", "updated_at": "2026-04-10T02:00:02.949077Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "G0003", "Operation Cleaver", "Op Cleaver", "Tarh Andishan", "Alibaba", "TG-2889", "Cobalt Gypsy" ], "source_name": "MISPGALAXY:Cleaver", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3", "created_at": "2023-01-06T13:46:39.390649Z", "updated_at": "2026-04-10T02:00:03.311299Z", "deleted_at": null, "main_name": "Kinsing", "aliases": [ "Money Libra" ], "source_name": "MISPGALAXY:Kinsing", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434597, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/00dcdb65370a0b56b2e7890e259ec8fb303d6924.pdf", "text": "https://archive.orkl.eu/00dcdb65370a0b56b2e7890e259ec8fb303d6924.txt", "img": "https://archive.orkl.eu/00dcdb65370a0b56b2e7890e259ec8fb303d6924.jpg" } }