{ "id": "7d5e5970-ef53-4d2c-a997-86f60686b209", "created_at": "2026-04-06T00:09:12.999963Z", "updated_at": "2026-04-10T03:34:59.775197Z", "deleted_at": null, "sha1_hash": "92fa8220e78baab4a4e686370664a5d9071678e4", "title": "P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 768248, "plain_text": "P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm\r\nBy William Gamazo, Nathaniel Quist\r\nPublished: 2023-07-19 · Archived: 2026-04-05 17:59:18 UTC\r\nExecutive Summary\r\nOn July 11, 2023, Unit 42 cloud researchers discovered a new peer-to-peer (P2P) worm we call P2PInfect. Written\r\nin Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform\r\ninfections and targets Redis, a popular open-source database application that is heavily used within cloud\r\nenvironments. Redis instances can be run on both Linux and Windows operating systems. Unit 42 researchers\r\nhave identified over 307,000 unique Redis systems communicating publicly over the last two weeks, of which 934\r\nmay be vulnerable to this P2P worm variant. While not all of the 307,000 Redis instances will be vulnerable, the\r\nworm will still target these systems and attempt the compromise.\r\nThe P2PInfect worm infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, its scope is not fully known at this point. However, it is\r\nrated in the NIST National Vulnerability Database with a Critical CVSS score of 10.0. Additionally, the fact that\r\nP2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable\r\nand potent than other worms. The P2P worm observed by Unit 42 researchers serves as an example of a serious\r\nattack threat actors could conduct using this vulnerability.\r\nP2PInfect exploits CVE-2022-0543 for initial access and then drops an initial payload that establishes P2P\r\ncommunication to a larger P2P network. Once the P2P connection is established, the worm pulls down additional\r\nmalicious binaries such as OS-specific scripts and scanning software. The infected instance then joins the P2P\r\nnetwork to provide access to the other payloads to future compromised Redis instances.\r\nExploiting CVE-2022-0543 in this way makes the P2PInfect worm more effective at operating and propagating in\r\ncloud container environments. This is where Unit 42 researchers discovered the worm by it compromising a Redis\r\ncontainer instance within our HoneyCloud environment, which is a set of honeypots that we use to identify and\r\nstudy novel cloud-based attacks across public cloud environments.\r\nUnit 42 believes this P2PInfect campaign is the first stage of a potentially more capable attack that leverages this\r\nrobust P2P command and control (C2) network. There are instances of the word “miner” within the malicious\r\ntoolkit of P2PInfect. However, researchers did not find any definitive evidence that cryptomining operations ever\r\noccurred. Additionally, the P2P network appears to possess multiple C2 features such as “Auto-updating” that\r\nwould allow the controllers of the P2P network to push new payloads into the network that could alter and\r\nenhance the performance of any of the malicious operations. Unit 42 researchers will continue to monitor for\r\nchanges and update accordingly.\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this article through\r\nproducts including:\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 1 of 10\n\nPrisma Cloud\r\nAdvanced WildFire\r\nCloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering\r\nand Advanced Threat Prevention.\r\nIf you believe you have been compromised by P2PInfect, the Unit 42 Incident Response team can provide a\r\npersonalized response.\r\nSelf-replicating Peer-to-Peer Worm\r\nUnit 42 discovered the first known instance of P2PInfect on July 11, 2023, using our HoneyCloud environment,\r\nwhich is a set of honeypots that we use to identify and study novel cloud-based attacks across public cloud\r\nenvironments.\r\nThe P2PInfect worm uses a P2P network to support and facilitate the transmission of malicious binaries. We chose\r\nthe name because the term P2PInfect appears in the leaked symbols reflecting the malware author project\r\nstructure, as shown in Figure 1.\r\nFigure 1. Artifacts of the Windows version, names and Redis module.\r\nAll collected samples of the P2P worm are written in Rust, a highly scalable and cloud-friendly programming\r\nlanguage. This allows the worm to be capable of cross-platform infections that target Redis instances on both\r\nLinux and Windows operating systems (please note that Redis does not officially support the Windows OS).\r\nThe worm infects vulnerable Redis instances using the Lua sandbox escape vulnerability, CVE-2022-0543. The\r\nfirst exploit for this particular vulnerability was published in March 2022, which resulted in the connection of the\r\ninfected Redis instance to the Muhstik botnet. However, the P2PInfect worm appears to be associated with a\r\ndifferent malicious network, not known to be related to the Muhstik botnet.\r\nAfter initial infection through the exploitation of the Lua vulnerability, an initial payload is executed that\r\nestablishes a P2P communication to the larger C2 botnet, which serves as a P2P network for delivering other\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 2 of 10\n\npayloads to future compromised Redis instances. Once the P2P connection is established, the worm pulls down\r\nadditional payloads, such as a scanner. The newly infected instance then joins the ranks of the P2P network to\r\nprovide scanning payloads to future compromised Redis instances.\r\nExploiting CVE-2022-0543 makes P2PInfect effective in cloud container environments. Containers have a\r\nreduced set of functionalities – for example, they do not have “cron” services. Many of the most active worms\r\nexploiting Redis use a technique to achieve remote code execution (RCE) using cron services. This technique does\r\nnot work in containers. P2PInfect incorporates the exploit for CVE-2022-0543 with the intention of covering as\r\nmany vulnerable scenarios as possible, including cloud container environments.\r\nThe following sections will cover details about the exploitation payloads, the behavior of P2PInfect, and some of\r\nthe details of the P2P network protocol.\r\nSince the P2PInfect worm is newly discovered, we have focused here on providing an overview of its behavior\r\nand the P2P architecture it supports, as well as basic sample analysis. However, additional analysis and study is\r\nwarranted in future research.\r\nExploitation of CVE-2022-0543\r\nP2PInfect currently exploits the Lua sandbox escape vulnerability CVE-2022-0543 for initial access. This\r\nvulnerability has been used in previous attacks such as Muhstik and Redigo, both of which resulted in the\r\ncompromised Redis instances participating in denial-of-service (DoS), flooding and brute-forcing attacks against\r\nother systems.\r\nThis exploit vector follows a similar pattern to what has been seen previously. However, the post-exploit\r\noperations of P2PInfect are significantly different from the previous uses of the vulnerability. It is important to\r\nnote that this vulnerability is not a Redis application vulnerability — it is specifically a Lua sandbox vulnerability.\r\nWhile this campaign does target vulnerable Redis instances and perform worm-like operations, there are no\r\nknown links to other threat actor groups known for targeting Redis and deploying worms, such as Automated\r\nLibra (aka PurpleUrchin), Adept Libra (aka TeamTNT), Thief Libra (aka WatchDog), Money Libra (aka Kinsing),\r\nAged Libra (aka Rocke) or Returned Libra (aka 8220).\r\nHow P2PInfect Leverages CVE-2022-0543 to Infect Vulnerable Redis Instances\r\nThe P2PInfect worm’s initial infection vector – exploiting Redis through CVE-2022-0543 – is not common among\r\nother cryptojacking-focused worms known to target Redis instances, such as those created by Adept Libra (aka\r\nTeamTnT), Thief Libra (aka WatchDog) threat actors or the ones delivering Money Libra (aka Kinsing) variants.\r\nThese groups use alternative Redis vulnerabilities or misconfigurations in order to operate.\r\nCVE-2022-0543 is a vulnerability with the Lua library related to the way Redis is packaged and delivered by\r\nDebian Linux package management. As such, it only affects users of Redis who use the Debian or derived\r\n(Ubuntu and others) distributions. Due to the focus on the OS and leveraging a subcomponent of Redis to\r\ncompromise, P2PInfect’s exploitation efforts are therefore complex. Figure 2 shows an example of a captured\r\nexploit for CVE-2022-0543.\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 3 of 10\n\nFigure 2. Example of the P2PInfect exploit on the Debian OS.\r\nWithin the above image, one can see how the vulnerability is being weaponized. By using network requests\r\nthrough /dev/tcp, as seen on line four, the threat actor connects to a C2 IP address, written as ip-cnc over port\r\n60100. Port 60100 is one of the P2P communication ports used by P2PInfect to maintain C2 communication. The\r\ninitial payload, also seen on line four, sets the GET request to the directory /linux, which is the main dropper\r\nmaintaining the core functionality of the P2PInfect worm. Other binaries are distributed within the P2P network,\r\nas we are going to see later in the article.\r\nNetwork Communication Behavior\r\nP2PInfect uses its P2P network to distribute follow-up malware to newly infected systems or cloud instances.\r\nWhen a system is first compromised, it will make a network connection to the P2P network and download the\r\nsamples for the custom protocol to be used. As Figure 3 illustrates, the command: GET /linux, is followed by the\r\nimage download of the core P2PInfect functionality.\r\nFigure 3. Network communication protocol displaying the download of P2PInfect.\r\nBoth Linux and Windows OS P2PInfect samples communicate in the same manner. The following samples were\r\ndownloaded from the P2P network in plaintext: linux, miner, winminer and windows (see Figure 4).\r\nFigure 4. List of the malware samples pulled from the P2P network.\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 4 of 10\n\nOnce the core P2PInfect sample finishes execution, the payload will start scanning for additional hosts to\r\ncompromise. The scanning operation focuses on exposed Redis hosts. However, researchers also found that\r\ncompromised Redis instances also perform scanning attempts over port 22, SSH. While it is not clear why this\r\nscanning operation is taking place, as there are no known exploitation attempts by P2PInfect to compromise SSH,\r\nit is not altogether uncommon for port 22 to be scanned post-compromise by other known worms. Please see the\r\nScanning Behavior section for additional details.\r\nNode Communications\r\nThe main dropper communicates with any other listening P2P members on the current list of configured nodes\r\nusing TLS 1.3. The C2 infrastructure is updated when the compromised node sends a json request with all known\r\nnodes to the P2P network. Updates to the C2 infrastructure will automatically be downloaded. The following\r\nimage, Figure 5, shows an example of the nodes update.\r\nFigure 5. P2P nodes update.\r\nThe values with x.x.x.x are the current node IP, or the new learned nodes.\r\nScanning Behavior\r\nFigure 6 illustrates the network scanning behavior of an infected host scanning for exposed SSH instances. These\r\nscanning operations occur across a random netrange selected by the P2PInfect functionality.\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 5 of 10\n\nFigure 6. Scanning traffic for SSH instances.\r\nFigure 7 illustrates the P2PInfect scanning operations for exposed Redis instances.\r\nFigure 7. Scanning traffic for Redis instances.\r\nOther Observations of P2PInfect\r\nSome of the initial payload P2PInfect samples delivered to exploited systems were packed with UPX, while the\r\nsecond-stage malware samples, miner and winminer, were not UPX packed.\r\nAfter the first dropper runs, it starts decrypting the configuration received from a command line, with information\r\nabout other nodes in the P2P network. We found that the P2P port was variable – a design choice that allows the\r\nattack to be resilient to blocking and network firewall mitigation techniques (see Figure 8).\r\nFigure 8. Example of the variable port usage of P2PInfect.\r\nAll samples identified by Unit 42 researchers have been written in Rust, and some have “symbols leaked” inside,\r\nwhich gives indicators about the malware authors’ project structure. For example, the windows sample main\r\nexecution thread leaks the name of the project as well as the file directory usage of the threat actor (see Figure 9).\r\nFigure 9. Analysis pulled from the core Windows P2PInfect sample.\r\nWe also identified a PowerShell script designed to establish and maintain communication between the\r\ncompromised host and the P2P network. The PowerShell script leveraged the encode command to obfuscate the\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 6 of 10\n\ncommunication initiation (see Figure 10).\r\nFigure 10. Obfuscated PowerShell command to establish P2P network connection.\r\nOne of the first operations performed by the PowerShell command is to configure the local system firewall to\r\nblock legitimate access to or from the compromised Redis application (see line five of Figure 11). Then (starting\r\non line 17 in Figure 11), the script opens a communication port for the threat actor to access the compromised\r\ninstance. This is a form of persistence, allowing the threat actors to maintain access to the infected host and keep it\r\noperable.\r\nFigure 11. Modifying the network traffic rules of a compromised Windows instance.\r\nOf note from the decoded PowerShell, shown in Figure 11, are the following firewall configuration settings:\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 7 of 10\n\nPeer-to-peer port is 60102 – this port is variable, as not all nodes use the same port\r\nRedis port 6379 is only allowed to connect known C2 IPs\r\nThe firewall rule is named Microsoft Sync\r\nThe Monitor Process\r\nAnother interesting feature of the initial P2PInfect payload when running in Windows OS is a process called the\r\nMonitor. The Monitor process fulfills the role of maintaining the functionality of the P2PInfect running processes\r\non the infected host. The Monitor is dumped to C:\\Users\\username\\AppData\\Local\\Temp\\cmd.exe (see Figure 12\r\nfor an example of the Monitor (cmd.exe) enumerating system running processes).\r\nFigure 12. The P2PInfect Monitor sample, cmd.exe process tree.\r\nAfter launching the Monitor (cmd.exe), the initial P2PInfect payload downloads new versions of itself from the\r\nP2P network and persists them with random names into the same original folder and an encrypted configuration is\r\ndropped (.conf) (see Figure 13).\r\nFigure 13. Example of the random filenames.\r\nThe new P2PInfect download versions are executed, and the scanning operations to locate additional vulnerable\r\nRedis instances starts. The initial P2PInfect dropper will attempt to delete itself (see Figure 14).\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 8 of 10\n\nFigure 14. Deletion of the core P2PInfect payload.\r\nConclusion\r\nThe P2PInfect worm appears to be well designed with several modern development choices. Key among these is\r\nthe use of the Rust language, which provides resilient capabilities and the flexibility to allow the worm to rapidly\r\nspread across multiple operating systems.\r\nThe design and building of a P2P network to perform the auto-propagation of malware is not something\r\ncommonly seen within the cloud targeting or cryptojacking threat landscape. At the same time, we believe it was\r\npurpose-built to compromise and support as many Redis vulnerable instances as possible across multiple\r\nplatforms.\r\nWe have caught several samples within our HoneyCloud platform, across multiple geographic regions, and we\r\nstrongly believe the number of P2P nodes is growing. This is due to the volume of potential targets – over 307,000\r\nRedis instances communicating publicly over the last two weeks – and since the worm was able to compromise\r\nmultiple of our Redis honeypots across disparate regions. However, we don't have an estimate yet of how many\r\nnodes exist or how fast the malicious network associated with P2PInfect is growing.\r\nWe recommend that organizations monitor all Redis applications, both on-premises and within cloud\r\nenvironments, to ensure they do not contain random filenames within the /tmp directory. Additionally, DevOps\r\npersonnel should continually monitor their Redis instances to ensure they maintain legitimate operations and\r\nmaintain network access. All Redis instances should also be updated to their latest versions or anything newer\r\nthan redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2 and redis/5:7.0~rc2-2.\r\nPalo Alto Networks customers receive protections against the types of threats in the following ways:\r\nPrisma Cloud is capable of identifying the runtime environment of any cloud Redis instance to ensure it\r\ndetects and prevents the unknown and malicious execution of the P2PInfect worm.\r\nCloud-Delivered Security Services for the Next-Generation Firewall include a variety of protections.\r\nAdvanced URL Filtering blocks malicious IoCs related to this worm.\r\nAdvanced Threat Prevention can block the attacks with Best Practices via Threat Prevention signatures\r\n92349 and 93004.\r\nThe Advanced WildFire cloud-delivered malware analysis service accurately identifies known samples as\r\nmalicious.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 9 of 10\n\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Samples\r\nLinux:\r\n88601359222a47671ea6f010a670a35347214d8592bceaf9d2e8d1b303fe26d7\r\nMiner:\r\nb1fab9d92a29ca7e8c0b0c4c45f759adf69b7387da9aebb1d1e90ea9ab7de76c\r\nWindows:\r\n68eaccf15a96fdc9a4961daffec5e42878b5924c3c72d6e7d7a9b143ba2bbfa9\r\nWinMiner:\r\n89be7d1d2526c22f127c9351c0b9eafccd811e617939e029b757db66dadc8f93\r\nIPs\r\n35.183.81[.]182\r\n66.154.127[.]38\r\n66.154.127[.]39\r\n8.218.44[.]75\r\n97.107.96[.]14\r\nCNC Requests\r\nGET /linux\r\nGET /linux_sign\r\nGET /miner\r\nGET /miner_sigg\r\nGET /winminer\r\nGET /winminer_sign\r\nGET /windows_sign\r\nGET /windows\r\nUpdated July 20, 2023, at 1:08 p.m. PT.\r\nSource: https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nhttps://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/" ], "report_names": [ "peer-to-peer-worm-p2pinfect" ], "threat_actors": [ { "id": "7c053836-8f50-4d40-bc5c-7088967e1b57", "created_at": "2022-10-25T16:07:24.549525Z", "updated_at": "2026-04-10T02:00:05.03048Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Aged Libra", "G0106", "Iron Group", "Rocke" ], "source_name": "ETDA:Rocke", "tools": [ "Godlua", "Kerberods", "LSD", "Pro-Ocean", "Xbash" ], "source_id": "ETDA", "reports": null }, { "id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7", "created_at": "2023-06-23T02:04:34.839947Z", "updated_at": "2026-04-10T02:00:04.99239Z", "deleted_at": null, "main_name": "8220 Gang", "aliases": [ "8220 Mining Group", "Returned Libra", "Water Sigbin" ], "source_name": "ETDA:8220 Gang", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "f809bfcb-b200-4988-80a8-be78ef6a52ef", "created_at": "2023-01-06T13:46:39.186988Z", "updated_at": "2026-04-10T02:00:03.240002Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "Adept Libra" ], "source_name": "MISPGALAXY:TeamTNT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4", "created_at": "2022-10-25T15:50:23.334495Z", "updated_at": "2026-04-10T02:00:05.264841Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "TeamTNT" ], "source_name": "MITRE:TeamTNT", "tools": [ "Peirates", "MimiPenguin", "LaZagne", "Hildegard" ], "source_id": "MITRE", "reports": null }, { "id": "905eabd9-2b7f-483d-86bd-0c72f96b4162", "created_at": "2023-01-06T13:46:39.02749Z", "updated_at": "2026-04-10T02:00:03.185957Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Aged Libra" ], "source_name": "MISPGALAXY:Rocke", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f", "created_at": "2022-10-25T15:50:23.360509Z", "updated_at": "2026-04-10T02:00:05.337702Z", "deleted_at": null, "main_name": "Rocke", "aliases": [ "Rocke" ], "source_name": "MITRE:Rocke", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "f9806b99-e392-46f1-9c13-885e376b239f", "created_at": "2023-01-06T13:46:39.431871Z", "updated_at": "2026-04-10T02:00:03.325163Z", "deleted_at": null, "main_name": "Watchdog", "aliases": [ "Thief Libra" ], "source_name": "MISPGALAXY:Watchdog", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd", "created_at": "2023-01-06T13:46:39.434955Z", "updated_at": "2026-04-10T02:00:03.326016Z", "deleted_at": null, "main_name": "Returned Libra", "aliases": [ "8220 Mining Group" ], "source_name": "MISPGALAXY:Returned Libra", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3", "created_at": "2023-01-06T13:46:39.390649Z", "updated_at": "2026-04-10T02:00:03.311299Z", "deleted_at": null, "main_name": "Kinsing", "aliases": [ "Money Libra" ], "source_name": "MISPGALAXY:Kinsing", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434152, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/92fa8220e78baab4a4e686370664a5d9071678e4.pdf", "text": "https://archive.orkl.eu/92fa8220e78baab4a4e686370664a5d9071678e4.txt", "img": "https://archive.orkl.eu/92fa8220e78baab4a4e686370664a5d9071678e4.jpg" } }