惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
爱范儿
爱范儿
H
Help Net Security
Last Week in AI
Last Week in AI
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
IT之家
IT之家
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Jina AI
Jina AI
Google DeepMind News
Google DeepMind News
B
Blog
C
Check Point Blog
T
Tailwind CSS Blog
云风的 BLOG
云风的 BLOG
D
Docker
Recent Announcements
Recent Announcements
Vercel News
Vercel News
博客园 - 聂微东
阮一峰的网络日志
阮一峰的网络日志
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
Stack Overflow Blog
Stack Overflow Blog
雷峰网
雷峰网
人人都是产品经理
人人都是产品经理
月光博客
月光博客
F
Fortinet All Blogs
Blog — PlanetScale
Blog — PlanetScale
B
Blog RSS Feed
The Register - Security
The Register - Security
V
Visual Studio Blog
F
Full Disclosure
Hugging Face - Blog
Hugging Face - Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
PCI Perspectives
PCI Perspectives
Cisco Talos Blog
Cisco Talos Blog
博客园 - Franky
D
DataBreaches.Net
A
Arctic Wolf
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
Google Developers Blog
P
Palo Alto Networks Blog
Engineering at Meta
Engineering at Meta
Microsoft Azure Blog
Microsoft Azure Blog
T
Tenable Blog
L
LINUX DO - 热门话题
Spread Privacy
Spread Privacy

Fortinet All Blogs

The TTF Trap: A Global Campaign of a Low-Detection Lua Loader | FortiGuard Labs Helping Law Enforcement Keep Pace with the Future of Cybercrime | Fortinet Blog FortiEndpoint Expands Security for the AI Era | Fortinet Blog Cyber Attacks Leveraging AI Require Behavior-First Security Training, Not Simply Better Awareness | Fortinet Blog The AI Era Needs a New SASE. Here’s What That Actually Looks Like. | Fortinet Blog Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula | FortiGuard Labs Update on Fortinet Use of Frontier AI | CISO Collective Fortinet Supports INTERPOL Operation CyberProtect III Targeting Online Exploitation From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach | FortiGuard Labs Fortinet Launches Its Product Carbon Footprint Calculator FortiSASE Training Builds Skills for Secure Access Success | Fortinet Blog Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog Teaching Cybersecurity the Way It’s Actually Used | Fortinet Blog Introducing FortiSOC: One Platform, Total Control | Fortinet Blog Public-Private Cooperation Is Critical to AI-Driven Cyber Defense | Fortinet Advancing Threat-Informed Defense through Fortinet’s Collaboration with MITRE CTID | Fortinet Threat Actors Weaponize AI Hype to Deliver AsyncRAT | FortiGuard Labs Fortinet Achieves 1 Million People Trained in Cybersecurity Goal Ahead of Schedule | Fortinet Blog While OT Security Is Maturing, Risk Is Not Slowing Down | Fortinet Blog AI Policy Meets Operational Reality: White House AI Cybersecurity Order Calls for Public-Private Coordination | Fortinet Blog Executive Q&A: Strong Q1 Momentum Driven by Differentiated Innovation and Customer Demand | Fortinet Fortinet Earns AV-Comparatives Certification for EDR Detection Visibility | Fortinet Blog Cybercriminals Are Targeting the FIFA World Cup 2026 | FortiGuard Labs Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | FortiGuard Labs Battling AI-Based Threats with FortiNDR | Fortinet Blog Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data Defending Critical Infrastructure: Why OT Security Demands a Threat-Informed Approach | CISO Collective Fortinet Expands Cybersecurity Investment in the United Arab Emirates | Fortinet Blog PureLogs: Delivery via PawsRunner Steganography | FortiGuard Labs The Future of Connectivity | Fortinet Blog Fortinet at the World Economic Forum: Frontier AI models, AI-Driven Threats, Deepfakes, and the Future of Cyber Defense | Fortinet Blog The Fortinet 2025 Sustainability Report | Fortinet Blog Supercharged Security: Security in the Time of Mythos | CISO Collective Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign | FortiGuard Labs AI Security Is an Architectural Decision | Fortinet Blog Fortinet Training Institute Wins Industry Accolades | Fortinet Blog Shadow AI: The Invisible Risk Growing Inside Your Organization | Fortinet Blog Leading by Example in Sustainability: Fortinet Expands Global EPD Certification | Fortinet Blog When Cybercrime Becomes an Industry | Fortinet Blog FortiOS 8.0: Redefining Secure Networking in the AI and Quantum Era | Fortinet Blog Securing the Physical World as It Comes Online | Fortinet Blog Why the 2026 AI Cybersecurity Summit Matters | Fortinet Blog DPRK-Related Campaigns with LNK and GitHub C2 | FortiGuard Labs AI Is Changing Application Threats Faster Than Teams Can Adapt | Fortinet Blog Announcing the Fortinet Training Institute’s 2026 ATC Award Winners | Fortinet Blog Disrupting Cybercrime Networks at Scale Requires Sustained Global Collaboration | Fortinet Blog
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise | FortiGuard Labs
Akshat Pradhan · 2026-05-20 · via Fortinet All Blogs

Affected Platforms: Linux, Windows, containers, Kubernetes
Threat Type: Worm, botnet
Impact: Data Encrypted for Impact, Compute Hijacking
Severity Level: Moderate (early botnet exposure, long periods of dormancy)

FortiGuard Labs recently identified persistent P2Pinfect presences within Google Kubernetes Engine (GKE) clusters at several client companies, with one compromise spanning six months. The compromises originated from exposed Redis instances, which allowed the botnet to gain an initial foothold. The botnet's beaconing was repeatedly flagged in FortiCNAPP's Composite Alerts, underscoring how a single misconfiguration can enable long-term compromise in cloud environments. The IOCs observed across our customers also had significant overlap.

While our telemetry indicated that no second-stage payload was ever executed, this botnet has been observed in the wild to remain dormant for extended periods before delivering ransomware and crypto miners. Some variants of the P2Pinfect clients also have usermode rootkit capabilities.

We identified a new deployment script (deployer.sh 80676a539765a9e117f20b6b99887eca) used to install new P2Pinfect clients. We also observed that some infected Redis nodes contacted P2Pinfect peers that were deployed by exploiting CVE-2025-11953 (aka Metro4Shell, a React vulnerability) in November 2025. This highlights an expansion of P2Pinfect’s exploitation targets, going beyond Redis to also include React. We also speculate with low confidence that P2Pinfect botnet might have incorporated CVE-2025-49844 (aka RediShell) in their repertoire. RediShell has the same sandbox escape vulnerability as CVE-2022-0543, a confirmed vector of P2Pinfect, and the infected hosts were vulnerable to it.

Four of the exposed Redis nodes were also observed to have Crytominers, which was attributed to a separate parallel React2Shell exploitation campaign active in December of 2025.

Threat Background: P2Pinfect

P2Pinfect is a self-propagating malware strain that combines worm-like spreading capabilities with a decentralized botnet architecture. This peer-to-peer (P2P) architecture makes it highly resilient to sinkholing and infrastructure takedowns. Sinkholing is a technique in which malicious botnet traffic is redirected to a controlled environment, or sinkhole, to isolate, disrupt, and neutralize a botnet. This is primarily done by configuring DNS to return a sinkhole IP instead of the attackers' C2. The botnet is written in Rust and was first discovered in mid-2023. 

P2Pinfect primarily spreads by exploiting Redis vulnerabilities and also includes a basic SSH password sprayer. There is some evidence that P2Pinfect operates as a “botnet for hire” platform. The operators focus on scale: maximizing enrollment and maintaining persistent access across as many hosts as possible. Customers purchase access and then deploy their own second-stage payloads. This model is reflected in our telemetry, which shows continuous botnet peer communication without any second-stage payload execution. Extended periods of dormancy are a documented behavior of the P2Pinfect botnet, observed in prior reporting and consistent with operating a large-scale botnet for multiple independent customers. 

P2Pinfect Cluster Analysis

We identified and mapped the botnet peer nodes that were contacted by the compromised hosts by correlating anomalous outbound network connections from infected servers across relevant FortiCNAPP Composite Alerts over the campaign period.  

Analysis of the cluster revealed a consistent operational pattern across the botnet infrastructure. Multiple P2Pinfect variants were identified that are downloaded from and communicate with peer nodes. A deployment shell script was also identified that communicates with multiple peers. Several peer nodes were independently flagged for SSH and exploit attacks.  

P2PInfect peers’ communication occurs over non-standard ports. Payload delivery uses a uniform URI structure across peers (/Linux, /Windows, /IP) and is consistently used to distribute binaries. All P2PInfect samples recovered from this cluster are written in Rust and are generally packed via UPX.

Figure 2: P2Pinfect cluster

Deployment Script 

Script name: deplyoer.sh 

MD5: 80676a539765a9e117f20b6b99887eca 

This shell-based dropper retrieves a P2Pinfect client binary from http://8[.]210[.]50[.]65:60126/linux and writes it to /top/RarF51vUe0 (MD5: 5d1ca537c4bedebf2f4d276d4199ea95). It then executes the binary with a large base64-encoded argument blob. This behavior is consistent with P2Pinfect's documented behavior.

The client binary is a UPX-packed Rust executable targeting Linux x86_64. The base64 argument blob passed to the binary at execution is processed through a ChaCha20 stream cipher before use. However, the encryption key and nonce are both composed entirely of zero bytes, rendering the encryption effectively decorative and serving as an obfuscation layer. Decryption of the byte payload reveals a structured nodelist consisting of a 2-byte header followed by IP:Port records. The records are public IP addresses that constitute the P2P bootstrap peer list used by the malware to join the botnet mesh on first execution. 

We also decoded another argument blob used by one of the P2Pinfect peers that the infected Redis servers contacted, and we observed a similar encryption methodology and nodelist records.

Figure 4: P2Pinfect bootstrap nodelist

The Metro4Shell Connection 

From November 2025 through February 2026, the compromised Redis hosts were observed making outbound P2P mesh connections to numerous peers as part of normal P2Pinfect botnet activity. Six of these peers (8[.]218[.][.]225[.]42, 8[.]210[.]178[.]40, 47[.]86[.]5[.]176, 178[.]62[.]63[.]125, 47[.]237[.]140[.]12, 47[.]83[.]124[.]121) were identified as sharing an identical P2Pinfect Linux client (MD5: a1a35afebb585917675534de3d610c93). Another peer, 47[.]86[.]33[.]195, had a Windows P2Pinfect client (MD5: 08ad2c2877edda9a050b81d011c1c003). These clients were further linked to active exploitation of CVE-2025-11953, a critical unauthenticated remote code execution vulnerability in the React Native Metro development server, publicly designated “Metro4Shell”. 

VulnCheck reported active exploitation of this vulnerability on their honeypot between December 2025 and January 2026. We determined that the payloads delivered through this exploitation were UPX-packed P2Pinfect client binaries for Windows and Linux. These clients overlap with the binaries (a1a35afebb585917675534de3d610c93, 08ad2c2877edda9a050b81d011c1c003) we discovered in our datasets. Additionally, the peer 47[.]86[.]33[.]195 that our infected Redis server communicated with is identical to the payload-hosting infrastructure reported in the VulnCheck report. 

The overlap of these peers and binaries in our telemetry suggests that the P2Pinfect operators had begun using Metro4Shell as an initial access vector to recruit new botnet nodes as of November 16, 2025, the same month this vulnerability was reported and a week after public POCs became available.

The Speculated RediShell Vector

Figure 5: RediShell patch adoption and incident timeline

RediShell (CVE-2025-49844) is a critical RCE that allows an authenticated user to bypass the Lua sandbox by sending a maliciously crafted script to manipulate the garbage collector, thereby granting native code execution.

Our telemetry indicates that the hosts infected with P2Pinfect were vulnerable to RediShell until at least 29 November 2025. The other confirmed Redis exploit that P2Pinfect uses is CVE-2022-0543, another Redis Lua sandbox escape RCE.

On the other hand, P2Pinfect has been observed in the wild abusing the SLAVEOF command to turn discovered open nodes into followers of the attacker’s server, thereby gaining code execution. This could very well be the case for our exposed Redis servers. 

Thus, RediShell is assessed with low confidence as a plausible initial access vector for P2Pinfect, based on two key observations:

  1. RediShell’s similarity to P2Pinfect’s established exploitation techniques. 
  2. The timing of the initial P2Pinfect incidents on misconfigured, unpatched, and internet-exposed Redis hosts is consistent with opportunistic exploitation of a recently disclosed vulnerability prior to widespread patching.

Conclusion 

P2Pinfect is a resilient botnet that uses a peer-to-peer mesh of compromised computers to eliminate single points of failure, making it significantly harder to sinkhole and take down. The malware is written in Rust and targets multiple platforms, including Linux, Windows, and routers. The operators of P2Pinfect remain focused on maximizing enrollment and have expanded their initial access vectors to include Metro4Shell and, speculatively, RediShell.

The timeline of their weaponization of recently disclosed vulnerabilities suggests active development and opportunistic exploitation. The malware remains dormant for extended periods and has been observed hosting and deploying crypto miners and ransomware in the wild. The timeline of this campaign highlights how a single misconfiguration can enable long-term compromise in cloud environments.

Fortinet Protections 

FortiCNAPP helps identify misconfigured cloud environments and runtime threats. It detects compromised Redis nodes making suspicious or anomalous outbound connections. FortiCNAPP also correlates risk across posture, identity, and behavior to help prioritize critical vulnerabilities before they are exploited.

Figure 6: FortiCNAPP Composite Alert

Figure 7: FortiCNAPP polygraph for the Composite Alert

Additional endpoint and network-layer protections are available through Fortinet products including FortiGate, FortiClient, and FortiEDR, all of which utilize the FortiGuard AntiVirus engine for malware detection and prevention. Customers with these products and up-to-date protections are safeguarded against the threats described in this report through the following antivirus signatures:

  • Linux/Agent.XM!tr
  • Linux/Agent.XL!tr
  • W64/GenKryptik.HJPA!tr
  • Riskware/Miner

RiskWatch, a new capability within the FortiCNAPP Agent, continuously monitors running cloud workloads to pinpoint exactly which vulnerabilities attackers can exploit. It detects when your systems execute known-vulnerable code and provides precise evidence of exposure, along with clear remediation steps. 

The FortiGuard IP Reputation and Anti-Botnet Security Service, available on FortiGate and FortiWeb, blocks known malicious source IPs associated with mining operations, C2 activity, and dropper infrastructure. It aggregates data from Fortinet's global threat intelligence network, including FortiSandbox, honeypots, CERTs, and trusted partners.

Organizations are also encouraged to take advantage of Fortinet’s free NSE training module, FCF – Fortinet Certified Fundamentals, which helps users recognize and defend against phishing and other social engineering attacks. 

If you believe this or any other cybersecurity threat has affected your organization, please contact the FortiGuard Incident Response Team for immediate assistance. 

IOCs 

P2Pinfect botnet peers

P2Pinfect argument nodelist

React2Shell exploitation miner payloads