P2PInfect Botnet Exploits Exposed Redis Instances to Compromise Kubernetes Clusters
A sophisticated botnet known as P2PInfect has been actively targeting cloud environments by compromising Kubernetes clusters through exposed Redis instances. This Rust-based, peer-to-peer malware has evolved from infecting individual servers to establishing persistent footholds within managed cloud infrastructures.
Understanding P2PInfect’s Tactics
P2PInfect has a history of exploiting Redis, an in-memory data store widely utilized in web applications and cloud environments. The malware capitalizes on misconfigured Redis setups, particularly those lacking proper access controls, to infiltrate systems. By abusing Redis’s replication feature, P2PInfect enrolls compromised nodes into its peer-to-peer network, facilitating the spread of the infection.
A critical component of P2PInfect’s strategy is the exploitation of CVE-2022-0543, a Lua sandbox escape vulnerability with a CVSS score of 10.0. This vulnerability allows attackers to execute arbitrary code on vulnerable Redis instances, furthering the botnet’s reach and control.
The Infection Process
The attack begins when a Redis instance within a Kubernetes cluster is exposed to the internet without adequate access controls. Attackers connect to the vulnerable service and issue the SLAVEOF command, converting the legitimate Redis node into a follower of a malicious server under their control. This manipulation enables the loading of arbitrary modules from attacker-controlled infrastructure, granting the threat actors the ability to execute code within the container.
Between November 2025 and February 2026, FortiGuard Labs observed compromised Redis hosts establishing outbound peer-to-peer connections to multiple external nodes. This decentralized network design allows the botnet to distribute payloads, gather information about infected environments, and maintain communication without relying on a centralized command server, making disruption efforts more challenging.
Once a node is integrated into the P2P mesh, it remains dormant, awaiting instructions from the botnet operators. This deliberate patience suggests that the campaign is building a larger infrastructure for future exploitation rather than engaging in immediate malicious activities.
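The two footprints the infection process above leaves on the Redis side are a replication change toward a host outside the cluster and a module loaded from a location the operator never installed. The following script is an added detection example, not code from the article or from FortiGuard Labs: it scans Redis server-log lines for the notices Redis writes when SLAVEOF (REPLICAOF in current releases) is accepted and when a module is loaded, and it parses the output of INFO replication to confirm the node's current master. The allowlisted master network, the approved module directory, the log lines and the INFO output are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical allowlists for this cluster (assumptions, not from the article):
# replication masters may only live in the in-cluster pod range, and modules may
# only be loaded from one approved directory.
ALLOWED_MASTER_NETS = [ip_network("10.8.0.0/16")]
ALLOWED_MODULE_DIRS = ("/usr/lib/redis/modules/",)

# Redis logs a notice when a client turns the node into a replica and another
# when a module is loaded; these patterns match those two notices.
REPLICAOF_RE = re.compile(r"\b(?:REPLICAOF|SLAVEOF) (\S+):(\d+) enabled")
MODULE_RE = re.compile(r"Module '([^']*)' loaded from (\S+)")

# Constructed sample log lines in Redis' server-log layout; the addresses are
# documentation ranges and the module name and path are made up.
SAMPLE_LOG = """\
1:M 12 Jan 2026 10:14:02.118 * Ready to accept connections tcp
1:S 12 Jan 2026 10:15:40.503 * REPLICAOF 203.0.113.45:6379 enabled (user request from 'id=5 addr=198.51.100.7:51234 laddr=10.8.0.12:6379 fd=9 name= cmd=slaveof user=default')
1:S 12 Jan 2026 10:15:40.504 * Connecting to MASTER 203.0.113.45:6379
1:S 12 Jan 2026 10:15:41.220 * Module 'example' loaded from /tmp/example.so
"""

# Constructed output of INFO replication on the same node after the change.
SAMPLE_INFO_REPLICATION = """\
# Replication
role:slave
master_host:203.0.113.45
master_port:6379
master_link_status:up
"""


def master_is_allowed(host):
    """True only for masters inside the allowlisted networks. Hostnames are
    rejected because this (assumed) cluster replicates between pod IPs only."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_MASTER_NETS)


def scan_log(text):
    """Return (finding, detail) pairs for replication toward an unknown master
    and for modules loaded from outside the approved directory."""
    findings = []
    for line in text.splitlines():
        m = REPLICAOF_RE.search(line)
        if m:
            host, port = m.group(1), m.group(2)
            if not master_is_allowed(host):
                findings.append(("replication-to-unknown-master", f"{host}:{port}"))
            continue
        m = MODULE_RE.search(line)
        if m and not m.group(2).startswith(ALLOWED_MODULE_DIRS):
            findings.append(("module-from-unapproved-path", m.group(2)))
    return findings


def check_info_replication(text):
    """Parse INFO replication output and flag a replica whose master is not
    allowlisted; a master node or an allowlisted master yields no finding."""
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("role") != "slave":
        return []
    host = fields.get("master_host", "")
    if master_is_allowed(host):
        return []
    return [("replica-of-unknown-master", f"{host}:{fields.get('master_port', '')}")]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG) + check_info_replication(SAMPLE_INFO_REPLICATION):
        print(*finding)
```

In a cluster, the log scan runs over each Redis pod's stdout (the usual log destination in a container) and the INFO check runs on a schedule through the cluster's own monitoring, so a node that silently became a replica of an external address is caught even if the log line was already rotated away.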
Implications for Cloud Security
The impact of P2PInfect’s activities extends beyond individual infected servers. Kubernetes clusters often power critical business applications and house sensitive data, making compromised nodes a significant security risk. Organizations utilizing managed platforms like Google Kubernetes Engine (GKE) without stringent network controls are particularly vulnerable to such stealthy, long-term infections.
Recommendations for Mitigation
To protect against P2PInfect and similar threats, organizations should implement the following measures:
1. Secure Redis Instances: Ensure that Redis instances are not exposed to the internet without proper access controls.
2. Apply Patches Promptly: Regularly update Redis and other software components to address known vulnerabilities, including CVE-2022-0543.
3. Monitor Network Traffic: Implement monitoring solutions to detect unusual outbound connections that may indicate peer-to-peer botnet activity.
4. Restrict Unauthorized Commands: Configure Redis to disable potentially dangerous commands like SLAVEOF to prevent unauthorized replication.
5. Enhance Access Controls: Utilize strong authentication mechanisms and network segmentation to limit access to critical services.
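Items 1, 4 and 5 of the list above all come down to settings in redis.conf: what the server binds to, whether it requires authentication, and whether replication and module commands are reachable at all. The script below is an added example, not part of the article, that audits a redis.conf text for those settings. It places a constructed weak configuration of the kind the article describes next to a constructed hardened one and returns the checks the weak one fails; the bind address, the password placeholder and the exact set of commands it treats as dangerous are assumptions, and the enable-module-command directive it accepts as an alternative to renaming MODULE exists only in Redis 7 and later.

```python
import shlex

# Constructed: the shape of an unauthenticated instance reachable from anywhere.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same instance restricted to its pod address and loopback,
# authenticated, with replication, module and config commands disabled.
# The bind address and password are placeholders, not real values.
HARDENED_CONF = """\
bind 10.8.0.12 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-PLACEHOLDER
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
enable-module-command no
"""

# Commands this audit expects to be unreachable on a cluster node (assumed list).
DANGEROUS_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")
BIND_ALL = ("0.0.0.0", "::", "*", "-::*")


def parse_redis_conf(text):
    """Split redis.conf text into {directive: args} (last occurrence wins) and
    {COMMAND: new_name} collected from every rename-command line."""
    directives, renames = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the "" used to disable a command
        name, args = parts[0].lower(), parts[1:]
        if name == "rename-command" and len(args) == 2:
            renames[args[0].upper()] = args[1]
        else:
            directives[name] = args
    return directives, renames


def audit_redis_conf(text):
    """Return the list of failed checks; an empty list means every check passed."""
    directives, renames = parse_redis_conf(text)
    findings = []
    bind = directives.get("bind", [])
    if not bind or any(addr in BIND_ALL for addr in bind):
        findings.append("bind-all-interfaces")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode-off")
    # requirepass sets the default user's password; an explicit ACL user line
    # is accepted as the Redis 6+ equivalent.
    if "requirepass" not in directives and "user" not in directives:
        findings.append("no-authentication")
    for cmd in DANGEROUS_COMMANDS:
        disabled = renames.get(cmd) == ""
        if cmd == "MODULE" and directives.get("enable-module-command", [""])[0].lower() == "no":
            disabled = True
        if not disabled:
            findings.append(f"command-exposed:{cmd}")
    return findings


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Renaming a command to the empty string removes it from the command table, so a client that sends SLAVEOF to the hardened instance gets an unknown-command error instead of a replication change; on Redis 6 and later the same effect can be had per user through ACL rules, which the audit above does not inspect.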
By adopting these practices, organizations can reduce the risk of P2PInfect infiltrations and strengthen their overall cloud security posture.