P2Pinfect Botnet Exploits Exposed Redis Instances to Infiltrate Google Kubernetes Engine Clusters
A persistent P2Pinfect botnet campaign has been targeting Google Kubernetes Engine (GKE) clusters by exploiting misconfigured Redis instances, enabling attackers to maintain access for up to six months in some environments. Security researchers at FortiGuard Labs detected the activity, revealing how a single cloud misconfiguration can lead to long-term compromise.
The P2Pinfect malware operates as a self-propagating, peer-to-peer (P2P) botnet, distinguishing itself from traditional botnets by using a decentralized mesh of infected nodes rather than a centralized command-and-control (C2) server. This architecture complicates disruption efforts, as infected systems communicate over non-standard ports, evading detection while maintaining persistence.
The infection chain begins with publicly exposed Redis services, a known attack vector. Attackers deploy a shell-based dropper script (deplyoer.sh), which fetches a UPX-packed Rust binary from a remote server. The payload is ChaCha20-encrypted, but with a trivial all-zeros key and nonce, so the encryption serves as obfuscation rather than real protection. Once decoded, the binary reveals a list of peer nodes (IP:Port combinations) that integrate the infected system into the botnet.
While no follow-on payloads (e.g., ransomware or cryptominers) were observed in these incidents, P2Pinfect is known to remain dormant before deploying malicious modules. Some variants include user-mode rootkit functionality, enabling stealthy persistence. Fortinet’s telemetry suggests the botnet may function as a "botnet-for-hire", where operators scale infections while third parties deploy custom payloads later.
A notable evolution in this campaign is P2Pinfect’s expansion beyond Redis exploits. Between November 2025 and February 2026, researchers linked botnet peers to CVE-2025-11953 (Metro4Shell), a critical remote code execution (RCE) vulnerability in the React Native Metro server. The rapid weaponization of this flaw shortly after public proof-of-concept (PoC) code emerged demonstrates the botnet’s ability to incorporate newly disclosed vulnerabilities into its attack chain.
Additionally, researchers assessed CVE-2025-49844 (RediShell), a Redis Lua sandbox escape vulnerability, as a plausible but unconfirmed initial access vector. The timing and exposure conditions align with the campaign, though no direct exploitation was verified. Attackers may have also abused Redis replication features (e.g., the SLAVEOF command) to execute malicious code on exposed nodes.
In a related finding, four compromised Redis nodes were simultaneously infected with cryptominers tied to a separate React2Shell campaign active in December 2025, indicating that multiple threat actors may be targeting the same vulnerable cloud environments.
The campaign highlights the risks of exposed cloud services, where a single misconfiguration can grant attackers a persistent foothold. With P2Pinfect continuing to evolve and adopt new exploits, the threat underscores the need for proactive security measures in Kubernetes and cloud environments.
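The root cause described above is a Redis instance that is reachable from the network, accepts commands without authentication, and still exposes replication (SLAVEOF/REPLICAOF) and CONFIG. As an added example (not code from the article or Fortinet), the following script audits redis.conf text for exactly those conditions and compares a weak configuration with two hardened ones, one using rename-command and one using a Redis ACL rule. The finding names and the three sample configurations are constructed here; the checks are a heuristic over the config file only (an aclfile directive counts as authentication but its contents are not read).

```python
"""Audit redis.conf text for the exposure that lets an exposed Redis be abused:
no bind restriction, protected mode off, no authentication, and sensitive commands
left callable. Added example; finding names and sample configs are constructed."""
import shlex

# Replication commands from the abuse path, plus the others Redis groups under @dangerous.
SENSITIVE_COMMANDS = ("SLAVEOF", "REPLICAOF", "CONFIG", "MODULE", "DEBUG")
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return (directive, args) tuples; comments and blank lines skipped, directive lowercased."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours quoting, e.g. rename-command SLAVEOF ""
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a sorted list of finding strings; an empty list means nothing was flagged."""
    entries = parse_redis_conf(text)

    def get(name):
        return [args for directive, args in entries if directive == name]

    findings = set()

    # 1. Reachability: without 'bind', Redis listens on every interface.
    binds = get("bind")
    if not binds:
        findings.add("bind-missing-listens-on-all-interfaces")
    elif any(addr in WILDCARD_BINDS for args in binds for addr in args):
        findings.add("bind-wildcard-address")
    protected = get("protected-mode")
    if protected and protected[-1] and protected[-1][0].lower() == "no":
        findings.add("protected-mode-disabled")

    # 2. Authentication: requirepass, an ACL file, or a 'user' rule carrying a password.
    users = get("user")
    has_requirepass = any(args and args[0] for args in get("requirepass"))
    has_acl_password = any(a.startswith((">", "#")) for args in users for a in args)
    if not (has_requirepass or get("aclfile") or has_acl_password):
        findings.add("no-authentication-configured")
    for args in users:
        if args[:1] == ["default"] and "nopass" in args and "off" not in args:
            findings.add("default-user-nopass")

    # 3. Command surface: each sensitive command should be renamed away or ACL-denied.
    disabled = {args[0].upper() for args in get("rename-command")
                if len(args) == 2 and args[1] == ""}
    acl_denies = {a.lower() for args in users for a in args if a.startswith("-")}
    for cmd in SENSITIVE_COMMANDS:
        denied = cmd in disabled or acl_denies & {"-@all", "-@dangerous", "-" + cmd.lower()}
        if not denied:
            findings.add("command-unrestricted:" + cmd)
    return sorted(findings)


# Constructed sample 1: the exposed, unauthenticated instance the article describes.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed sample 2: loopback-only, password-protected, sensitive commands renamed away.
# The requirepass value is a placeholder, not a real credential.
HARDENED_CONF = """
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
"""

# Constructed sample 3: same goal via a Redis ACL rule on the default user (placeholder secret,
# constructed private bind address).
ACL_CONF = """
port 6379
bind 10.0.0.5
protected-mode yes
user default on >REPLACE-WITH-A-LONG-RANDOM-SECRET ~* &* +@all -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("acl", ACL_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

In a Kubernetes deployment the same text usually lives in a ConfigMap or a container image, so the audit can run in CI before the pod is ever scheduled; it complements, rather than replaces, network policy that keeps the Redis port off the internet.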
Source: https://gbhackers.com/p2pinfect-botnet-targets-kubernetes/
Google Cloud cybersecurity rating report: https://www.rankiteo.com/company/google-cloud
"id": "GOO1779352039",
"linkid": "google-cloud",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology, Cloud Computing',
'name': 'Google Kubernetes Engine (GKE) Users',
'type': 'Cloud Service Users'}],
'attack_vector': ['Exposed Redis Instances',
'CVE-2025-11953 (Metro4Shell)',
'Possible CVE-2025-49844 (RediShell)'],
'data_breach': {'data_encryption': 'ChaCha20 (trivial key/nonce for '
'obfuscation)'},
'date_detected': '2025-11-01',
'description': 'A persistent P2Pinfect botnet campaign has been targeting '
'Google Kubernetes Engine (GKE) clusters by exploiting '
'misconfigured Redis instances, enabling attackers to maintain '
'access for up to six months in some environments. The '
'P2Pinfect malware operates as a self-propagating, '
'peer-to-peer (P2P) botnet, using a decentralized mesh of '
'infected nodes to evade detection and maintain persistence. '
'The infection chain begins with publicly exposed Redis '
'services, deploying a shell-based dropper script that fetches '
'a UPX-packed Rust binary. The botnet may function as a '
"'botnet-for-hire,' with potential for follow-on payloads like "
'ransomware or cryptominers. The campaign also expanded to '
'exploit CVE-2025-11953 (Metro4Shell) and possibly '
'CVE-2025-49844 (RediShell).',
'impact': {'operational_impact': 'Persistent access for up to six months, '
'potential for follow-on malicious '
'activities',
'systems_affected': 'Google Kubernetes Engine (GKE) Clusters, '
'Redis Instances'},
'initial_access_broker': {'backdoors_established': 'P2Pinfect botnet '
'integration',
'entry_point': 'Exposed Redis Instances',
'high_value_targets': 'Google Kubernetes Engine '
'(GKE) Clusters'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incident highlights the risks of exposed cloud '
'services, where a single misconfiguration can grant '
'attackers a persistent foothold. Proactive security '
'measures are critical in Kubernetes and cloud '
'environments.',
'motivation': ['Botnet-for-Hire',
'Potential for Follow-on Payloads (Ransomware, Cryptominers)'],
'post_incident_analysis': {'corrective_actions': ['Secure exposed services',
'Patch vulnerabilities',
'Implement network '
'segmentation',
'Enhance monitoring'],
'root_causes': ['Misconfigured Redis services',
'Exploitation of CVE-2025-11953 '
'(Metro4Shell)',
'Possible exploitation of '
'CVE-2025-49844 (RediShell)']},
'recommendations': 'Secure Redis instances, monitor for exposed services, '
'patch vulnerabilities promptly, and implement network '
'segmentation and enhanced monitoring.',
'references': [{'source': 'FortiGuard Labs'}],
'response': {'third_party_assistance': 'FortiGuard Labs'},
'threat_actor': 'P2Pinfect Botnet Operators',
'title': 'P2Pinfect Botnet Exploits Exposed Redis Instances to Infiltrate '
'Google Kubernetes Engine Clusters',
'type': 'Botnet Infection',
'vulnerability_exploited': ['Misconfigured Redis Services',
'CVE-2025-11953',
'CVE-2025-49844']}