P2PInfect
P2PInfect is a self-propagating malware family written in Rust that operates as a decentralized peer-to-peer worm/botnet; it was first observed in mid-2023. It primarily targets Redis instances exposed to the internet, including unauthenticated or vulnerable deployments, and has also been observed compromising Kubernetes environments, including Google Kubernetes Engine (GKE) clusters. Reported Redis tradecraft includes abuse of misconfigured replication via the SLAVEOF command and exploitation of CVE-2022-0543; FortiGuard also linked some P2PInfect activity to exploitation of CVE-2025-11953 (Metro4Shell) against React Native Metro development servers, and assessed with low confidence that CVE-2025-49844 (RediShell) may also have been incorporated as an access vector.
The malware uses a resilient P2P mesh rather than centralized C2, with peer communications over non-standard ports and bootstrap node lists embedded in the arguments passed to the client binary. Payload delivery has been observed via uniform peer-hosted paths such as /Linux, /Windows, and /IP. Recovered samples in the cited cluster were Rust binaries, generally packed with UPX. A FortiGuard-observed deployment script, deployer.sh/deplyoer.sh (MD5: 80676a539765a9e117f20b6b99887eca), downloaded a Linux x86_64 client from http://8[.]210[.]50[.]65:60126/linux, wrote it to /top/RarF51vUe0, and dropped a sample with MD5 5d1ca537c4bedebf2f4d276d4199ea95. Additional reported sample hashes include Linux client MD5 a1a35afebb585917675534de3d610c93 and Windows client MD5 08ad2c2877edda9a050b81d011c1c003. FortiGuard reported that the client takes a base64 argument blob and runs it through ChaCha20 with an all-zero key and nonce; because the key material is fixed and known to anyone holding the binary, this is obfuscation rather than confidentiality, and the decrypted data contained structured bootstrap peer IP:port records.
Operationally, P2PInfect has shown long-lived persistence: FortiGuard documented infections in GKE clusters at several client companies, including one compromise lasting six months, with no second-stage payload executed in the monitored environments. The malware has been described as capable of remaining dormant for extended periods before later delivery of ransomware and cryptominers, and some variants reportedly include usermode rootkit capabilities. Reporting also states there is evidence P2PInfect may function as a botnet-for-hire platform where other actors deploy their own second-stage payloads.
Observed follow-on activity associated with P2PInfect includes deployment of Monero cryptominers and ransomware on internet-exposed, unpatched Redis servers. Separate reporting on Linux SSH honeypot activity found P2PInfect to be the dominant attack source in Q1 2026, accounting for 70.3% of observed attack sources, and noted that the malware also includes a basic SSH password sprayer. Targeted environments named in the cited reporting include Linux systems, Windows systems, Redis servers, React Native Metro servers, Kubernetes clusters, and cloud-hosted GKE environments.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories. Shared context for all three rows (FortiGuard Labs): “FortiGuard Labs recently identified persistent P2Pinfect presences within Google Kubernetes Engine (GKE) clusters at several client companies... While our telemetry indicated that no second-stage payload was ever executed, this botnet has been observed in the wild to remain dormant for extended periods before delivering ransomware and crypto miners.”
CVE-2022-0543 (Redis Lua sandbox escape; confirmed vector): “RediShell has the same sandbox escape vulnerability as CVE-2022-0543, a confirmed vector of P2Pinfect, and the infected hosts were vulnerable to it.”
CVE-2025-11953 (Metro4Shell; React Native Metro development server): “We also observed that some infected Redis nodes contacted P2Pinfect peers that were deployed by exploiting CVE-2025-11953 (aka Metro4Shell, a React vulnerability) in November 2025.”
CVE-2025-49844 (RediShell; low-confidence assessment): “We also speculate with low confidence that P2Pinfect botnet might have incorporated CVE-2025-49844 (aka RediShell) in their repertoire.”
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
“The infection begins the moment a Redis instance inside a Kubernetes cluster is reachable without proper access controls in place. Attackers connect to the exposed service and issue the SLAVEOF command...”
“The compromises originated from exposed Redis instances, which allowed the botnet to gain an initial foothold.”
“the botnet successfully incorporated the critical Metro4Shell vulnerability affecting React Native development servers”
Execution
4 techniques
“these open database configurations left enterprise clusters entirely vulnerable to remote command execution”
“This shell-based dropper retrieves a P2Pinfect client binary from http://8[.]210[.]50[.]65:60126/linux and writes it to /top/RarF51vUe0... It then executes the binary with a large base64-encoded argument blob.”
“These clients were further linked to active exploitation of CVE-2025-11953, a critical unauthenticated remote code execution vulnerability in the React Native Metro development server, publicly designated ‘Metro4Shell’.”
Persistence
2 techniques
“P2Pinfect has been observed in the wild abusing the SLAVEOF command to turn discovered open nodes into followers of the attacker’s server, thereby gaining code execution.”
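The SLAVEOF abuse described in the summary and in the Initial Access and Persistence evidence above leaves a trace: Redis logs the replication change and the client that requested it. The detector below is an added example, not code from the page or from any vendor report. It parses Redis server log lines (pid:role timestamp level message) and flags any REPLICAOF/SLAVEOF request or master connection whose target is not on an allowlist. The sample log lines, the client-info text and the allowlisted primary are constructed for this example (documentation address ranges), not observed indicators.

```python
"""Flag Redis replication changes that point at an unexpected master.

Added example. P2PInfect's reported Redis tradecraft is to issue SLAVEOF
(REPLICAOF on Redis 5+) against an exposed instance so it syncs from an
attacker-controlled "master". Redis writes a notice for the request and for
the outbound master connection; anything not in the allowlist is suspicious.
"""
import re
from dataclasses import dataclass

# Constructed sample log. 192.0.2.0/24 and 203.0.113.0/24 are documentation
# ranges; the client-info string is shortened to the fields used here.
SAMPLE_LOG = """\
1:M 05 Mar 2026 09:12:01.100 * Ready to accept connections tcp
1:M 05 Mar 2026 09:40:17.204 * REPLICAOF 203.0.113.9:60126 enabled (user request from 'id=7 addr=203.0.113.9:51820 laddr=10.0.0.5:6379 fd=8 name= cmd=replicaof user=default')
1:S 05 Mar 2026 09:40:17.205 * Connecting to MASTER 203.0.113.9:60126
1:S 05 Mar 2026 09:40:17.210 * MASTER <-> REPLICA sync started
1:S 05 Mar 2026 09:40:18.002 * MASTER <-> REPLICA sync: Finished with success
1:M 05 Mar 2026 10:02:44.771 * REPLICAOF 192.0.2.20:6379 enabled (user request from 'id=9 addr=192.0.2.20:41000 laddr=10.0.0.5:6379 fd=9 name= cmd=replicaof user=default')
"""

# Constructed: the one primary this replica is allowed to follow.
ALLOWED_MASTERS = {("192.0.2.20", 6379)}

# Redis log line: "<pid>:<role> <timestamp> <level> <message>"; level is one of . - * #
LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) (?P<ts>\d{2} \w{3} \d{4} [\d:.]+) (?P<level>[.\-*#]) (?P<msg>.*)$"
)
# Redis 5+ logs "REPLICAOF host:port enabled (user request from '...')"; older builds "SLAVE OF".
REPLICAOF_RE = re.compile(
    r"^(?:REPLICAOF|SLAVE OF) (?P<host>\S+):(?P<port>\d+) enabled \(user request from '(?P<client>[^']*)'\)"
)
CONNECT_RE = re.compile(r"^Connecting to MASTER (?P<host>\S+):(?P<port>\d+)$")
ADDR_RE = re.compile(r"\baddr=(\S+)")  # \b keeps "laddr=" from matching


@dataclass(frozen=True)
class Alert:
    ts: str
    event: str       # "replicaof" (command accepted) or "connect" (sync attempt)
    master: str      # host:port the instance was told to follow
    requester: str   # client address that issued the command, "" if not logged


def detect_replication_hijack(log_text, allowed=ALLOWED_MASTERS):
    """Return one Alert per log line that involves a master outside the allowlist."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        r = REPLICAOF_RE.match(msg)
        if r:
            master = (r["host"], int(r["port"]))
            if master not in allowed:
                a = ADDR_RE.search(r["client"])
                alerts.append(Alert(m["ts"], "replicaof", f"{master[0]}:{master[1]}",
                                    a.group(1) if a else ""))
            continue
        c = CONNECT_RE.match(msg)
        if c:
            master = (c["host"], int(c["port"]))
            if master not in allowed:
                alerts.append(Alert(m["ts"], "connect", f"{master[0]}:{master[1]}", ""))
    return alerts


if __name__ == "__main__":
    for alert in detect_replication_hijack(SAMPLE_LOG):
        print(alert)
```

The requester address is worth keeping in the alert: in the replication-hijack pattern the host issuing SLAVEOF and the "master" it names are typically the same attacker-controlled peer, which is exactly what the first sample line shows. The allowlisted REPLICAOF from the legitimate primary produces no alert.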
Privilege Escalation
1 technique
“RediShell (CVE-2025-49844) is a critical RCE that allows an authenticated user to bypass the Lua sandbox by sending a maliciously crafted script to manipulate the garbage collector, thereby granting native code execution.”
Defense Evasion
4 techniques
“Some variants of the P2Pinfect clients also have usermode rootkit capabilities.”
“The base64 argument blob passed to the binary at execution is processed through a ChaCha20 stream cipher before use. However, the encryption key and nonce are both composed entirely of zero bytes, rendering the encryption effectively decorative and serving as an obfuscation layer.”
“Once a node was enrolled in the P2P mesh, it stayed relatively quiet, a behavior the researchers described as dormant. The bots appeared to be waiting, ready to receive tasks from operators at any time.”
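Both the summary paragraph and the evidence quote above make the same point: ChaCha20 under an all-zero key and nonce is a fixed keystream XOR, so anyone with a sample can recover the bootstrap peer list. The block below is an added example, not code from the page or from the malware. It implements ChaCha20 per RFC 8439 in pure Python so the keystream can be checked against the RFC's zero-key, zero-nonce test vector, decodes a base64 blob, and parses the plaintext into IP:port records. The record layout (4-byte IPv4 followed by a 2-byte big-endian port) and the sample peers are assumptions for this example; the page does not describe the real record structure, and with an all-zero nonce the IETF (96-bit nonce) and original (64-bit nonce) layouts produce the same keystream.

```python
"""Decode a P2PInfect-style argument blob: base64, then ChaCha20 XOR with a
key and nonce of all zero bytes.

Added example, not the malware's code. Record layout and sample peers are
assumed for the demo; the analysis only states "structured IP:port records".
"""
import base64
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
ZERO_KEY = bytes(32)
ZERO_NONCE = bytes(12)   # all zeros: identical keystream for IETF and djb nonce layouts


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3): constants, key, counter, nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_keystream(length, key=ZERO_KEY, nonce=ZERO_NONCE):
    """Keystream starting at block counter 0; with the zero key/nonce it is a public constant."""
    out, counter = b"", 0
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return out[:length]


def chacha20_xor(data, key=ZERO_KEY, nonce=ZERO_NONCE):
    """Encryption and decryption are the same XOR, so this both obfuscates and recovers."""
    return bytes(a ^ b for a, b in zip(data, chacha20_keystream(len(data), key, nonce)))


def decode_arg_blob(blob_b64):
    """base64 text -> ChaCha20(zero key, zero nonce) -> plaintext bytes."""
    return chacha20_xor(base64.b64decode(blob_b64))


def parse_peer_records(plaintext):
    """Assumed layout: consecutive 6-byte records, 4-byte IPv4 + 2-byte big-endian port."""
    peers = []
    for off in range(0, len(plaintext) - len(plaintext) % 6, 6):
        ip = ipaddress.IPv4Address(plaintext[off:off + 4])
        (port,) = struct.unpack(">H", plaintext[off + 4:off + 6])
        peers.append(f"{ip}:{port}")
    return peers


def build_sample_blob(peers):
    """Constructed input for the demo: pack the peers and apply the same obfuscation."""
    raw = b"".join(ipaddress.IPv4Address(h).packed + struct.pack(">H", p) for h, p in peers)
    return base64.b64encode(chacha20_xor(raw)).decode()


if __name__ == "__main__":
    # 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real peers.
    blob = build_sample_blob([("192.0.2.10", 60126), ("198.51.100.7", 9000)])
    print(blob)
    print(parse_peer_records(decode_arg_blob(blob)))
```

The practical consequence for a responder is that the bootstrap list is recoverable from the process command line alone (the argument blob is visible in /proc/<pid>/cmdline or an EDR process-creation event) without emulating the binary; the keystream check in the test below confirms the implementation against the RFC 8439 zero-key vector before trusting its output.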
Credential Access
2 techniques
“P2Pinfect primarily spreads by exploiting Redis vulnerabilities and also includes a basic SSH password sprayer.”
Discovery
2 techniques
“The botnet used this network to distribute payloads, gather information about the infected environment, and maintain communication without relying on a centralized command server.”
Lateral Movement
1 technique
“Several peer nodes were independently flagged for SSH and exploit attacks.”
Command and Control
5 techniques
“Once inside, infected hosts begin communicating with other botnet peers, slowly growing the network while waiting for further instructions.”
P2Pinfect is a self-propagating malware strain that combines worm-like spreading capabilities with a decentralized botnet architecture. This peer-to-peer (P2P) architecture makes it highly resilient to sinkholing and infrastructure takedowns.
“P2Pinfect is a resilient botnet that uses a peer-to-peer mesh of compromised computers to eliminate single points of failure, making it significantly harder to sinkhole and take down.”
This shell-based dropper retrieves a P2Pinfect client binary from http://8[.]210[.]50[.]65:60126/linux and writes it to /top/RarF51vUe0.
P2PInfect peers’ communication occurs over non-standard ports.
Impact
2 techniques
“While our telemetry indicated that no second-stage payload was ever executed, this botnet has been observed in the wild to remain dormant for extended periods before delivering ransomware and crypto miners.”
The malware remains dormant for extended periods and has been observed hosting and deploying crypto miners and ransomware in the wild.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Values that appear in the reporting cited on this page:
Network infrastructure: payload server 8[.]210[.]50[.]65:60126 (client fetched from /linux; peer-hosted paths /Linux, /Windows, and /IP also reported); peer-to-peer traffic over non-standard ports.
File hashes (MD5): 80676a539765a9e117f20b6b99887eca (deployer.sh/deplyoer.sh dropper), 5d1ca537c4bedebf2f4d276d4199ea95 (Linux client dropped by it), a1a35afebb585917675534de3d610c93 (Linux client), 08ad2c2877edda9a050b81d011c1c003 (Windows client).
Other indicators: on-disk path /top/RarF51vUe0; a large base64 argument blob passed to the client at execution, decoded with ChaCha20 under an all-zero key and nonce.
Recent activity
8 sources tracked across advisories, community write-ups, and news. Summaries of the sources:
A resilient Rust-based peer-to-peer botnet/worm that compromises exposed Redis instances and other targets, maintains persistence through a decentralized mesh architecture, and is reportedly rented out to other criminals for deploying follow-on payloads such as ransomware or crypto miners.
A Rust-based peer-to-peer botnet malware that targets exposed or vulnerable Redis instances, abuses Redis replication and CVE-2022-0543 for code execution, enrolls hosts into a decentralized mesh, and can maintain dormant persistence in Kubernetes and cloud environments. The content also notes earlier versions deployed ransomware and cryptocurrency miners.
A Rust-based self-propagating P2P botnet/worm that primarily spreads via Redis exploitation and SSH password spraying. It targets Linux, Windows, containers, Kubernetes, and routers, can remain dormant for long periods, and has been observed delivering second-stage payloads including ransomware and crypto miners. Some variants also have usermode rootkit capabilities.