Badredis2s
Badredis2s is a modular, plugin-based backdoor Trojan identified as the backdoor component of the RingH23 server-side compromise framework attributed in the reporting to the Funnull cybercriminal group, also known as Fangneng CDN. It is also referenced by the filenames ring04h_office_bin and office_bin. The malware targets Linux server environments compromised through RingH23 infection chains, including attacks in which a GoEdge CDN management node is first compromised and used to push payloads to downstream edge nodes over SSH, as well as campaigns linked to poisoned MacCMS update infrastructure that deploy related server-side malware. Badredis2s provides long-term remote access over AES-128-CBC encrypted WebSocket tunnels and is described as dynamically retrieving primary C2 addresses from Microsoft Azure Blob Storage. If primary connectivity is blocked, it falls back to DNS tunneling using the open-source iodine tool; reporting also states it uses WSS-over-TLS first and can use a hardcoded backup C2. Reported Badredis2s-associated C2 domains include linuxdistro[.]net, debianhacks[.]net, fedoraforums[.]net, ubuntucommands[.]com, ntp[.]asia, ntporg[.]com, sbindns[.]com, and plusedns[.]com. In the broader RingH23 campaign, Badredis2s operated alongside other Linux components including infect_init, download_init, the Badnginx2s malicious Nginx module, and the Badhide2s LD_PRELOAD userland rootkit. The overall activity was reported to affect CDN infrastructure and large numbers of streaming/movie-related sites, enabling malicious JavaScript injection, traffic redirection to gambling and pornographic sites, and cryptocurrency wallet address swapping.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The most technically advanced component is the Badredis2s backdoor (ring04h_office_bin), which communicates over AES-128-CBC encrypted WebSocket tunnels..."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"Funnull pursued two separate infection routes. In the first, attackers compromised a GoEdge CDN management node... forcing all connected edge nodes to download and execute the RingH23 toolkit. In the second path, the group poisoned the official update channel of maccms.la... to deliver a malicious PHP backdoor."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Backdoor component providing persistent C2 via AES-128-CBC encrypted WebSocket tunnels with C2 addresses fetched from Azure Blob Storage; falls back to DNS tunneling using iodine if blocked.
Modular Linux backdoor with Dropper/Client/Plugin architecture. Decrypts XOR(0x23)+Base64 config, retrieves primary C2 via Azure Blob Storage with hardcoded fallback, uses WSS-over-TLS first and falls back to DNS tunneling (iodine-based). Supports remote command execution and plugin delivery (e.g., shell, filemanager, filesearch, filetransport, filedownloader).
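An added triage helper, not code from the reporting or from the malware: it undoes the XOR(0x23)+Base64 config encoding described above and flags any host that matches the C2 domains listed for this family. The layer order (XOR under Base64), the JSON layout of the sample config, and the Azure storage account name are assumptions made to build a runnable, constructed input.

```python
import base64
import json
import re

XOR_KEY = 0x23  # single-byte key reported for the Badredis2s config

# C2 domains reported for this family (defanging brackets removed for matching).
KNOWN_C2_DOMAINS = {
    "linuxdistro.net", "debianhacks.net", "fedoraforums.net", "ubuntucommands.com",
    "ntp.asia", "ntporg.com", "sbindns.com", "plusedns.com",
}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def decode_config(blob: str) -> bytes:
    """Base64-decode, then XOR each byte with 0x23.

    Assumption: the XOR layer sits under the Base64 layer. If a real sample
    decodes to garbage, try the reverse order before giving up.
    """
    raw = base64.b64decode(blob, validate=True)
    return bytes(b ^ XOR_KEY for b in raw)


def encode_config(plain: bytes) -> str:
    """Inverse transform; only used here to build the constructed sample."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in plain)).decode("ascii")


def extract_hosts(config: bytes) -> dict:
    """Return every host-like token plus the subset matching reported C2 domains."""
    text = config.decode("utf-8", errors="replace")
    hosts = sorted({m.group(0).lower() for m in HOST_RE.finditer(text)})
    return {"hosts": hosts, "known_c2": [h for h in hosts if h in KNOWN_C2_DOMAINS]}


# Constructed sample: the real on-disk layout is not documented on the page;
# this JSON only stands in for a config the decoder could be pointed at.
SAMPLE_PLAINTEXT = json.dumps({
    "blob_url": "https://example-account.blob.core.windows.net/c2/current",  # placeholder
    "backup_c2": "wss://ntporg.com:443/ws",
    "dns_fallback": "sbindns.com",
}).encode()
SAMPLE_CONFIG = encode_config(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    decoded = decode_config(SAMPLE_CONFIG)
    print(decoded.decode())
    print(extract_hosts(decoded))
```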