P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances

A well-known botnet is now targeting cloud environments in a more calculated way than before. P2PInfect, a Rust-written peer-to-peer malware active since mid-2023, has been observed compromising Kubernetes clusters by breaking into Redis instances left exposed to the internet.

The campaign marks a notable shift, moving from simple server infections to persistent footholds inside managed cloud infrastructure.

P2PInfect has built a strong reputation for going after Redis, an in-memory data store widely used in web applications and cloud environments.

The malware exploits misconfigured Redis setups, often abusing the database’s built-in replication feature to enroll compromised nodes into its peer-to-peer mesh network.

Once inside, infected hosts begin communicating with other botnet peers, slowly growing the network while waiting for further instructions.

The botnet also leverages CVE-2022-0543, a critical Lua sandbox escape vulnerability with a perfect CVSS score of 10.0, to gain code execution on vulnerable Redis instances.

Researchers at Fortinet’s FortiGuard Labs said in a report shared with Cyber Security News that they analyzed several P2PInfect compromises across Google Kubernetes Engine (GKE) clusters, revealing a multi-stage infection chain that begins with an exposed Redis service and ends with a dormant but fully enrolled bot.

The findings make clear how a single misconfiguration can silently and quietly open the door to a persistent threat inside cloud environments.

The impact of this campaign extends well beyond a single infected server. Because Kubernetes clusters often power critical business applications and hold sensitive workload data, a compromised node represents a serious and growing risk.

Organizations running GKE or similar managed platforms without tight network controls are particularly exposed to this kind of quiet, long-term infection.

P2PInfect Botnet Compromises Kubernetes Clusters

The infection begins the moment a Redis instance inside a Kubernetes cluster is reachable without proper access controls in place.

Attackers connect to the exposed service and issue the SLAVEOF command, turning the legitimate Redis node into a follower of a malicious server under their control.

This tricks the node into loading arbitrary modules from attacker infrastructure, giving threat actors a direct path to execute code inside the container.

From November 2025 through February 2026, FortiGuard Labs observed compromised Redis hosts making outbound peer-to-peer mesh connections to multiple external nodes.

The botnet used this network to distribute payloads, gather information about the infected environment, and maintain communication without relying on a centralized command server.

This decentralized design makes disruption difficult since there is no single point to block or shut down.

Once a node was enrolled in the P2P mesh, it stayed relatively quiet, a behavior the researchers described as dormant. The bots appeared to be waiting, ready to receive tasks from operators at any time.

This deliberate patience suggests the campaign may be building a larger infrastructure for future exploitation rather than rushing to deploy ransomware or crypto miners immediately.

Dormant Behavior and the Broader Threat Landscape

P2PInfect’s dormant phase inside Kubernetes environments is what makes it especially difficult to detect. Traditional security tools often flag noisy activity, but a quietly enrolled bot with minimal outbound traffic can sit undetected for months.

Inside a busy cluster running many services, an infected container can blend in without raising immediate alarms.

Earlier versions deployed ransomware that encrypted files and demanded payment in Monero, along with cryptocurrency miners that silently consumed compute resources from infected hosts.

Even while dormant, an enrolled node puts organizations at serious risk since a damaging payload could arrive at any moment.

FortiGuard Labs recommends that teams avoid directly exposing Redis instances to the internet and enforce strict network policies inside Kubernetes clusters to limit pod-to-pod communication.

Regular audits for unauthorized outbound connections and the use of runtime security tools that flag abnormal container behavior are also strongly advised.

Keeping Redis fully patched and restricting the replication feature in production environments can meaningfully reduce the attack surface P2PInfect depends on to spread.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.