Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse



May 20, 2025 | Ravie Lakshmanan | Linux / Cryptojacking


Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that is targeting publicly accessible Redis servers.

The malicious activity has been codenamed RedisRaider by Datadog Security Labs.

"RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems," security researchers Matt Muir and Frederic Baguelin said.

The end goal of the campaign is to drop a Go-based primary payload that is responsible for unleashing an XMRig miner on compromised systems.

The activity entails using a bespoke scanner to identify publicly accessible Redis servers across the internet and then issuing an INFO command to determine whether the instances are running on a Linux host. If that is found to be the case, the scanning logic proceeds to abuse Redis's SET command to inject a cron job.


The malware then uses the CONFIG command to change the Redis working directory to "/etc/cron.d" and write to that location a database file named "apache", so that it is periodically picked up by the cron scheduler and runs a Base64-encoded shell script, which subsequently downloads the RedisRaider binary from a remote server.

The payload essentially serves as a dropper for a bespoke version of XMRig and also propagates the malware to other Redis instances, effectively expanding its reach and scale.

"In addition to server-side cryptojacking, RedisRaider's infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue generation strategy," the researchers said.

"The campaign incorporates subtle anti-forensics measures, such as short-key time-to-live (TTL) settings and database configuration changes, to minimize detection and hinder post-incident analysis."
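The command sequence described above is visible to defenders in `redis-cli MONITOR` output, and the following detector, an added example that is not part of the article or of Datadog's research, flags each step on a per-client basis: a CONFIG SET dir pointing into a cron directory, a dbfilename without the .rdb suffix, a SET value shaped like a crontab line, and a SAVE that persists the result. The MONITOR lines, client addresses and payload placeholder are constructed for the example.

```python
import re
from typing import Dict, List, Optional
# Directories the cron scheduler reads; a Redis working directory pointing here is never legitimate.
CRON_DIRS = {"/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron"}
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<argv>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # one double-quoted MONITOR argument
CRON_RE = re.compile(r'(?:[*\d/,-]+\s+){5}\S+')  # five schedule fields, then a user or command

# Constructed sample of `redis-cli MONITOR` output (not a real capture): one client walks the
# sequence the article describes, another does ordinary cache traffic.
SAMPLE_MONITOR = """\
1747734000.100000 [0 203.0.113.7:51234] "INFO" "server"
1747734000.200000 [0 203.0.113.7:51234] "SET" "backup" "\\n*/1 * * * * root <constructed payload>\\n"
1747734000.300000 [0 203.0.113.7:51234] "CONFIG" "SET" "dir" "/etc/cron.d"
1747734000.400000 [0 203.0.113.7:51234] "CONFIG" "SET" "dbfilename" "apache"
1747734000.500000 [0 203.0.113.7:51234] "SAVE"
1747734001.000000 [0 10.0.0.5:40000] "SET" "session:42" "user=alice" "EX" "3600"
1747734001.100000 [0 10.0.0.5:40000] "GET" "session:42"
"""

def parse_monitor_line(line: str) -> Optional[Dict]:
    """Split one MONITOR line into timestamp, client address and argv list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"], "argv": ARG_RE.findall(m["argv"])}

def classify(argv: List[str]) -> Optional[str]:
    """Label one command if it matches a step of the cron-injection chain, else None."""
    cmd = argv[0].upper() if argv else ""
    if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
        key, value = argv[2].lower(), argv[3]
        if key == "dir" and value.rstrip("/") in CRON_DIRS:
            return f"CONFIG SET dir points at a cron directory: {value}"
        if key == "dbfilename" and not value.endswith(".rdb"):
            return f"CONFIG SET dbfilename to a non-RDB name: {value}"
    if cmd == "SET" and len(argv) >= 3 and CRON_RE.search(argv[2]):
        return "SET value contains a crontab-style line"
    return None

def detect(monitor_text: str) -> Dict[str, List[str]]:
    """Group findings per client; a SAVE from an already-flagged client means the file hit disk."""
    findings: Dict[str, List[str]] = {}
    for ev in filter(None, map(parse_monitor_line, monitor_text.splitlines())):
        label = classify(ev["argv"])
        if label:
            findings.setdefault(ev["client"], []).append(label)
        elif ev["client"] in findings and ev["argv"] and ev["argv"][0].upper() in ("SAVE", "BGSAVE"):
            findings[ev["client"]].append("SAVE after suspicious CONFIG: file written to disk")
    return findings
```

Running `detect(SAMPLE_MONITOR)` reports four findings for the scanning client and nothing for the cache client; the same logic applies to a live `redis-cli MONITOR` feed or to a Redis instance whose CONFIG command has not been renamed or disabled.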

The disclosure comes as Guardz disclosed details of a targeted campaign exploiting legacy authentication protocols in Microsoft Entra ID to brute-force accounts. The activity, observed between March 18 and April 7, 2025, has been found to leverage BAV2ROPC (short for "Basic Authentication Version 2 – Resource Owner Password Credential") to bypass defenses like multi-factor authentication (MFA) and Conditional Access.

"The monitoring and investigation revealed systematic exploitation attempts that leveraged BAV2ROPC's inherent design limitations, which predated modern security architectures," Elli Shlomo, head of security research at Guardz, said. "The threat actors behind this campaign showed a deep understanding of identity systems."

The attacks are said to have originated mainly from Eastern Europe and the Asia-Pacific regions, primarily targeting admin accounts using legacy authentication endpoints.

"While regular users received the bulk of authentication attempts (50,214), admin accounts and shared mailboxes were targeted in a specific pattern, with admin accounts receiving 9,847 attempts across 432 IPs over 8 hours, suggesting an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour," the company said.


"This indicates a highly automated and concentrated attack campaign specifically designed to compromise privileged accounts while maintaining a broader attack surface against regular users."

This isn't the first time legacy protocols have been abused for malicious activities. In 2021, Microsoft divulged a large-scale business email compromise (BEC) campaign that used BAV2ROPC and IMAP/POP3 to bypass MFA and exfiltrate email data.

To mitigate the risks posed by such attacks, it is recommended to block legacy authentication via a Conditional Access policy, disable BAV2ROPC, and turn off SMTP AUTH in Exchange Online if it is not in use.
