FortiGuard Labs found persistent P2Pinfect infections inside Google Kubernetes Engine clusters, traced back to exposed Redis instances and long-dormant botnet activity that can later deliver miners or ransomware. The campaign expanded to use Metro4Shell and possibly RediShell for initial access, with overlap to React2Shell mining activity and identified P2Pinfect deployment artifacts and peer infrastructure. #P2Pinfect #GoogleKubernetesEngine #Metro4Shell #RediShell #React2Shell
Keypoints
- FortiGuard Labs observed persistent P2Pinfect activity in multiple Google Kubernetes Engine clusters at customer environments, including one compromise lasting six months.
- The initial foothold came from exposed Redis instances, showing how a single cloud misconfiguration can lead to long-term compromise.
- No second-stage payload was executed in the observed cases, but P2Pinfect is known to stay dormant before delivering ransomware or crypto miners.
- A new deployment script, deplyoer.sh, was identified installing P2Pinfect clients and retrieving binaries from a remote host.
- The botnet's peer infrastructure overlapped with clients linked to CVE-2025-11953, also known as Metro4Shell, expanding its exploitation beyond Redis to React.
- Low-confidence evidence suggests P2Pinfect may also be leveraging CVE-2025-49844, or RediShell, while infected hosts were vulnerable to it.
- Four exposed Redis nodes were also associated with cryptominers from a separate React2Shell exploitation campaign.
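The key points above trace the foothold to exposed Redis instances. The script below is an added example, not code from the FortiGuard Labs report, that audits a redis.conf for the exposure settings a defender checks first: wildcard or missing bind addresses, protected-mode switched off, no authentication, and administrative or scripting commands (including the EVAL family through which Lua sandbox bugs are reached) left reachable. The two configuration texts, the finding codes and the command list are constructed for this example.

```python
"""Audit a redis.conf for the exposure settings that let an Internet-facing
Redis node become an initial-access foothold.  Added example; the two
configuration texts below are constructed and are not from the report."""

# Bind targets that expose the listener on every interface.
DANGEROUS_BINDS = {"0.0.0.0", "::", "*"}

# Administrative and scripting commands a defender would rename or disable on
# an exposed node (a hardening choice made for this example, not a list from
# the report).  EVAL/EVALSHA matter because Lua sandbox bugs are reached
# through them.
RISKY_COMMANDS = {"CONFIG", "EVAL", "EVALSHA", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG"}


def parse_redis_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists seen.
    Comments are stripped at '#'; a password containing '#' would need quoting."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> list:
    """Return human-readable findings, each prefixed with a stable code."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Listener exposure: no bind directive at all, or a wildcard bind.
    binds = conf.get("bind")
    if binds is None:
        findings.append("BIND_ALL: no 'bind' directive, Redis listens on every interface")
    else:
        addrs = {a.lstrip("-") for args in binds for a in args}  # '-addr' marks an optional bind
        exposed = addrs & DANGEROUS_BINDS
        if exposed:
            findings.append(f"BIND_ALL: bind includes {sorted(exposed)}")

    # 2. Protected mode is the last guard for an unauthenticated, unbound node.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("PROTECTED_MODE_OFF: remote unauthenticated clients are accepted")

    # 3. Authentication: legacy requirepass or ACL users / aclfile.
    has_acl = "aclfile" in conf or "user" in conf
    if "requirepass" not in conf and not has_acl:
        findings.append("NO_AUTH: neither requirepass nor ACL users configured")

    # 4. Dangerous commands still reachable (skipped when ACLs may restrict them).
    if not has_acl:
        renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
        missing = RISKY_COMMANDS - renamed
        if missing:
            findings.append(f"RISKY_COMMANDS_ENABLED: {sorted(missing)} not renamed or disabled")

    return findings


# Constructed sample: defaults that end up Internet-exposed.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, password required, risky commands disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

Run it against a node's live redis.conf (or the output of CONFIG GET rewritten into directive form) to get a short, coded finding list that can be fed into a fleet-wide check; the rename-command check is deliberately skipped when ACLs are present, since ACL rules rather than renames are the usual way to restrict commands on Redis 6 and later.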
MITRE Techniques
- [T1190] Exploit Public-Facing Application - The attackers gained initial access by exploiting exposed Redis and React-related vulnerabilities ("exposed Redis instances", "using Metro4Shell as an initial access vector").
- [T1059.004] Command and Scripting Interpreter: Unix Shell - A shell script was used to retrieve and launch the P2Pinfect client ("This shell-based dropper retrieves a P2Pinfect client binary").
- [T1105] Ingress Tool Transfer - The malware downloaded its client binary from a remote server ("retrieves a P2Pinfect client binary from http://8[.]210[.]50[.]65:60126/linux").
- [T1027] Obfuscated Files or Information - The payload used packing and encoded arguments to conceal behavior ("UPX-packed Rust executable", "base64-encoded argument blob").
- [T1562.001] Impair Defenses: Disable or Modify Tools - The botnet's P2P design and dormancy help resist takedown and detection ("highly resilient to sinkholing and infrastructure takedowns", "remain dormant for extended periods").
- [T1090.002] Proxy: External Proxy - P2P peer infrastructure was used to route botnet communications and distribute binaries ("peer-to-peer (P2P) architecture", "join the botnet mesh").
- [T1071.001] Application Layer Protocol: Web Protocols - The malware used HTTP-based retrieval and peer communication patterns ("retrieves a P2Pinfect client binary from http://…").
- [T1204] User Execution - A deployed client was executed after retrieval by the dropper ("It then executes the binary").
- [T1057] Process Discovery - The text notes monitoring of running workloads and execution evidence, consistent with identifying active processes ("detects when your systems execute known-vulnerable code").
- [T1496] Resource Hijacking - The campaign included cryptominers and compute hijacking behavior ("hosting and deploying crypto miners", "Compute Hijacking").
- [T1055] Process Injection - Some variants reportedly have usermode rootkit capabilities, implying stealthy process manipulation ("Some variants … have usermode rootkit capabilities").
- [T1611] Escape to Host - RediShell and related Redis sandbox escapes enabled execution outside the intended sandbox ("bypass the Lua sandbox", "sandbox escape vulnerability").
- [T1068] Exploitation for Privilege Escalation - Exploitation of sandbox escape flaws was used to gain native execution ("granting native code execution").
Indicators of Compromise
- [IP addresses] P2Pinfect peer infrastructure and payload hosting, plus bootstrap nodelist records - 8[.]210[.]50[.]65, 8[.]218[.]225[.]42, and 2 more IPs
- [File hashes] Deployment script and client binaries recovered from the campaign - 80676a539765a9e117f20b6b99887eca, 5d1ca537c4bedebf2f4d276d4199ea95, and 3 more hashes
- [File names] Deployment and payload artifacts used by the botnet - deplyoer.sh, /top/RarF51vUe0
- [URLs] Binary download source used by the dropper - http://8[.]210[.]50[.]65:60126/linux
- [Ports] Non-standard peer communication and payload delivery ports - 60126, plus other non-standard peer ports
- [Vulnerability identifiers] Exploitation vectors linked to botnet spread - CVE-2025-11953, CVE-2025-49844, CVE-2022-0543
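To turn the indicator list above into a detection, the script below is an added example (not part of the report) that keeps the published indicators defanged, refangs them only in memory, and searches constructed log lines (an egress proxy record, a process execution event and a file event) with boundary-aware patterns so that 8.210.50.65 does not fire inside a longer address such as 18.210.50.65. Only the indicators printed on the page are used; the elided "2 more IPs" and "3 more hashes" are not guessed, and the log lines and the /tmp path in them are constructed.

```python
"""Match the P2Pinfect indicators published in the summary against log lines.
Added example, not from the report.  The log lines are constructed; only the
indicators actually printed on the page are used (the elided '2 more IPs'
and '3 more hashes' are not guessed)."""

import re

# Indicators kept defanged exactly as published; they are refanged only in
# memory so reports built from the hit list stay non-clickable.
DEFANGED_IPS = ["8[.]210[.]50[.]65", "8[.]218[.]225[.]42"]
DEFANGED_URLS = ["http://8[.]210[.]50[.]65:60126/linux"]
FILE_HASHES = ["80676a539765a9e117f20b6b99887eca", "5d1ca537c4bedebf2f4d276d4199ea95"]
FILE_NAMES = ["deplyoer.sh", "/top/RarF51vUe0"]
PORTS = [60126]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_patterns() -> list:
    """Compile (kind, published_value, regex) triples.  The look-around
    boundaries stop 8.210.50.65 from matching inside 18.210.50.65 and a hash
    from matching inside a longer hex string."""
    pats = []
    for ip in DEFANGED_IPS:
        pats.append(("ip", ip, re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")))
    for url in DEFANGED_URLS:
        pats.append(("url", url, re.compile(re.escape(refang(url)))))
    for h in FILE_HASHES:
        pats.append(("md5", h, re.compile(r"(?<![0-9a-f])" + h + r"(?![0-9a-f])", re.IGNORECASE)))
    for name in FILE_NAMES:
        pats.append(("file", name, re.compile(re.escape(name) + r"(?![\w.-])")))
    for port in PORTS:
        # Only the ':port' form: a bare number would fire on PIDs and byte counts.
        pats.append(("port", str(port), re.compile(r":" + str(port) + r"(?!\d)")))
    return pats


PATTERNS = build_patterns()


def scan_lines(lines) -> list:
    """Return (line_number, kind, published_indicator) for every match."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, value, pat in PATTERNS:
            if pat.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed sample log lines: egress proxy, process execution, file event,
# and a benign line whose destination merely ends with the indicator's digits.
SAMPLE_LOGS = [
    "2025-11-03T10:12:41Z proxy pod=redis-0 ns=cache dst=8.210.50.65:60126 "
    "method=GET url=http://8.210.50.65:60126/linux status=200 bytes=2941824",
    '2025-11-03T10:12:43Z exec pod=redis-0 ns=cache comm=sh argv="sh /tmp/deplyoer.sh" ppid=1',
    "2025-11-03T10:12:50Z fim pod=redis-0 path=/top/RarF51vUe0 "
    "md5=5d1ca537c4bedebf2f4d276d4199ea95 action=created",
    "2025-11-03T10:13:02Z proxy pod=web-1 ns=frontend dst=18.210.50.65:443 "
    "method=GET url=https://example.test/ status=200",
]

if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} {value}")
```

The hit tuples carry the defanged form of each indicator, so they can be written straight into a ticket or report; the port pattern is intentionally restricted to the ":60126" form because a bare five-digit number appears in far too many unrelated fields to be a useful signal on its own.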