The P2PInfect botnet, a sophisticated piece of malware written in Rust, has been actively targeting cloud infrastructures since mid-2023. This botnet is now focusing on Kubernetes clusters by exploiting publicly accessible Redis instances. This shift represents a significant evolution in its tactics, moving from basic server infections to establishing a lasting presence within managed cloud platforms.
Exploiting Redis for Botnet Expansion
P2PInfect has gained notoriety for its focus on Redis, a widely used in-memory data store in cloud environments and web applications. By exploiting misconfigured Redis setups, the botnet leverages the database’s replication feature to integrate compromised nodes into its peer-to-peer mesh network. Once infiltrated, these hosts communicate with other infected peers, steadily expanding the botnet while awaiting further directives.
A key vulnerability exploited by P2PInfect is CVE-2022-0543, a Lua sandbox escape vulnerability with a critical CVSS score of 10.0. This flaw allows attackers to execute code on susceptible Redis instances, amplifying the botnet’s reach and effectiveness.
Infection Chain and Network Penetration
According to Fortinet’s FortiGuard Labs, recent analyses of P2PInfect compromises in Google Kubernetes Engine (GKE) clusters reveal a complex infection process. It starts with an exposed Redis service and culminates in a dormant yet fully integrated bot. This underscores how a single misconfiguration can enable a persistent threat within cloud ecosystems.
The impact of such an infection is profound, as Kubernetes clusters often support essential business operations and store sensitive data. Compromised nodes pose a growing risk, particularly for organizations using GKE or similar platforms without stringent network controls.
Stealthy and Persistent Threats
P2PInfect’s infection begins when a Redis instance within a Kubernetes cluster is reachable without adequate access restrictions. Attackers issue the SLAVEOF command, turning a legitimate Redis node into a replica of an attacker-controlled server. Because a replica loads what its master sends it, this lets the attacker deliver arbitrary modules from their own infrastructure, providing a pathway for code execution within the container.
Between November 2025 and February 2026, FortiGuard Labs observed that compromised Redis hosts established outbound connections to multiple external nodes in a peer-to-peer network. This decentralized design complicates disruption efforts, as there is no single command server to target or disable.
Mitigation Strategies and Future Outlook
The dormant phase of P2PInfect within Kubernetes environments renders it particularly challenging to detect. Traditional security measures often identify noisy activities, but a quietly enrolled bot with minimal outbound communication can evade detection for extended periods.
FortiGuard Labs advises against exposing Redis instances directly to the internet and recommends enforcing strict network policies within Kubernetes clusters to limit internal communication. Regular audits for unauthorized connections and the deployment of runtime security tools to detect abnormal container behaviors are crucial.
Keeping Redis installations fully updated and restricting the replication feature in production environments can significantly reduce the attack surface utilized by P2PInfect. This proactive approach is essential for safeguarding cloud infrastructures against evolving threats.
