Cybersecurity researchers have drawn attention to a new Linux cryptojacking campaign that targets publicly accessible Redis servers.
The malicious activity has been codenamed RedisRaider by Datadog Security Labs.
“RedisRaider aggressively scans randomized parts of the IPv4 space and uses legitimate Redis configuration commands to perform malicious jobs,” the researchers said.
The ultimate goal of the campaign is to drop a Go-based primary payload that is responsible for unleashing the XMRig miner on compromised systems.
The activity entails using a scanner to identify publicly accessible Redis servers and then issuing an INFO command to determine whether the instances are running on Linux. If so, the scanning routine proceeds to abuse the SET command to inject a cron job.
The malware then uses the CONFIG command to change the Redis working directory to “/etc/cron.d” and to write a database file named “apache” into it, so that the cron scheduler periodically picks the file up and runs a Base64-encoded shell script, which in turn downloads the RedisRaider binary from a remote server.
The payload is essentially a dropper for a custom build of XMRig; it also propagates the malware to other Redis instances, effectively expanding its reach and scale.
“In addition to server-side cryptojacking, RedisRaider’s infrastructure also hosted a web-based Monero miner, enabling a multi-pronged revenue strategy,” the researchers said.
“The campaign incorporates subtle anti-forensics measures, such as short key time-to-live (TTL) settings and database configuration changes, to minimize detection and hinder post-incident analysis.”
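The chain described above (CONFIG SET dir into /etc/cron.d, CONFIG SET dbfilename, a SET with a short TTL, then SAVE) is visible in Redis MONITOR output. The following detection script is an added example, not code from the article or from Datadog Security Labs. It parses constructed MONITOR-style lines and raises an alert when a client repoints the working directory at a sensitive path and then dumps the database; the sensitive-directory list, the 300-second short-TTL threshold and the sample lines are assumptions made for the example.

```python
"""Flag the CONFIG-abuse persistence pattern in Redis MONITOR output (constructed example)."""
import re
from collections import defaultdict

# MONITOR line shape: <epoch> [<db> <ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+(?:\.\d+)?) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumption: paths where an RDB dump becomes code or credentials rather than data.
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron", "/root/.ssh", "/home/", "/var/www")
SHORT_TTL_SECONDS = 300  # assumption: keys expiring this fast rarely belong to a real workload

# Constructed sample: one hostile client (203.0.113.5) and one ordinary application client (10.0.0.7).
SAMPLE_MONITOR_LINES = """\
1747050000.000100 [0 203.0.113.5:51234] "INFO" "server"
1747050000.000200 [0 203.0.113.5:51234] "CONFIG" "SET" "dir" "/etc/cron.d"
1747050000.000300 [0 203.0.113.5:51234] "CONFIG" "SET" "dbfilename" "apache"
1747050000.000400 [0 203.0.113.5:51234] "SET" "backup1" "<constructed placeholder, not a real payload>" "EX" "30"
1747050000.000500 [0 203.0.113.5:51234] "SAVE"
1747050001.000000 [0 10.0.0.7:40000] "SET" "session:42" "ok" "EX" "3600"
1747050002.000000 [0 10.0.0.7:40000] "GET" "session:42"
"""


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for a MONITOR line, or None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": ARG_RE.findall(m.group("args"))}


def ttl_seconds(args):
    """Extract the EX/PX expiry from a SET command's arguments (seconds), or None."""
    for i, a in enumerate(args):
        if a.upper() in ("EX", "PX") and i + 1 < len(args) and args[i + 1].isdigit():
            n = int(args[i + 1])
            return n if a.upper() == "EX" else n / 1000
    return None


def analyze(lines):
    """Track CONFIG SET dir/dbfilename per source IP and alert on a following SAVE/BGSAVE."""
    state = defaultdict(lambda: {"dir": None, "dbfilename": None, "short_ttl_keys": 0})
    alerts = []
    for line in lines:
        rec = parse_monitor_line(line)
        if rec is None or not rec["args"]:
            continue
        ip = rec["client"].rsplit(":", 1)[0]  # group by IP: the scanner reconnects freely
        args = rec["args"]
        cmd = args[0].upper()
        st = state[ip]
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() == "dir":
                st["dir"] = args[3]
            elif args[2].lower() == "dbfilename":
                st["dbfilename"] = args[3]
        elif cmd == "SET":
            ttl = ttl_seconds(args)
            if ttl is not None and ttl <= SHORT_TTL_SECONDS:
                st["short_ttl_keys"] += 1
        elif cmd in ("SAVE", "BGSAVE"):
            if st["dir"] and st["dir"].startswith(SENSITIVE_DIRS):
                alerts.append({"ip": ip, "ts": rec["ts"], "dir": st["dir"],
                               "dbfilename": st["dbfilename"],
                               "short_ttl_keys": st["short_ttl_keys"],
                               "reason": "RDB dump written into a sensitive directory"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_MONITOR_LINES.splitlines()):
        print(alert)
```

Keying the state by source IP rather than by connection matters because a scanner can issue CONFIG SET on one connection and SAVE on another; the alert fires only on the dump, which is the moment a file actually lands in /etc/cron.d. On a hardened server the same pattern is prevented outright by `rename-command CONFIG ""` and by keeping protected mode and authentication enabled.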
The disclosure comes as Guardz revealed details of a targeted campaign that exploits legacy authentication protocols in Microsoft Entra ID to take over accounts. The activity, observed between March 18 and April 7, 2025, was found to use BAV2ROPC (short for “Basic Authentication Version 2 – Resource Owner Password Credential”) to bypass defenses such as multi-factor authentication (MFA) and Conditional Access.
“Tracking and investigation showed a systematic exploitation attempt that used the inherent design limitations of BAV2ROPC, which predates modern security architecture,” said Eli Shlomo, Head of Security Research at Guardz. “The threat actors behind this campaign showed a deep understanding of identity systems.”
The attacks are said to have originated mainly from Eastern Europe and the Asia-Pacific region, primarily targeting administrator credentials through legacy authentication endpoints.
“While regular users received the bulk of authentication attempts (50,214), administrator accounts and shared mailboxes were targeted with a specific pattern: administrator accounts received 9,847 attempts from 432 IPs over 8 hours, an average of 22.79 attempts per IP and a rate of 1,230.87 attempts per hour.
“This indicates a highly automated and concentrated attack campaign, specifically designed to compromise privileged accounts while maintaining a broader attack surface on ordinary users.”
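The metrics quoted above (attempts, distinct IPs, attempts per IP, attempts per hour, split by privileged versus ordinary accounts) are straightforward to compute from sign-in logs, and the split is what exposes a campaign that concentrates on administrators. The script below is an added example, not code from the article or from Guardz. Its records are a constructed, simplified subset of Entra ID sign-in log fields (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, plus a protocol label); the privileged-account set, the legacy client-app list and the sample records are assumptions made for the example.

```python
"""Summarize legacy-authentication attempts against privileged vs ordinary accounts (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Assumption: in practice the privileged set comes from directory role membership.
ADMIN_UPNS = {"admin@example.com", "breakglass@example.com"}

# Assumption: clientAppUsed values that imply basic/legacy authentication; tune against your tenant.
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

# Constructed sign-in records: (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, protocol)
SAMPLE_SIGNINS = [
    ("2025-04-01T02:00:00Z", "admin@example.com", "198.51.100.10", "Other clients", "BAV2ROPC"),
    ("2025-04-01T02:05:00Z", "admin@example.com", "198.51.100.11", "Other clients", "BAV2ROPC"),
    ("2025-04-01T02:40:00Z", "breakglass@example.com", "198.51.100.10", "Authenticated SMTP", "BAV2ROPC"),
    ("2025-04-01T03:10:00Z", "admin@example.com", "198.51.100.12", "Other clients", "BAV2ROPC"),
    ("2025-04-01T03:55:00Z", "breakglass@example.com", "198.51.100.11", "Other clients", "BAV2ROPC"),
    ("2025-04-01T04:00:00Z", "admin@example.com", "198.51.100.12", "Other clients", "BAV2ROPC"),
    ("2025-04-01T02:30:00Z", "alice@example.com", "203.0.113.20", "Browser", "OAuth2"),
    ("2025-04-01T03:00:00Z", "bob@example.com", "198.51.100.10", "IMAP4", "BAV2ROPC"),
    ("2025-04-01T09:00:00Z", "alice@example.com", "203.0.113.21", "Mobile Apps and Desktop clients", "OAuth2"),
]


def is_legacy(event):
    """A sign-in counts as legacy auth if the client app or the protocol label says so."""
    _, _, _, client_app, protocol = event
    return client_app in LEGACY_CLIENT_APPS or protocol.upper() == "BAV2ROPC"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize(events):
    """Return per-group metrics for legacy-auth attempts, keyed 'admin' and 'user'."""
    groups = defaultdict(lambda: {"total_attempts": 0, "legacy_attempts": 0,
                                  "ips": set(), "first": None, "last": None})
    for ev in events:
        ts, upn, ip, _, _ = ev
        g = groups["admin" if upn in ADMIN_UPNS else "user"]
        g["total_attempts"] += 1
        if not is_legacy(ev):
            continue
        g["legacy_attempts"] += 1
        g["ips"].add(ip)
        t = parse_ts(ts)
        g["first"] = t if g["first"] is None or t < g["first"] else g["first"]
        g["last"] = t if g["last"] is None or t > g["last"] else g["last"]
    out = {}
    for name, g in groups.items():
        n = g["legacy_attempts"]
        # A burst shorter than an hour is rated over one hour so the rate is not inflated.
        hours = max(1.0, (g["last"] - g["first"]).total_seconds() / 3600) if n else 0.0
        out[name] = {
            "total_attempts": g["total_attempts"],
            "legacy_attempts": n,
            "distinct_ips": len(g["ips"]),
            "attempts_per_ip": round(n / len(g["ips"]), 2) if g["ips"] else 0.0,
            "attempts_per_hour": round(n / hours, 2) if n else 0.0,
        }
    return out


def concentrated_on_admins(summary):
    """True when privileged accounts draw more legacy attempts per IP than ordinary users."""
    admin = summary.get("admin", {}).get("attempts_per_ip", 0.0)
    user = summary.get("user", {}).get("attempts_per_ip", 0.0)
    return admin > user


if __name__ == "__main__":
    s = summarize(SAMPLE_SIGNINS)
    print(s, "concentrated on admins:", concentrated_on_admins(s))
```

Run against real exports, the same summary feeds the mitigation decision: any non-zero legacy attempt count against accounts that should only sign in interactively is a reason to block legacy authentication with a Conditional Access policy rather than to keep tuning alerts.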
This is not the first time legacy protocols have been abused for malicious purposes. In 2021, Microsoft reported a large-scale business email compromise (BEC) campaign that used BAV2ROPC and IMAP/POP3 to bypass MFA and exfiltrate email data.
To mitigate the risks posed by such attacks, it is recommended to block legacy authentication through Conditional Access policies, disable BAV2ROPC, and turn off SMTP AUTH in Exchange Online if it is not in use.