Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities
Cybersecurity researchers have identified a new Linux cryptojacking campaign targeting publicly accessible Redis servers, named RedisRaider by Datadog Security Labs. This malicious activity involves aggressive scanning of randomized portions of the IPv4 address space, employing legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems.
The primary objective of the RedisRaider campaign is to deploy a Go-based payload that runs an XMRig miner on compromised systems. Researchers Matt Muir and Frederic Baguelin explained that the campaign uses a custom scanner to find publicly accessible Redis servers. Once one is found, the scanner issues an INFO command to verify that the instance is running on a Linux host. If it is, the malware uses the Redis SET command to store a cron job entry as a key value.
Subsequently, the malware employs the CONFIG command to modify the Redis working directory to “/etc/cron.d” and writes a database file named “apache” to this location. This file is periodically executed by the cron scheduler and runs a Base64-encoded shell script that downloads the RedisRaider binary from a remote server. The payload not only acts as a dropper for a tailored version of XMRig but also propagates the malware to other Redis instances, significantly enhancing its reach.
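The command sequence above (SET a cron-style value, CONFIG SET dir to the cron directory, CONFIG SET dbfilename to a name without an .rdb suffix, then a dump) is visible in `redis-cli MONITOR` output. The following detector is an added example, not code from Datadog or the RedisRaider report; it parses the MONITOR line format (`timestamp [db client] "cmd" "args"...`) over a constructed sample and flags clients that combine a dangerous working-directory change with a stored cron payload. The sample addresses, timestamps and payload are made up.

```python
import re
from collections import Counter
# Constructed sample of `redis-cli MONITOR` output that mirrors the command
# sequence described above; addresses, timestamps and the payload are made up.
SAMPLE_MONITOR = r'''
1747000001.100000 [0 203.0.113.7:51234] "INFO"
1747000001.200000 [0 203.0.113.7:51234] "SET" "backup1" "\n*/1 * * * * root echo PLACEHOLDER_B64 | base64 -d | sh\n"
1747000001.300000 [0 203.0.113.7:51234] "CONFIG" "SET" "dir" "/etc/cron.d"
1747000001.400000 [0 203.0.113.7:51234] "CONFIG" "SET" "dbfilename" "apache"
1747000001.500000 [0 203.0.113.7:51234] "SAVE"
1747000002.000000 [0 10.0.0.12:40000] "GET" "session:42"
1747000002.100000 [0 10.0.0.12:40000] "CONFIG" "SET" "dir" "/var/lib/redis"
'''
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')   # ts [db client] args
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                 # quoted, backslash-escaped
# Five schedule fields followed by a user name, as in /etc/cron.d entries.
CRON_RE = re.compile(r'(?:[\d*/,\-]+\s+){5}\w+')
# Directories where a dumped RDB file gets picked up by cron instead of Redis.
SENSITIVE_DIRS = ('/etc/cron', '/var/spool/cron')

def parse_monitor(text):
    """Yield (client, args) per MONITOR line, with Redis escapes decoded."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = [a.encode().decode('unicode_escape') for a in ARG_RE.findall(m.group(4))]
        if args:
            yield m.group(3), args

def analyze(text):
    """Return (client, reason) findings for RedisRaider-style persistence attempts."""
    findings = []
    for client, args in parse_monitor(text):
        cmd = args[0].upper()
        if cmd == 'CONFIG' and len(args) >= 4 and args[1].upper() == 'SET':
            key, value = args[2].lower(), args[3]
            if key == 'dir' and value.startswith(SENSITIVE_DIRS):
                findings.append((client, f'working directory moved to {value}'))
            elif key == 'dbfilename' and not value.endswith('.rdb'):
                findings.append((client, f'dump filename without .rdb suffix: {value}'))
        elif cmd == 'SET' and len(args) >= 3 and CRON_RE.search(args[2]):
            findings.append((client, f'cron-style schedule stored in key {args[1]!r}'))
    return findings

def flagged_clients(text, threshold=2):
    """Clients with at least `threshold` findings: a config change plus a payload."""
    counts = Counter(client for client, _ in analyze(text))
    return {client for client, n in counts.items() if n >= threshold}
```

The benign client that moves `dir` to `/var/lib/redis` produces no finding, so only the client chaining the payload with the cron directory is flagged.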
In addition to server-side cryptojacking, the RedisRaider infrastructure supports a web-based Monero miner, reflecting a multifaceted revenue generation strategy. Researchers noted that the campaign incorporates sophisticated anti-forensics measures, such as short-key time-to-live (TTL) settings and changes to database configurations, designed to minimize detection and obstruct post-incident analysis.
This disclosure coincides with Guardz revealing a targeted campaign that exploits legacy authentication protocols in Microsoft Entra ID to brute-force accounts. Between March 18 and April 7, 2025, this activity leveraged BAV2ROPC, enabling attackers to bypass defenses like multi-factor authentication (MFA) and Conditional Access. Elli Shlomo, head of security research at Guardz, highlighted that the systematic exploitation attempts took advantage of design weaknesses in BAV2ROPC that predate contemporary security measures.
The attacks primarily stem from Eastern Europe and the Asia-Pacific regions, zeroing in on admin accounts via legacy authentication endpoints. Although regular users experienced the majority of authentication attempts, admin accounts and shared mailboxes were targeted with precision, indicating a highly automated and concentrated attack methodology crafted to compromise privileged accounts while maintaining an extensive attack surface against standard users.
This incident is not an isolated occurrence; legacy protocols have been previously exploited for nefarious activities. In 2021, Microsoft disclosed a substantial business email compromise (BEC) campaign that utilized both BAV2ROPC and IMAP/POP3 to circumvent MFA and exfiltrate sensitive email data.
To mitigate risks from such attacks, organizations are advised to block legacy authentication through Conditional Access policies, disable BAV2ROPC, and deactivate SMTP AUTH in Exchange Online if not in use.