{"id":1239,"date":"2025-05-20T11:25:00","date_gmt":"2025-05-20T08:25:00","guid":{"rendered":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/"},"modified":"2025-05-20T11:25:00","modified_gmt":"2025-05-20T08:25:00","slug":"go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/","title":{"rendered":"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities"},"content":{"rendered":"<p>Cybersecurity researchers have identified a new Linux cryptojacking campaign targeting publicly accessible Redis servers, named <strong>RedisRaider<\/strong> by Datadog Security Labs. This malicious activity involves aggressive scanning of randomized portions of the IPv4 address space, employing legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems.<\/p>\n<p>The primary objective of the RedisRaider campaign is to deploy a Go-based payload that facilitates the operation of an XMRig miner on compromised systems. Researchers Matt Muir and Frederic Baguelin explained how the campaign utilizes a custom scanner to detect publicly accessible Redis servers. Upon identification, the scanner issues an INFO command to verify whether the instances are operating on a Linux host. If confirmed, the algorithm proceeds to exploit the Redis SET command for injecting a cron job.<\/p>\n<p>Subsequently, the malware employs the CONFIG command to modify the Redis working directory to &#8220;\/etc\/cron.d&#8221; and writes a database file named &#8220;apache&#8221; to this location. This file is periodically executed by the cron scheduler and runs a Base64-encoded shell script that downloads the RedisRaider binary from a remote server. The payload not only acts as a dropper for a tailored version of XMRig but also propagates the malware to other Redis instances, significantly enhancing its reach.<\/p>\n<p>In addition to server-side cryptojacking, the RedisRaider infrastructure supports a web-based Monero miner, reflecting a multifaceted revenue generation strategy. Researchers noted that the campaign incorporates sophisticated anti-forensics measures, such as short-key time-to-live (TTL) settings and changes to database configurations, designed to minimize detection and obstruct post-incident analysis.<\/p>\n<p>This disclosure coincides with Guardz revealing a targeted campaign that exploits legacy authentication protocols in Microsoft Entra ID to brute-force accounts. Between March 18 and April 7, 2025, this activity leveraged BAV2ROPC, enabling attackers to bypass defenses like multi-factor authentication (MFA) and Conditional Access. Elli Shlomo, head of security research at Guardz, highlighted that systematic exploitation attempts utilized BAV2ROPC&#8217;s design vulnerabilities which predate contemporary security measures.<\/p>\n<p>The attacks primarily stem from Eastern Europe and the Asia-Pacific regions, zeroing in on admin accounts via legacy authentication endpoints. Although regular users experienced the majority of authentication attempts, admin accounts and shared mailboxes were targeted with precision, indicating a highly automated and concentrated attack methodology crafted to compromise privileged accounts while maintaining an extensive attack surface against standard users.<\/p>\n<p>This incident is not an isolated occurrence; legacy protocols have been previously exploited for nefarious activities. In 2021, Microsoft disclosed a substantial business email compromise (BEC) campaign that utilized both BAV2ROPC and IMAP\/POP3 to circumvent MFA and exfiltrate sensitive email data. <\/p>\n<p>To mitigate risks from such attacks, organizations are advised to block legacy authentication through Conditional Access policies, disable BAV2ROPC, and deactivate SMTP AUTH in Exchange Online if not in use.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have identified a new Linux cryptojacking campaign targeting publicly accessible Redis servers, named RedisRaider by Datadog Security Labs&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":1240,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[332,487,486],"class_list":["post-1239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-linux","tag-miner","tag-redis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities - Trustcrypt<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustcrypt.com\/ar\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"ar_AR\" \/>\n<meta property=\"og:locale:alternate\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities\" \/>\n<meta property=\"og:description\" content=\"Cybersecurity researchers have identified a new Linux cryptojacking campaign targeting publicly accessible Redis servers, named RedisRaider by Datadog Security Labs....\" \/>\n<meta property=\"og:url\" content=\"https:\/\/trustcrypt.com\/ar\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"Trustcrypt\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-20T08:25:00+00:00\" \/>\n<meta name=\"author\" content=\"Trustscrypt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629\" \/>\n\t<meta name=\"twitter:data1\" content=\"Trustscrypt\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631\" \/>\n\t<meta name=\"twitter:data2\" content=\"\u062f\u0642\u064a\u0642\u062a\u0627\u0646\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/\",\"url\":\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/\",\"name\":\"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities\",\"isPartOf\":{\"@id\":\"https:\/\/trustcrypt.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp\",\"datePublished\":\"2025-05-20T08:25:00+00:00\",\"author\":{\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\"},\"inLanguage\":\"ar\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage\",\"url\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp\",\"contentUrl\":\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp\",\"width\":1792,\"height\":1024,\"caption\":\"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/trustcrypt.com\/#website\",\"url\":\"https:\/\/trustcrypt.com\/\",\"name\":\"Trustcrypt\",\"description\":\"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 \u0627\u0644\u062b\u0627\u0646\u064a\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/trustcrypt.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ar\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f\",\"name\":\"Trustscrypt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ar\",\"@id\":\"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g\",\"caption\":\"Trustscrypt\"},\"sameAs\":[\"http:\/\/trustcrypt.com\"],\"url\":\"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities - Trustcrypt","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustcrypt.com\/ar\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/","og_locale":"ar_AR","og_type":"article","og_title":"[:en]Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities[:] - Trustcrypt","og_description":"Cybersecurity researchers have identified a new Linux cryptojacking campaign targeting publicly accessible Redis servers, named RedisRaider by Datadog Security Labs....","og_url":"https:\/\/trustcrypt.com\/ar\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/","og_site_name":"Trustcrypt","article_published_time":"2025-05-20T08:25:00+00:00","author":"Trustscrypt","twitter_card":"summary_large_image","twitter_misc":{"\u0643\u064f\u062a\u0628 \u0628\u0648\u0627\u0633\u0637\u0629":"Trustscrypt","\u0648\u0642\u062a \u0627\u0644\u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u064f\u0642\u062f\u0651\u0631":"\u062f\u0642\u064a\u0642\u062a\u0627\u0646"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/","url":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/","name":"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities","isPartOf":{"@id":"https:\/\/trustcrypt.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage"},"image":{"@id":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage"},"thumbnailUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp","datePublished":"2025-05-20T08:25:00+00:00","author":{"@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f"},"inLanguage":"ar","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/"]}]},{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities\/#primaryimage","url":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp","contentUrl":"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/go-based-malware-executes-xmrig-miner-on-linux-systems-through-exploitation-of-redis-configuration-vulnerabilities.webp","width":1792,"height":1024,"caption":"Go-Based Malware Executes XMRig Miner on Linux Systems Through Exploitation of Redis Configuration Vulnerabilities"},{"@type":"WebSite","@id":"https:\/\/trustcrypt.com\/#website","url":"https:\/\/trustcrypt.com\/","name":"Trustcrypt","description":"\u0627\u0644\u0623\u0645\u0646 \u0647\u0648 \u0627\u0633\u0645\u0646\u0627 \u0627\u0644\u062b\u0627\u0646\u064a","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustcrypt.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ar"},{"@type":"Person","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/469b1cf97b9f7ea4e4d7fa31689dfa9f","name":"Trustscrypt","image":{"@type":"ImageObject","inLanguage":"ar","@id":"https:\/\/trustcrypt.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4c36ff3376565a0f4981e9397667feb08d5e09acacce32a52ea4a3f628e03692?s=96&d=mm&r=g","caption":"Trustscrypt"},"sameAs":["http:\/\/trustcrypt.com"],"url":"https:\/\/trustcrypt.com\/ar\/author\/trustscrypt\/"}]}},"_links":{"self":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/comments?post=1239"}],"version-history":[{"count":0,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/posts\/1239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media\/1240"}],"wp:attachment":[{"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/media?parent=1239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/categories?post=1239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trustcrypt.com\/ar\/wp-json\/wp\/v2\/tags?post=1239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}