Affected Platforms: Linux, Windows, containers, Kubernetes
Threat Type: Worm, botnet
Impact: Data Encrypted for Impact, Compute Hijacking
Severity Level: Moderate (early botnet exposure, long periods of dormancy)
FortiGuard Labs recently identified persistent P2Pinfect presences within Google Kubernetes Engine (GKE) clusters at several client companies, with one compromise spanning six months. The compromises originated from exposed Redis instances, which allowed the botnet to gain an initial foothold. The botnet's beaconing was repeatedly flagged in FortiCNAPP's Composite Alerts, underscoring how a single misconfiguration can enable long-term compromise in cloud environments. The IOCs observed across our customers also had significant overlap.
While our telemetry indicated that no second-stage payload was ever executed, this botnet has been observed in the wild to remain dormant for extended periods before delivering ransomware and crypto miners. Some variants of the P2Pinfect clients also have usermode rootkit capabilities.
We identified a new deployment script (deployer.sh, MD5 80676a539765a9e117f20b6b99887eca) used to install new P2Pinfect clients. We also observed that some infected Redis nodes contacted P2Pinfect peers that had themselves been deployed by exploiting CVE-2025-11953 (aka Metro4Shell, a vulnerability in the React Native Metro development server) in November 2025. This indicates an expansion of P2Pinfect's exploitation targets beyond Redis to React Native. We also speculate, with low confidence, that the P2Pinfect botnet may have added CVE-2025-49844 (aka RediShell) to its repertoire: RediShell is a Redis Lua sandbox escape like CVE-2022-0543, a confirmed P2Pinfect vector, and the infected hosts were vulnerable to it.
Four of the exposed Redis nodes were also observed to host cryptominers, which were attributed to a separate, parallel React2Shell exploitation campaign active in December 2025.
P2Pinfect is a self-propagating malware strain that combines worm-like spreading with a decentralized botnet architecture. Its peer-to-peer (P2P) design makes it highly resilient to sinkholing and infrastructure takedowns. Sinkholing is a technique in which botnet traffic is redirected to a controlled environment, the sinkhole, to isolate, disrupt, and neutralize the botnet; it is usually done by configuring DNS to return a sinkhole IP instead of the attackers' C2 address, which is why a botnet with no fixed C2 is hard to sinkhole. The botnet is written in Rust and was first discovered in mid-2023.
P2Pinfect primarily spreads by exploiting Redis vulnerabilities and also includes a basic SSH password sprayer. There is some evidence that P2Pinfect operates as a “botnet for hire” platform. The operators focus on scale: maximizing enrollment and maintaining persistent access across as many hosts as possible. Customers purchase access and then deploy their own second-stage payloads. This model is reflected in our telemetry, which shows continuous botnet peer communication without any second-stage payload execution. Extended periods of dormancy are a documented behavior of the P2Pinfect botnet, observed in prior reporting and consistent with operating a large-scale botnet for multiple independent customers.
P2Pinfect Cluster Analysis
We identified and mapped the botnet peer nodes that were contacted by the compromised hosts by correlating anomalous outbound network connections from infected servers across relevant FortiCNAPP Composite Alerts over the campaign period.
Analysis of the cluster revealed a consistent operational pattern across the botnet infrastructure. Multiple P2Pinfect variants were identified that are downloaded from and communicate with peer nodes. A deployment shell script was also identified that communicates with multiple peers. Several peer nodes were independently flagged for SSH and exploit attacks.
P2Pinfect peers communicate over non-standard ports. Payload delivery uses a uniform URI structure across peers (/Linux, /Windows, /IP), which is consistently used to distribute binaries. All P2Pinfect samples recovered from this cluster are written in Rust and are generally UPX-packed.
Figure 2: P2Pinfect cluster
Script name: deployer.sh
MD5: 80676a539765a9e117f20b6b99887eca
This shell-based dropper retrieves a P2Pinfect client binary from http://8[.]210[.]50[.]65:60126/linux and writes it to /top/RarF51vUe0 (MD5: 5d1ca537c4bedebf2f4d276d4199ea95). It then executes the binary with a large base64-encoded argument blob. This matches previously documented P2Pinfect behavior.
The client binary is a UPX-packed Rust executable targeting Linux x86_64. The base64 argument blob passed to the binary at execution is processed through a ChaCha20 stream cipher before use. However, the encryption key and nonce are both composed entirely of zero bytes, so the keystream is a fixed, public constant: the encryption provides no confidentiality and serves only as an obfuscation layer. Decrypting the byte payload reveals a structured nodelist consisting of a 2-byte header followed by IP:Port records. The records are public IP addresses that make up the P2P bootstrap peer list the malware uses to join the botnet mesh on first execution.
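The behaviors described above and in the cluster analysis (outbound connections from Redis hosts to peers on non-standard ports, payload fetches at /Linux, /Windows or /IP, a dropped binary executed with a large base64 argv blob, and sustained beaconing to many peers) can be turned into simple host-telemetry detection logic. The following is an added example, not FortiCNAPP's detection logic or any code from the report; the event format, the "standard" port list, the blob-length threshold and the peer-count threshold are this example's assumptions, and the log lines are constructed with documentation-range addresses.

```python
import base64
import binascii
import ipaddress
import json
import re
from collections import defaultdict

# Indicators taken from the report: peers serve payloads at /Linux, /Windows, /IP on
# non-standard ports; the dropper runs the client with a large base64 argv blob; infected
# Redis hosts keep beaconing to many public peers. Thresholds and port list are assumptions.
PAYLOAD_PATHS = {"/linux", "/windows", "/ip"}
STANDARD_PORTS = {22, 53, 80, 443, 6379}
MIN_BLOB_LEN = 64
MIN_PEERS_FOR_MESH = 3
B64_RE = re.compile(r"^[A-Za-z0-9+/]{%d,}={0,2}$" % MIN_BLOB_LEN)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    # RFC 1918, loopback and link-local count as internal; everything else (including the
    # documentation ranges used in the constructed sample) counts as an external peer.
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918))


def looks_like_base64_blob(arg: str) -> bool:
    # Long, strictly valid base64 argument, as the dropper passes to the client binary.
    if not B64_RE.match(arg):
        return False
    try:
        base64.b64decode(arg, validate=True)
        return True
    except binascii.Error:
        return False


def load_events(jsonl: str) -> list:
    # One JSON object per line, the shape a workload sensor might export (constructed format).
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def analyze(events: list):
    """Return (findings, peers_by_host); a finding is (host, rule, evidence)."""
    findings = []
    peers = defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "net_connect":
            dst, port = ev["dst_ip"], ev["dst_port"]
            if is_external(dst) and port not in STANDARD_PORTS:
                peers[host].add((dst, port))
                if ev["process"].startswith("redis"):
                    findings.append((host, "redis_outbound_nonstandard_port", f"{ev['process']} -> {dst}:{port}"))
        elif kind == "http_request":
            if ev["path"].lower() in PAYLOAD_PATHS and ev["dst_port"] not in STANDARD_PORTS:
                findings.append((host, "p2pinfect_payload_uri", f"GET {ev['path']} {ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "process_exec":
            if any(looks_like_base64_blob(a) for a in ev["argv"][1:]):
                findings.append((host, "exec_with_base64_blob", ev["argv"][0]))
    for host, seen in peers.items():
        if len(seen) >= MIN_PEERS_FOR_MESH:
            findings.append((host, "multi_peer_beaconing", f"{len(seen)} external peers on non-standard ports"))
    return findings, peers


# Constructed sample log: one infected Redis host, one host replicating to an internal
# replica over 6379 (benign), and a web host fetching an unrelated /linux path over 443.
SAMPLE_BLOB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_LOG = """
{"host": "redis-0", "type": "net_connect", "process": "redis-server", "dst_ip": "192.0.2.10", "dst_port": 60126}
{"host": "redis-0", "type": "http_request", "process": "sh", "dst_ip": "192.0.2.10", "dst_port": 60126, "path": "/linux"}
{"host": "redis-0", "type": "process_exec", "argv": ["/top/RarF51vUe0", "<blob>"]}
{"host": "redis-0", "type": "net_connect", "process": "RarF51vUe0", "dst_ip": "198.51.100.7", "dst_port": 41000}
{"host": "redis-0", "type": "net_connect", "process": "RarF51vUe0", "dst_ip": "203.0.113.9", "dst_port": 52000}
{"host": "redis-1", "type": "net_connect", "process": "redis-server", "dst_ip": "10.0.0.5", "dst_port": 6379}
{"host": "web-0", "type": "http_request", "process": "curl", "dst_ip": "192.0.2.50", "dst_port": 443, "path": "/linux"}
""".replace("<blob>", SAMPLE_BLOB)

if __name__ == "__main__":
    for host, rule, evidence in analyze(load_events(SAMPLE_LOG))[0]:
        print(f"{host}\t{rule}\t{evidence}")
```

Only the infected host trips the rules; the internal replication connection and the ordinary HTTPS fetch of a /linux path do not, which is the point of combining the port, destination and path conditions rather than alerting on any one of them.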
We also decoded another argument blob used by one of the P2Pinfect peers that the infected Redis servers contacted, and we observed a similar encryption methodology and nodelist records.
Figure 4: P2Pinfect bootstrap nodelist
From November 2025 through February 2026, the compromised Redis hosts were observed making outbound P2P mesh connections to numerous peers as part of normal P2Pinfect botnet activity. Six of these peers (8[.]218[.]225[.]42, 8[.]210[.]178[.]40, 47[.]86[.]5[.]176, 178[.]62[.]63[.]125, 47[.]237[.]140[.]12, 47[.]83[.]124[.]121) were identified as sharing an identical P2Pinfect Linux client (MD5: a1a35afebb585917675534de3d610c93). Another peer, 47[.]86[.]33[.]195, had a Windows P2Pinfect client (MD5: 08ad2c2877edda9a050b81d011c1c003). These clients were further linked to active exploitation of CVE-2025-11953, a critical unauthenticated remote code execution vulnerability in the React Native Metro development server, publicly designated “Metro4Shell”.
VulnCheck reported active exploitation of this vulnerability on their honeypot between December 2025 and January 2026. We determined that the payloads delivered through this exploitation were UPX-packed P2Pinfect client binaries for Windows and Linux. These clients overlap with the binaries (a1a35afebb585917675534de3d610c93, 08ad2c2877edda9a050b81d011c1c003) we discovered in our datasets. Additionally, the peer 47[.]86[.]33[.]195 that our infected Redis server communicated with is identical to the payload-hosting infrastructure reported in the VulnCheck report.
The overlap of these peers and binaries in our telemetry suggests that the P2Pinfect operators had begun using Metro4Shell as an initial access vector to recruit new botnet nodes as of November 16, 2025, the same month the vulnerability was reported and a week after public PoCs became available.
Figure 5: RediShell patch adoption and incident timeline
RediShell (CVE-2025-49844) is a critical RCE that allows an authenticated user to bypass the Lua sandbox by sending a maliciously crafted script that manipulates the garbage collector, thereby gaining native code execution.
Our telemetry indicates that the hosts infected with P2Pinfect remained vulnerable to RediShell until at least 29 November 2025. The other confirmed Redis exploit that P2Pinfect uses is CVE-2022-0543, another Redis Lua sandbox escape RCE.
Separately, P2Pinfect has also been observed in the wild abusing the SLAVEOF command to turn discovered open nodes into replicas of the attacker's server, thereby gaining code execution. This could well be how our exposed Redis servers were compromised.
Thus, RediShell is assessed with low confidence as a plausible initial access vector for P2Pinfect, based on two key observations:
P2Pinfect is a resilient botnet that uses a peer-to-peer mesh of compromised computers to eliminate single points of failure, making it significantly harder to sinkhole and take down. The malware is written in Rust and targets multiple platforms, including Linux, Windows, and routers. The operators of P2Pinfect remain focused on maximizing enrollment and have expanded their initial access vectors to include Metro4Shell and, speculatively, RediShell.
The timeline of their weaponization of recently disclosed vulnerabilities suggests active development and opportunistic exploitation. The malware remains dormant for extended periods and has been observed hosting and deploying crypto miners and ransomware in the wild. This campaign also highlights how a single misconfiguration can enable long-term compromise in cloud environments.
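The misconfiguration this report keeps returning to is a Redis instance reachable from the internet without authentication and with replication commands such as SLAVEOF still enabled. The following is an added example of a redis.conf audit, written for this article and not Fortinet tooling: the directives it reads (bind, protected-mode, requirepass, user, aclfile, rename-command) are real redis.conf directives, but which commands it insists on disabling and what it counts as "exposed" are this example's own policy, and both configuration samples are constructed. No configuration setting removes a Lua sandbox bug such as RediShell or CVE-2022-0543; patching is the fix, and an ACL that removes @scripting from users who do not need EVAL is only a stopgap.

```python
# Commands this example expects to be unreachable on an internet-facing node. SLAVEOF/REPLICAOF
# are the abuse the report describes; CONFIG and DEBUG are included as example policy.
COMMANDS_TO_DISABLE = ("slaveof", "replicaof", "config", "debug")


def parse_redis_conf(text: str) -> dict:
    # Minimal redis.conf reader: "directive value..." per line, lines starting with "#" are
    # comments. Repeated directives are kept in order so several "bind" addresses and many
    # "rename-command" / "user" lines all survive.
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_redis_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    issues = []
    binds = [b for v in conf.get("bind", []) for b in v.split()]
    # Unset bind means every interface; "-addr" is Redis 7 syntax for an optional address.
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        issues.append("bind: accepts connections on every interface (the default when unset); bind to loopback or an internal address")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        issues.append("protected-mode no: remote clients are not refused even without bind/requirepass")
    if not (conf.get("requirepass") or conf.get("user") or conf.get("aclfile")):
        issues.append("no requirepass, user or aclfile: any client that reaches the port has full command access")
    disabled = set()
    for v in conf.get("rename-command", []):
        parts = v.split()
        if len(parts) == 2 and parts[1] in ('""', "''"):   # rename-command CMD "" disables CMD
            disabled.add(parts[0].lower())
    # Heuristic: a "user" line that drops @dangerous or @all also removes these commands.
    acl_text = " ".join(conf.get("user", [])).lower()
    acl_restricts = "-@dangerous" in acl_text or "-@all" in acl_text
    for cmd in COMMANDS_TO_DISABLE:
        if cmd not in disabled and not acl_restricts:
            issues.append(f"{cmd}: still callable; disable it with rename-command or an ACL that removes @dangerous")
    return issues


# Constructed example of the exposure the report describes: reachable from anywhere, no
# authentication, replication and admin commands intact.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
daemonize yes
"""

# Constructed hardened counterpart (example policy, not a vendor recommendation).
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.12
port 6379
protected-mode yes
requirepass change-me-to-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_redis_conf(conf))} finding(s)")
        for issue in audit_redis_conf(conf):
            print("  -", issue)
```

The audit is deliberately conservative: a node bound to loopback with no password still gets a finding, because anything else on the host (or a sidecar in the same pod) can then issue SLAVEOF or CONFIG, and on Redis 6 or later an ACL user definition is the preferred way to satisfy both the authentication and the command-restriction checks.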
FortiCNAPP helps identify misconfigured cloud environments and runtime threats. It detects compromised Redis nodes making suspicious or anomalous outbound connections. FortiCNAPP also correlates risk across posture, identity, and behavior to help prioritize critical vulnerabilities before they are exploited.
Figure 6: FortiCNAPP Composite Alert
Figure 7: FortiCNAPP polygraph for the Composite Alert
Additional endpoint and network-layer protections are available through Fortinet products including FortiGate, FortiClient, and FortiEDR, all of which utilize the FortiGuard AntiVirus engine for malware detection and prevention. Customers with these products and up-to-date protections are safeguarded against the threats described in this report through the following antivirus signatures:
RiskWatch, a new capability within the FortiCNAPP Agent, continuously monitors running cloud workloads to pinpoint exactly which vulnerabilities attackers can exploit. It detects when your systems execute known-vulnerable code and provides precise evidence of exposure, along with clear remediation steps.
The FortiGuard IP Reputation and Anti-Botnet Security Service, available on FortiGate and FortiWeb, blocks known malicious source IPs associated with mining operations, C2 activity, and dropper infrastructure. It aggregates data from Fortinet's global threat intelligence network, including FortiSandbox, honeypots, CERTs, and trusted partners.
Organizations are also encouraged to take advantage of Fortinet’s free NSE training module, FCF – Fortinet Certified Fundamentals, which helps users recognize and defend against phishing and other social engineering attacks.
If you believe this or any other cybersecurity threat has affected your organization, please contact the FortiGuard Incident Response Team for immediate assistance.