Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

May 21, 2026, 4:50 p.m.

Description

An investigation identified persistent P2Pinfect botnet presence within Google Kubernetes Engine clusters at multiple organizations, with one compromise lasting six months. In each case, initial access came through exposed Redis instances. The botnet uses a peer-to-peer architecture for resilience against takedowns and operates as a botnet-for-hire platform. While no second-stage payloads were executed in the observed cases, the malware has been linked to ransomware and cryptocurrency-mining deployment. A new deployment script was discovered, and evidence suggests P2Pinfect has expanded its exploitation techniques to include CVE-2025-11953 (Metro4Shell), targeting React vulnerabilities. Incorporation of CVE-2025-49844 (RediShell) is possible but speculative. The campaign demonstrates how a single misconfiguration can enable long-term compromise in cloud environments.

Date

  • Created: May 20, 2026, 10:36 p.m.
  • Published: May 20, 2026, 10:36 p.m.
  • Modified: May 21, 2026, 4:50 p.m.

Indicators

  • a505de0af54408dcde2f869608398a409908543a43fad15397a342b2200f8a52
  • 2fcaf9a4f6d549a86f4fdf6a6b01e044c29fce093a777b114d73dea8adf25538
  • d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6
  • 20e7ca6945964ef5072639854f5a2f58a574196de7532872c79d66e313f9e075
  • 976e3772ffea7499f7c119e956a5a71806f8f054caf174978fa888b254dd22a0
  • 8c95bb248000d706a65835b919ec9f6b7e10226d6925c0a8475a2c2cf4eb8efb
  • e0d37a0c6562cde36ab3c10b56041327e25b66754ad0be12993b9675b63ece67
  • a8d79f40ddb79de569d778f1c0b832f9cc266b32274b702cff4ba2b8a0dd1549
  • b1097ea4fcd2a51d5db7ad33922e76eeee374432cd65e452563cc1e1262752e0
  • 45aeada2dc3b0905ee1ab952869094828a51a2d3ed02d6e1c8c7d574d6bf439b
  • 11370d218430a0bdb2b584eb4181c21bd2abe9958ba639c017caf04ec019d117
  • 329f0a2c0727b122b84d1719a68066cbd1fabf2854b2a785869021aa2bfdd5cf
  • 1ab5deb020fdfd22cdbb5264ce0817e1b92b09d660dd5a92baab8835c81c5c84
  • 28f641a9ea52542ed8cedcd070e825944b4650477d1a79cb0ab2acea97733e9b
  • cf7a5bc77b17f078518f5481413c7aa298746d3be49a840bdbcb6d40d1fe758d
  • dfdcec031b06ff21277b48596d6dda701836ceab922ba641972de546dc6af574
  • d1886b189474b02467ed2845df0938cec9785e99c3d4b04e0b7de3cafbee4182
  • c5e5e41f88f91e4e2ad524fae156bb74efe86e97ce84701b3e7f3a252fdb82ab
  • 77d764ced0a7bcac8814aaa2a08a1d11762f3c702eb06b77b6388d3f279951a8
  • 815d907cb772757383fee0fb7466fb9cc70ffe5400a14b1549ecaf6b1d649842
  • 03acb11799183f3b25b2ffe7227e0e010016eae81b23a663f32b5b0929d0598d
  • 53fb9390d471f30b79297095159247d23c0af868fd02c43afcd797bc83816678
  • bae21a944b639ed2c7b70964288131274916a1d52ac906725b39a3e15d243cf0
  • e320c0498781c75429b00b274e3b71b5197a6901e79ddd5f00d5bdff68636a4a
  • b67cd5f540094b7a2dea1ba92f3ac7a3c0ecfe67975ed947a1203cefe41f3a42

Linked vulnerabilities