End-to-end exploitation behavior targeting an exposed Docker Remote API. The actor validates service availability, fingerprints the Docker daemon, creates an attacker-controlled container, attaches to its execution stream, monitors container lifecycle events, and initiates execution. This sequence indicates full remote control over container creation and execution on the host and is commonly used to deploy payloads, establish persistence, or perform host-level abuse via privileged containers or mounted filesystems.

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.