Identifies a full Redis exploitation sequence where the attacker performs configuration introspection, modifies persistence parameters (CONFIG SET dir, CONFIG SET dbfilename), optionally disables write protections (stop-writes-on-bgsave-error), flushes existing data, implants a cron-formatted payload (base64 or Python dropper variant), and triggers SAVE to write the malicious cron file to disk. This tightly coupled chain reflects automated exploitation of exposed Redis services to achieve host-level persistence via cron injection. The behavior indicates deliberate filesystem redirection and the establishment of scheduled command execution, commonly observed in botnet propagation and cryptomining campaigns targeting unauthenticated Redis instances.
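The chain above is easiest to detect as an ordered sequence of commands within one session rather than as isolated events. The following detector is an added example written for this page; it is not the feed vendor's rule logic. It walks a list of decoded Redis commands from a single session, marks each stage it recognizes (introspection, dir redirection, dbfilename change, protection bypass, flush, cron-formatted SET, SAVE), and only raises the cron-injection verdict when the persistence directory points at a cron location and a SAVE follows the staged payload. Both sample sessions and the list of cron directories are constructed assumptions; the dropper command in the sample is a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample sessions (not real traffic): one decoded Redis command per
# line, as a honeypot or proxy would log them after RESP decoding.
MALICIOUS_SESSION = [
    "CONFIG GET dir",
    "CONFIG SET dir /var/spool/cron",
    "CONFIG SET dbfilename root",
    "CONFIG SET stop-writes-on-bgsave-error no",
    "FLUSHALL",
    'SET backup1 "\\n\\n*/1 * * * * /tmp/PLACEHOLDER_DROPPER\\n\\n"',
    "SAVE",
]
BENIGN_SESSION = ["CONFIG GET dir", "SET session:42 abc", "SAVE"]

# Five cron schedule fields followed by a command token ("*/1 * * * * cmd",
# "0 3 * * 0 cmd"). Deliberately loose; a SET whose value happens to hold five
# numeric tokens in a row will also match, so treat this stage as one signal
# among several rather than a verdict on its own.
CRON_RE = re.compile(r"(?:(?:\*|\d+)(?:/\d+)?\s+){5}\S+")

# Assumed set of locations where a dumped RDB file would be parsed as a crontab.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")


@dataclass
class Verdict:
    # stage name -> every command index at which that stage was observed
    stages: Dict[str, List[int]] = field(default_factory=dict)
    dump_dir: Optional[str] = None
    dump_file: Optional[str] = None

    def mark(self, stage: str, pos: int) -> None:
        self.stages.setdefault(stage, []).append(pos)

    @property
    def dump_path(self) -> Optional[str]:
        """Where SAVE would write, once both dir and dbfilename are redirected."""
        if self.dump_dir and self.dump_file:
            return self.dump_dir.rstrip("/") + "/" + self.dump_file
        return None

    @property
    def is_cron_injection(self) -> bool:
        # Core chain: dir + dbfilename redirected to a cron location, a
        # cron-formatted value staged, and a SAVE issued after all of them.
        required = ("dir_redirect", "dbfilename_set", "cron_payload", "save")
        if any(s not in self.stages for s in required):
            return False
        last_save = max(self.stages["save"])
        last_staged = max(min(self.stages[s]) for s in required[:-1])
        in_cron_dir = bool(self.dump_dir) and self.dump_dir.startswith(CRON_DIRS)
        return last_save > last_staged and in_cron_dir


def analyze_session(commands: List[str]) -> Verdict:
    """Classify one Redis session's command list against the cron-injection chain."""
    v = Verdict()
    for pos, raw in enumerate(commands):
        cmd = raw.strip()
        up = cmd.upper()
        if up.startswith("CONFIG GET"):
            v.mark("introspection", pos)
        elif up.startswith("CONFIG SET DIR "):
            v.dump_dir = cmd.split(None, 3)[3].strip('"')
            v.mark("dir_redirect", pos)
        elif up.startswith("CONFIG SET DBFILENAME "):
            v.dump_file = cmd.split(None, 3)[3].strip('"')
            v.mark("dbfilename_set", pos)
        elif up.startswith("CONFIG SET STOP-WRITES-ON-BGSAVE-ERROR"):
            v.mark("protection_disabled", pos)
        elif up.startswith(("FLUSHALL", "FLUSHDB")):
            v.mark("flush", pos)
        elif up.startswith("SET ") and CRON_RE.search(cmd):
            v.mark("cron_payload", pos)
        elif up in ("SAVE", "BGSAVE"):
            v.mark("save", pos)
    return v


if __name__ == "__main__":
    for name, session in (("malicious", MALICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        v = analyze_session(session)
        print(f"{name}: cron_injection={v.is_cron_injection} "
              f"stages={sorted(v.stages)} dump_path={v.dump_path}")
```

Because the verdict requires ordering (SAVE after the staged payload) and a cron directory as the dump target, a legitimate operator running CONFIG SET dir followed by SAVE on a data directory does not trip it, while the optional stages (FLUSHALL, stop-writes-on-bgsave-error) are recorded for triage without being mandatory.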
| IP Address | Risk | Events | Sessions | Country | ASN | Last Seen |
|---|---|---|---|---|---|---|
| 113.214.18.234 | 100% | 1,087 | 548 | 🇨🇳 CN | AS24139 | 2026-03-21 |
| 222.79.104.148 | 99% | 158 | 156 | 🇨🇳 CN | AS133774 | 2026-03-21 |