Redis Full Cron Persistence Exploitation Chain

Identifies a complete Redis exploitation workflow where an attacker performs configuration introspection, modifies snapshot directory and filename parameters (CONFIG SET dir, CONFIG SET dbfilename), targets system cron directories (e.g., /etc/cron.d, /etc, crontabs), implants scheduled execution payloads (HTTP pipe-to-shell, wget, root cron variants, or obfuscated droppers), and triggers SAVE to write the malicious cron file to disk. This tightly coupled sequence reflects automated host-level persistence establishment via cron injection through misconfigured or unauthenticated Redis services. The behavior captures filesystem redirection, scheduled execution staging, and persistence activation in a single deterministic chain, strongly associated with botnet propagation and cryptomining campaigns.

Observed IPs

Avg Confidence

94%

Severity

critical

Top IPs by event countREDIS

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
182.40.103.253	100%	1,118	165	🇨🇳 CN	AS136195	2026-03-05
14.103.220.97	100%	693	133	🇨🇳 CN	AS4811	2026-03-05
94.74.84.246	98%	634	83	🇸🇬 SG	AS136907	2026-02-14
14.103.198.15	100%	598	83	🇨🇳 CN	AS4811	2026-03-04
218.78.131.154	100%	592	203	🇨🇳 CN	AS4812	2026-03-05
125.67.236.54	99%	435	142	🇨🇳 CN	AS4134	2026-03-04
111.228.61.51	95%	423	29	🇨🇳 CN	AS141679	2026-02-03
182.92.181.218	100%	413	88	🇨🇳 CN	AS37963	2026-03-02
120.48.43.118	98%	317	99	🇨🇳 CN	AS38365	2026-03-04
101.201.124.141	98%	279	43	🇨🇳 CN	AS37963	2026-03-02
117.50.47.100	94%	261	50	🇨🇳 CN	AS4808	2026-03-04
101.201.71.213	99%	243	40	🇨🇳 CN	AS37963	2026-02-28
180.76.52.82	91%	233	81	🇨🇳 CN	AS38365	2026-03-05
39.99.250.21	99%	231	51	🇨🇳 CN	AS37963	2026-02-28
121.196.225.181	98%	215	48	🇨🇳 CN	AS37963	2026-03-04
8.130.138.41	97%	200	40	🇨🇳 CN	AS37963	2026-03-05
47.120.79.252	99%	188	46	🇨🇳 CN	AS37963	2026-03-04
47.117.110.149	98%	177	31	🇨🇳 CN	AS37963	2026-03-05
47.98.205.94	95%	176	45	🇨🇳 CN	AS37963	2026-03-04
47.92.97.77	98%	160	40	🇨🇳 CN	AS37963	2026-03-05