A sophisticated cryptojacking campaign has emerged, exploiting misconfigured Redis servers across multiple continents to deploy cryptocurrency miners while systematically dismantling security defenses.
The threat actor behind this operation, designated TA-NATALSTATUS, has been active since 2020 but has significantly escalated their activities throughout 2025, targeting exposed Redis instances with alarming success rates across major economies.
The campaign demonstrates unprecedented scale and technical sophistication, with infection rates reaching alarming levels across affected regions.
In Finland, 41% of Redis servers have been compromised, while Russia shows 39% infection rates. Germany faces a 33% compromise rate, with the United Kingdom at 27%, France at 23%, and the United States reporting 17% of Redis servers affected.
The geographic distribution spans from Asia-Pacific regions including China, which hosts over 140,000 exposed Redis instances, to European and North American infrastructure.
| Country | Total Redis Instances | Unauthenticated (No Auth) | Percent Unauthenticated |
|---|---|---|---|
| China | 140,170 | 12,030 | 8.58% |
| United States | 50,160 | 8,806 | 17.56% |
| Germany | 20,400 | 6,854 | 33.70% |
| Hong Kong | 12,760 | 831 | 6.51% |
| Singapore | 11,710 | 2,126 | 18.16% |
| India | 7,456 | 2,206 | 29.60% |
| Netherlands | 7,249 | 1,310 | 18.07% |
| Russia | 7,055 | 2,805 | 39.77% |
| South Korea | 5,950 | 1,820 | 30.50% |
| Japan | 5,202 | 734 | 14.11% |
| France | 5,152 | 1,196 | 23.22% |
| United Kingdom | 4,015 | 1,086 | 27.06% |
| Brazil | 3,878 | 882 | 22.74% |
| Finland | 3,034 | 1,266 | 41.73% |
| Canada | 2,825 | 527 | 18.65% |
| Vietnam | 2,484 | 871 | 35.06% |
| Indonesia | 2,394 | 588 | 24.57% |
| Australia | 2,227 | 357 | 16.02% |
| Ireland | 2,131 | 300 | 14.07% |
CloudSEK analysts identified this advanced persistent threat through their BeVigil platform monitoring, revealing that TA-NATALSTATUS has evolved from a simple cryptojacking operation into a comprehensive rootkit-style attack framework.
The threat actors have systematically upgraded their stealth capabilities, incorporating process hijacking, command obfuscation, and timestomping techniques that transform compromised servers into long-term mining assets while remaining virtually undetectable to standard monitoring tools.
The attack methodology exploits a fundamental security weakness known as the “Root by Inheritance” technique, where Redis servers running with elevated privileges become immediate targets for privilege escalation.
Rather than exploiting traditional vulnerabilities, the attackers leverage legitimate Redis operations to achieve persistent access and control.
**Advanced Persistence and Evasion Mechanisms**
The malware’s persistence strategy represents a masterclass in system manipulation and defensive evasion. TA-NATALSTATUS employs a multi-layered approach that begins with binary hijacking, where critical system utilities are systematically replaced with malicious wrappers.
The attackers rename legitimate binaries such as `ps` and `top` to `ps.original` and `top.original`, then install custom scripts that execute the original commands while filtering out evidence of their mining processes.
The attack sequence involves Redis manipulation through a series of CONFIG SET commands. Attackers redirect the Redis database output to `/var/spool/cron/root` and inject malicious cron jobs that trigger automatic payload downloads.
The technique exploits Redis’s ability to write arbitrary files when running with root privileges, effectively turning the database service into a delivery mechanism for persistent malware installation.
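The settings that decide whether a CONFIG SET sequence can turn a Redis instance into a cron-file writer are all in redis.conf. The following audit script is an added example, not CloudSEK's or the Redis project's tooling: it parses a constructed weak configuration of the kind the campaign targets and a constructed hardened one (the passwords are placeholders) and reports which of four conditions would still let the technique work: the listener bound to all interfaces, protected mode off, no authentication, and the CONFIG command reachable.

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
redirect the database dump into a cron directory, as described above.
Added example, not CloudSEK's or the Redis project's tooling; both config
texts are constructed, and the passwords are placeholders."""

# Constructed: an exposed instance of the kind the campaign targets.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# no requirepass, no ACL: any client may run CONFIG SET dir / dbfilename
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same instance with the four weaknesses closed.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass PLACEHOLDER-long-random-secret
dir /var/lib/redis
dbfilename dump.rdb
# Redis ACL: even an authenticated default user may not call CONFIG,
# so dir and dbfilename cannot be pointed at /var/spool/cron.
user default on >PLACEHOLDER-long-random-secret ~* &* +@all -config
"""

# Addresses that expose the listener on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text: str) -> dict:
    """Map each directive to the list of argument strings it was given.
    Only whole-line comments start with '#'; a directive may repeat ('user')."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text: str) -> list:
    """Return the weaknesses found; an empty list means none of the checked
    settings would let the cron-write technique work."""
    conf = parse_conf(text)
    findings = []

    # No bind directive at all means Redis listens on every interface.
    binds = conf.get("bind", ["*"])[-1].split()
    if any(addr.lstrip("-") in WILDCARD_BINDS for addr in binds):
        findings.append("bind:all-interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode:off")

    # ACL rules for the default user, split into tokens.
    default_rules = [r.split() for r in conf.get("user", []) if r.split()[:1] == ["default"]]
    acl_password = any(tok.startswith((">", "#")) for rule in default_rules for tok in rule)
    if "requirepass" not in conf and not acl_password:
        findings.append("auth:none")

    # CONFIG must be unreachable: renamed away (older style) or denied by ACL.
    renamed = any(len(a.split()) >= 2 and a.split()[0].lower() == "config" and a.split()[1] == '""'
                  for a in conf.get("rename-command", []))
    denied = any("-config" in rule for rule in default_rules)
    if not (renamed or denied):
        findings.append("config-command:exposed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The "Root by Inheritance" half of the problem is not visible in redis.conf at all: which user the daemon runs as is decided by the service unit or init script, so a clean audit here still needs a separate check that the process is running as a dedicated unprivileged account rather than root.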
To ensure long-term persistence, the malware implements immutable file protection using the `chattr +i` command, making core malware components undeletable even by root users.
This technique, combined with SSH backdoor installation using the distinctive key comment “uc1”, creates multiple redundant access paths that survive system restarts and basic cleanup attempts.
The comprehensive approach transforms infected systems into resilient mining platforms that actively defend against both competing malware and administrator remediation efforts.
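Each persistence layer described in this section leaves a checkable trace on the host: a crontab written through Redis still carries the RDB header (every Redis dump begins with the bytes `REDIS`), a wrapped `ps` or `top` is a script rather than an ELF file and has a `.original` sibling, the immutable bit is visible to `lsattr`, and the SSH backdoor key carries the comment "uc1". The script below is an added example, not CloudSEK's tooling; it builds a constructed sample tree in a temporary directory (placeholder key data, a placeholder payload path) and reports which indicators it finds. Pointed at `/` it runs the same checks on a live host.

```python
"""Host-side checks for the persistence indicators described above: the RDB
header in a crontab written through Redis, a system tool replaced by a wrapper
with a '.original' sibling, the immutable bit, and an SSH key carrying the
comment "uc1". Added example, not CloudSEK's tooling; the sample tree is
constructed in a temporary directory and contains no real key material."""
import os
import shutil
import subprocess
import tempfile

RDB_MAGIC = b"REDIS"       # every Redis RDB dump starts with this header
ELF_MAGIC = b"\x7fELF"     # a genuine Linux executable starts with this
HIJACK_TARGETS = ("ps", "top")  # utilities the article reports being wrapped
SUSPECT_KEY_COMMENT = "uc1"     # SSH key comment the article attributes to the campaign


def cron_looks_like_rdb(data: bytes) -> bool:
    """A crontab produced by a Redis SAVE carries the RDB header around the
    injected line; a legitimate crontab is plain text with no such header."""
    return RDB_MAGIC in data


def binary_is_wrapped(path: str) -> bool:
    """True when a tool is no longer an ELF file and '<tool>.original' exists
    beside it, the rename-and-wrap pattern used to hide mining processes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head != ELF_MAGIC and os.path.exists(path + ".original")


def suspicious_ssh_keys(authorized_keys_text: str) -> list:
    """Return authorized_keys lines whose trailing comment field is the suspect value."""
    hits = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        # Layout is "[options] keytype base64 [comment]"; the comment is the last field.
        if len(fields) >= 3 and fields[-1] == SUSPECT_KEY_COMMENT:
            hits.append(line)
    return hits


def is_immutable(path: str):
    """Wrap 'lsattr -d'; True/False when it answers, None where the tool or
    filesystem does not support attributes (chattr +i is an ext4/xfs feature)."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return "i" in out.split()[0]


def scan_host(root: str) -> list:
    """Collect indicator names for a filesystem rooted at `root` ('/' on a live host)."""
    findings = []
    cron = os.path.join(root, "var/spool/cron/root")
    if os.path.isfile(cron):
        with open(cron, "rb") as fh:
            if cron_looks_like_rdb(fh.read()):
                findings.append("cron:rdb-header")
        if is_immutable(cron):
            findings.append("cron:immutable")
    for name in HIJACK_TARGETS:
        for d in ("bin", "usr/bin"):
            if binary_is_wrapped(os.path.join(root, d, name)):
                findings.append(f"binary:{name}-wrapped")
    keys = os.path.join(root, "root/.ssh/authorized_keys")
    if os.path.isfile(keys):
        with open(keys) as fh:
            findings.extend("ssh:uc1-key" for _ in suspicious_ssh_keys(fh.read()))
    return findings


def run_demo() -> list:
    """Build a constructed tree showing each indicator, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="redis-ioc-demo-")

    def put(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    # Crontab as Redis would dump it: RDB header and framing bytes around the cron line.
    put("var/spool/cron/root", b"REDIS0009\xfa\x00\n\n* * * * * /tmp/EXAMPLE-payload.sh\n\xff")
    put("bin/ps", b"#!/bin/sh\nexec /bin/ps.original \"$@\"\n", 0o755)   # stand-in wrapper
    put("bin/ps.original", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o755)
    put("bin/top", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o755)         # untouched
    put("root/.ssh/authorized_keys",
        b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA uc1\n"
        b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA ops@host\n", 0o600)
    try:
        return scan_host(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())   # ['cron:rdb-header', 'binary:ps-wrapped', 'ssh:uc1-key']
```

The immutable-bit check is deliberately advisory: on a temporary filesystem `lsattr` fails and the function returns `None`, so the demo run never reports `cron:immutable`, while on an ext4 or xfs root a cron file that comes back immutable is itself the finding, since nothing legitimate sets `chattr +i` on a crontab. Remediation then has to start with `chattr -i` before the file can be removed, which is exactly why the campaign uses it.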