HeadCrab Botnet Targets 1,200 Redis Servers in a New Elusive Campaign

A new elusive and sophisticated threat infiltrating Redis servers worldwide has been found to be active since September 2021. Attributed to the HeadCrab threat actor group, the campaign utilizes custom-made malware with the same name.

What’s happening?

Aqua Security's Team Nautilus researchers found that the HeadCrab botnet has, so far, taken control of at least 1,200 Redis servers.
  • The attackers have gone to great lengths to ensure that the malware bypasses the volume-based scans on the system’s memory. 
  • Additionally, logs are deleted using the Redis module framework and API.
  • As a part of the evasion strategy, the attackers use legitimate IP addresses of other infected servers for communication and to reduce the likelihood of being blacklisted by security solutions.

More about HeadCrab botnet

Primarily based on Redis processes, the HeadCrab botnet boasts numerous options and capabilities.
  • Upon initial execution, the botnet utilizes the ‘RedisModule_OnLoad’ function that is triggered when the Redis server loads the module.
  • In the later stage, it creates new Redis commands to enable its operators to perform multiple malicious activities such as replacing default commands with malicious functions to evade detection, updating the magic numbers used in encryption, and listening to an incoming connection on a port.

Redis servers - a hotbed of criminals

As Redis servers have become popular, the frequency of attacks has increased.
  • In December, a new Go-based malware called Redigo was discovered targeting Redis servers. The malware used a Redis vulnerability to propagate across networks.
  • Furthermore, a threat actor had hacked around 39,000 of these unauthenticated servers to install a cryptocurrency miner. A majority of these servers were located in China, followed by the U.S., France, Germany, the Netherlands, Ireland, Singapore, and Hong Kong.


Organizations with Redis implementations are advised to either update to the latest version or harden their network environments in line with security best practices. Leverage the services of threat intelligence platforms to monitor and detect suspicious activity by cybercriminal groups such as HeadCrab in real time.
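
As an added example (not from the original article or from Aqua Security's research), the Python below audits captured Redis state for the conditions the article describes: unauthenticated exposure and modules loaded outside an approved set. The function names, finding codes, module dictionary shape and all sample data are assumptions made for illustration; the configuration directive names are Redis's own, and `enable-module-command` exists only in Redis 7.0 and later.

```python
# Added example: offline audit of captured Redis state. All sample data is constructed.

def parse_config(raw: str) -> dict:
    """Parse non-TTY `redis-cli CONFIG GET '*'` output: alternating key / value lines."""
    lines = raw.splitlines()
    return dict(zip(lines[0::2], lines[1::2]))

def audit(config: dict, modules: list, allowed_modules: set) -> list:
    """Return (code, detail) findings relevant to module-based compromise."""
    findings = []
    bind = config.get("bind", "").split()
    # A leading "-" only means "do not fail if this address is unavailable".
    if not bind or any(a.lstrip("-") in ("*", "0.0.0.0", "::", "::*") for a in bind):
        findings.append(("EXPOSED_BIND", "listening on all interfaces"))
    if config.get("protected-mode") != "yes":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode is not 'yes'"))
    if not config.get("requirepass"):
        findings.append(("NO_AUTH", "requirepass is empty"))
    # Redis 7.0+ directive; when absent (older versions) MODULE LOAD is always available.
    if config.get("enable-module-command", "absent") not in ("no", "local"):
        findings.append(("MODULE_CMD_REMOTE", "MODULE command accepted from non-local clients"))
    # Any module outside the approved set deserves investigation, including its path.
    for mod in modules:
        if mod["name"] not in allowed_modules:
            findings.append(("UNEXPECTED_MODULE", f"{mod['name']} from {mod.get('path', '?')}"))
    return findings

# Constructed captures: a weak server and a hardened one.
WEAK_RAW = "bind\n* -::*\nprotected-mode\nno\nrequirepass\n\nenable-module-command\nyes\n"
HARDENED_RAW = ("bind\n127.0.0.1 -::1\nprotected-mode\nyes\n"
                "requirepass\nconstructed-secret\nenable-module-command\nno\n")
# Hypothetical shape for MODULE LIST entries (name and path per module).
SAMPLE_MODULES = [
    {"name": "search", "path": "/opt/redis/modules/redisearch.so"},
    {"name": "constructed_mod", "path": "/tmp/constructed_example.so"},
]

if __name__ == "__main__":
    for code, detail in audit(parse_config(WEAK_RAW), SAMPLE_MODULES, {"search"}):
        print(f"{code}: {detail}")
```

An empty result on the hardened capture does not prove a server is clean, since the article notes that the malware replaces default commands; compare results against a known-good baseline taken from a trusted host.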
Cyware Publisher