HeadCrab: A cutting-edge malware puts global Redis servers at risk

HeadCrab is a sophisticated threat actor that infiltrates a huge number of Redis servers using cutting-edge, bespoke malware. These malwares escape detection by both agentless and conventional anti-virus programmes to mine cryptocurrency via Redis servers. The HeadCrab malware has taken over at least 1,200 systems since September 2022.

As a database, cache, or message broker, Redis is an open-source in-memory data structure store. Redis servers are designed to operate on a secure, closed network rather than being exposed to the internet and by default, do not have authentication enabled. Due to this, internet-accessible default Redis servers are susceptible to intrusion and command execution.

Utilizing the SLAVEOF command, which turns one server into a slave server for another Redis server under the attacker’s control, the HeadCrab virus was able to successfully penetrate the server. The malicious Redis module was downloaded onto the targeted machine as synchronization of the master server started with the slave server. Threat actors have loaded malicious modules onto vulnerable systems using this exploitation approach, underscoring the significance of safe setups and diligent network activity monitoring.

The RedisModule OnLoad function is used by the HeadCrab virus as an entry point, and it stores the addresses of crucial Redis API calls for further usage. The virus then uses sophisticated techniques to get around security defenses and keep the compromised system infected.

The attack’s primary effect was the theft of resources for cryptocurrency mining. The mining pools were primarily hosted on private, valid IP addresses, according to the miner configuration file that was recovered from memory. These IP addresses are either owned by clean hosts or a reputable security provider, which makes discovery and attribution more complex.

The HeadCrab virus can carry out harmful tasks, including collecting confidential data, carrying out arbitrary orders, and remaining persistent on the infected server. The hacker can also remotely use the internet or other Redis servers on the same network to propagate the virus. Whether Redis servers are running in a virtual machine or container environment, the HeadCrab virus is made to be stealthy in its attack on them.

The US, West Europe, and the Asia Pacific region appear to be the three regions where the novel threat actors compromised Redis servers the most.


  1. https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
  2. https://www.scmagazine.com/analysis/vulnerability-management/stealthy-headcrab-malware-compromised-1200-redis-servers-worldwide
SISA’s Latest
close slider