P2PInfect Botnet Compromises Kubernetes Clusters for Months
The discovery shows that a single misconfiguration in a cloud environment can lead to a long-term, hard-to-remove botnet infection that resists standard takedown techniques.
Reporting from 1 source: ASCII.jp.
FortiGuard Labs has confirmed persistent P2PInfect activity within Google Kubernetes Engine clusters of multiple companies, with one compromise lasting six months. The infections originated from exposed Redis instances. Fortinet also identified a new deployment script and evidence that the botnet has expanded its attack targets beyond Redis to include React vulnerabilities.
FortiGuard Labs has confirmed that the P2PInfect botnet maintained a persistent presence inside Google Kubernetes Engine clusters of multiple customer companies. In one case the compromise lasted six months. The infections began from externally exposed Redis instances, which gave the botnet its initial foothold. Fortinet telemetry did not detect second-stage payloads, but the botnet is known to deploy ransomware or cryptominers after long periods of inactivity. A new deployment script was also found. Some infected Redis nodes communicated with peers that had exploited CVE-2025-11953, a React vulnerability, indicating the botnet has expanded its targeting beyond Redis. Fortinet also believes, with low confidence, that P2PInfect may have incorporated CVE-2025-49844 into its methods.
Synthesized by Yomimono from the single cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.
Sources
- ASCII.jp: Kubernetes compromise by P2PInfect discovered at multiple companies