
New Cryptojacking Attack Targets Redis Servers to Deploy Miners and Bypass Security Measures

A sophisticated cryptojacking campaign has emerged, exploiting misconfigured Redis servers across multiple continents to deploy cryptocurrency miners while systematically dismantling security defences. The threat actor behind this operation, designated TA-NATALSTATUS, has been active since 2020 but has significantly escalated their activities throughout 2025, targeting exposed Redis instances with alarming success rates across major economies. The campaign demonstrates unprecedented scale and technical sophistication, with infection rates reaching concerning levels across affected regions. In Finland, 41% of Redis servers have been compromised, while Russia shows 39% infection rates. Germany faces a 33% compromise rate, with the United Kingdom at 27%, France at 23%, and the United States reporting 17% of Redis servers affected. The geographic distribution spans from Asia-Pacific regions, including China, which hosts over 140,000 exposed Redis instances, to European and North American infrastructure.

CloudSEK analysts identified this advanced persistent threat through their BeVigil platform monitoring, revealing that TA-NATALSTATUS has evolved from a simple cryptojacking operation into a comprehensive rootkit-style attack framework. The threat actors have systematically upgraded their stealth capabilities, incorporating process hijacking, command obfuscation, and timestomping techniques that transform compromised servers into long-term mining assets while remaining virtually undetectable to standard monitoring tools. The attack methodology exploits a fundamental security weakness known as the “Root by Inheritance” technique, where Redis servers running with elevated privileges become immediate targets for privilege escalation. Rather than exploiting traditional vulnerabilities, the attackers leverage legitimate Redis operations to achieve persistent access and control. The malware’s persistence strategy represents a masterclass in system manipulation and defensive evasion. TA-NATALSTATUS employs a multi-layered approach that begins with binary hijacking, where critical system utilities are systematically replaced with malicious wrappers. 
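
The two weaknesses this summary describes, an exposed or misconfigured Redis instance and system utilities replaced by script wrappers, both lend themselves to a simple defender-side check. The script below is an added example, not code from CloudSEK or from the campaign; it assumes Redis's documented default of listening on all interfaces when no `bind` directive is present, and the two sample configurations are constructed for the demonstration.

```python
import os

ELF_MAGIC = b"\x7fELF"  # first four bytes of every native Linux executable

# Constructed samples (not taken from the campaign): an exposed redis.conf and a hardened one.
WEAK_CONF = "protected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1\nprotected-mode yes\nrequirepass REPLACE_WITH_STRONG_SECRET\n"
    'rename-command CONFIG ""\nrename-command DEBUG ""\n'
)

def parse_conf(conf_text):
    """Map each redis.conf directive (lowercased) to the list of its values."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), []).append(value.strip())
    return settings

def audit_redis_conf(conf_text):
    """Findings that leave an instance reachable and administrable from the network."""
    s = parse_conf(conf_text)
    findings = []
    if s.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    # Redis listens on every interface when no bind directive is present (assumed default).
    if any(a in ("0.0.0.0", "*") for a in s.get("bind", ["0.0.0.0"])[0].split()):
        findings.append("listens on all interfaces")
    if "requirepass" not in s:
        findings.append("no requirepass set")
    renamed = {v.split()[0].upper() for v in s.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "DEBUG"):  # admin commands that should not be reachable remotely
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed or disabled")
    return findings

def classify_header(head):
    """'elf' for a native binary, 'script' for an interpreter wrapper, else 'other'."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    return "script" if head.startswith(b"#!") else "other"

def find_wrapped_utilities(paths):
    """Return the given utilities (expected to be native ELF) whose on-disk file no longer is."""
    wrapped = []
    for p in filter(os.path.isfile, paths):
        with open(p, "rb") as f:
            if classify_header(f.read(4)) != "elf":
                wrapped.append(p)
    return wrapped
```

Run `find_wrapped_utilities` only over utilities that are native binaries on your distribution, since some legitimate tools ship as shell scripts and would otherwise be false positives.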

Categories: Cryptojacking, Cybersecurity Threats, Malware Evasion Techniques 

Tags: Cryptojacking, Redis Servers, TA-NATALSTATUS, Malware, Infection Rates, Security Defenses, Privilege Escalation, Evasion Mechanisms, Advanced Persistent Threat, Cryptocurrency Miners 
