Stratos Ally

RedisRaider: New Cryptojacking Campaign Targets Exposed Redis Servers on Linux


StratosAlly


Cybersecurity researchers have identified a new cryptojacking campaign called RedisRaider, which targets exposed Redis servers running Linux.

According to researchers Matt Muir and Frederic Baguelin from Datadog Security Labs, RedisRaider scans random IP addresses and uses valid Redis commands to set up malicious cron jobs on vulnerable systems. This allows attackers to run unauthorized tasks and secretly mine cryptocurrency.

The main aim of the RedisRaider campaign is to install a Go-based program that launches an XMRig cryptocurrency miner on infected systems. The attackers start by using a custom scanner to find Redis servers that are open to the internet. They then send an INFO command to check whether the server is running on Linux. If it is, they exploit Redis’s SET command to create a scheduled task (cron job).

Next, they use the CONFIG command to change the Redis working directory to “/etc/cron.d” and save a fake database file called “apache” there, so that the system’s task scheduler picks the planted job up and runs it on a regular basis. The Base64-encoded script in that job downloads another malicious file, called RedisRaider, from an external server.
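The chain above (INFO, SET, CONFIG SET dir / dbfilename, then a save) leaves a recognisable trace in Redis MONITOR output. The following is an added detection example, not code from the article or from Datadog; it parses MONITOR lines, tracks per-client CONFIG changes, and raises alerts when a client redirects the working directory into a cron path and then forces a dump. The sample lines are constructed, the client addresses are placeholders, and the `dbfilename` setting is assumed to be how the “apache” file gets its name.

```python
import re

# Shape of one Redis MONITOR line: <unix ts> [<db> <ip:port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Cron directories: an RDB dump written here is parsed by the task scheduler,
# which is exactly what the campaign relies on with /etc/cron.d.
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron")


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for a MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("args"))]
    return {"ts": float(m.group("ts")), "client": m.group("client"), "args": args}


def detect_rdb_write_abuse(lines):
    """Track CONFIG SET dir/dbfilename per client and flag dumps aimed at a cron path."""
    state = {}   # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd, client = ev["args"][0].upper(), ev["client"]
        st = state.setdefault(client, {})
        if cmd == "CONFIG" and len(ev["args"]) >= 4 and ev["args"][1].upper() == "SET":
            key, value = ev["args"][2].lower(), ev["args"][3]
            if key in ("dir", "dbfilename"):
                st[key] = value
            if key == "dir" and value.startswith(SENSITIVE_DIRS):
                alerts.append({"client": client, "stage": "dir-redirect", "dir": value})
        elif cmd in ("SAVE", "BGSAVE") and st.get("dir", "").startswith(SENSITIVE_DIRS):
            path = st["dir"].rstrip("/") + "/" + st.get("dbfilename", "dump.rdb")
            alerts.append({"client": client, "stage": "dump-written", "path": path})
    return alerts


# Constructed MONITOR sample modelled on the chain described above (not a real capture).
SAMPLE_LINES = [
    '1747000000.100001 [0 203.0.113.5:41022] "INFO" "server"',
    '1747000000.200002 [0 203.0.113.5:41022] "SET" "backup1" "<constructed cron line omitted>"',
    '1747000000.300003 [0 203.0.113.5:41022] "CONFIG" "SET" "dir" "/etc/cron.d"',
    '1747000000.400004 [0 203.0.113.5:41022] "CONFIG" "SET" "dbfilename" "apache"',
    '1747000000.500005 [0 203.0.113.5:41022] "SAVE"',
    '1747000001.000006 [0 10.0.0.7:50211] "GET" "session:42"',
]

if __name__ == "__main__":
    for alert in detect_rdb_write_abuse(SAMPLE_LINES):
        print(alert)
```

MONITOR is expensive on a busy instance, so in practice the same logic is better fed from a proxy or packet capture of the Redis port; the parsing stays the same.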

This downloaded file acts as a dropper that installs a custom build of XMRig, a program used for mining cryptocurrency. It also spreads the malware to other Redis servers, helping it infect more systems.

Besides mining cryptocurrency on infected servers, the attackers also ran a web-based Monero miner. This allowed them to earn money through multiple methods.

The attackers used evasive techniques to avoid being noticed, such as setting short expiration times on the Redis keys they created and changing database settings. These tricks made it harder for security teams to detect the attack or analyze it afterward.

The warning comes as Guardz uncovered a separate attack campaign that targeted Microsoft Entra ID by taking advantage of outdated login methods. From March 18 to April 7, 2025, hackers used a method called BAV2ROPC (Basic Authentication Version 2 Resource Owner Password Credential) to guess user passwords and gain access to accounts. This approach helped them bypass security measures like multi-factor authentication (MFA) and Conditional Access Policies.

Elli Shlomo, Guardz’s head of security research, explained that the attackers clearly understood how identity systems work and were able to exploit weaknesses in older security setups.

The attackers mostly came from Eastern Europe and the Asia-Pacific regions, focusing heavily on administrator accounts by using old login systems.

Guardz reported that while regular user accounts were hit the most, with over 50,000 login attempts, admin accounts and shared mailboxes were attacked in a more targeted way. In just 8 hours, admin accounts saw nearly 10,000 login attempts coming from 432 different IP addresses. That’s about 23 attempts per IP, or over 1,200 attempts every hour.

This shows that the attackers used a fast, automated method to try and break into high-level accounts, all while continuing to attack regular users to keep their chances of success high.

This isn’t the first time older login methods have been misused for cyberattacks. Back in 2021, Microsoft revealed a widespread email hacking campaign that used BAV2ROPC and IMAP/POP3 to get around multi-factor authentication and steal email data.

To protect against these types of attacks, experts recommend blocking legacy authentication using Conditional Access, turning off BAV2ROPC, and turning off SMTP AUTH in Exchange Online if not in use.
