RedisRaider begins by indiscriminately scanning the IPv4 space for Redis servers open on port 6379. Upon identifying a target, the malware checks the server OS and uses Redis commands to inject a base64-encoded shell script as a cron job. It writes this payload to disk by reconfiguring Redis to save its database to /etc/cron.d/apache, ensuring periodic execution by the cron scheduler. The script then downloads the main binary from a.hbweb[.]icu, executes it, and re-initiates propagation.
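As an added defender-side example (not code from the original report), the following Python scans Redis MONITOR output for the write-to-cron sequence described above: a single client retargeting the RDB dump directory into a sensitive path and then forcing a SAVE. The sample MONITOR lines, the client addresses and the sensitive-directory list are constructed assumptions.

```python
import re
from collections import defaultdict

# Redis MONITOR line shape: <timestamp> [<db> <client-addr>] "<cmd>" "<arg>" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args; escapes are kept as-is

# Assumed list: directories where a dumped RDB file would be executed or trusted
# rather than merely stored (cron spool, SSH keys, web root).
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron", "/root/.ssh", "/var/www")

def parse_monitor_line(line):
    """Return (timestamp, client, argv) for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("client"), ARG_RE.findall(m.group("argv"))

def detect_rdb_dropper(lines, window=300.0):
    """Alert when a client points 'dir' at a sensitive path and SAVEs within `window` s."""
    state = defaultdict(dict)   # client -> {"dir": (ts, value), "dbfilename": (ts, value)}
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, argv = parsed
        cmd = argv[0].lower()
        if cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                state[client][key] = (ts, argv[3])
        elif cmd in ("save", "bgsave") and "dir" in state.get(client, {}):
            dir_ts, path = state[client]["dir"]
            if ts - dir_ts <= window and path.startswith(SENSITIVE_DIRS):
                name = state[client].get("dbfilename", (None, "dump.rdb"))[1]
                alerts.append({"client": client, "ts": ts,
                               "path": f"{path.rstrip('/')}/{name}"})
    return alerts

# Constructed sample MONITOR output: one suspicious client, one benign client.
SAMPLE_MONITOR = """\
1716200000.101 [0 203.0.113.10:41822] "INFO" "server"
1716200000.205 [0 203.0.113.10:41822] "CONFIG" "SET" "dir" "/etc/cron.d"
1716200000.310 [0 203.0.113.10:41822] "CONFIG" "SET" "dbfilename" "apache"
1716200000.515 [0 203.0.113.10:41822] "SAVE"
1716200001.000 [0 10.0.0.5:51000] "CONFIG" "SET" "dir" "/var/lib/redis"
1716200001.100 [0 10.0.0.5:51000] "BGSAVE"
"""

if __name__ == "__main__":
    for alert in detect_rdb_dropper(SAMPLE_MONITOR.splitlines()):
        print(alert)
```

Feeding live `redis-cli MONITOR` output into this loop is one cheap way to catch the sequence; the `rename-command CONFIG ""` setting in redis.conf blocks it outright.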
The main payload is a Go-based ELF binary that unpacks a bundled XMRig miner at runtime, which evades static detection. RedisRaider uses the Garble obfuscator, runtime unpacking routines, short key TTLs, and log clearing to hinder analysis. Additional infrastructure hosts an in-browser Monero miner.