How Redigo Malware Exploits Redis CVE-2022-0543 to Plant Stealthy Backdoors
Redigo, a Go‑based malware discovered by AquaSec, continuously scans for unpatched Redis servers vulnerable to CVE‑2022‑0543, uses Redis commands to load a malicious module that creates a hidden backdoor for arbitrary command execution, gathers system data, and may enlist the host in DDoS or crypto‑mining botnets.
Researchers have identified a new Go‑based malware called Redigo that specifically targets Redis servers vulnerable to CVE‑2022‑0543, implanting a stealthy backdoor that enables arbitrary command execution.
CVE‑2022‑0543 is a critical Lua sandbox‑escape vulnerability in Redis (Remote Dictionary Server) builds shipped by Debian and Ubuntu; it was disclosed and patched in February 2022. Months after the fix, attackers continue to exploit instances that were never updated. The name Redigo reflects both the target (Redis) and the language the malware is written in (Go).
AquaSec reported that a Redis honeypot vulnerable to CVE‑2022‑0543 captured this previously undetected malware, which was not flagged by VirusTotal.
Redigo attack flow
INFO – reads the server's version string to confirm that the instance is a build affected by CVE‑2022‑0543.
SLAVEOF – turns the vulnerable instance into a replica of an attacker‑controlled master.
REPLCONF – configures the replication connection between the attacker's master and the newly created replica.
PSYNC – starts the replication stream, through which the attacker's master delivers the shared library "exp_lin.so" onto the victim's disk.
MODULE LOAD – loads exp_lin.so into the Redis process; the module gives the attacker arbitrary command execution (the backdoor) and is used to exploit CVE‑2022‑0543.
SLAVEOF NO ONE – promotes the instance back to a master, dropping the replication link once the module is in place.
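The sequence above is visible on the victim as a handful of commands from one client, which makes it a good candidate for a simple stateful detection. The following added example (not code from the AquaSec report or from Redigo) parses `redis-cli MONITOR` output and raises an alert when a single client issues SLAVEOF or REPLICAOF pointing at an external master, then MODULE LOAD, then SLAVEOF NO ONE within a short window. The MONITOR capture, the IP addresses, ports and the module path `/tmp/exp_lin.so` are constructed for the example; the report names the library but not where it was written, and the 300‑second correlation window is an assumed threshold.

```python
import re
from collections import defaultdict

# One line of `redis-cli MONITOR` output looks like:
#   1669800000.100000 [0 203.0.113.10:48512] "SLAVEOF" "203.0.113.10" "8889"
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$'
)
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_monitor_line(line):
    """Parse one MONITOR line into (timestamp, client, [CMD, arg, ...]).

    The command name is upper-cased; arguments are left exactly as sent.
    Returns None for lines that are not MONITOR records (e.g. the 'OK' banner).
    """
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return None
    args[0] = args[0].upper()
    return float(m.group("ts")), m.group("client"), args


def _is_no_one(args):
    # SLAVEOF NO ONE / REPLICAOF NO ONE: promote the instance back to master
    return len(args) == 3 and args[1].upper() == "NO" and args[2].upper() == "ONE"


def detect_rogue_replication(lines, window=300.0):
    """Flag the SLAVEOF -> MODULE LOAD -> SLAVEOF NO ONE sequence per client.

    Returns a list of alert dicts (client, timestamp, stage, detail). `window`
    is the assumed maximum number of seconds between the initial SLAVEOF and
    the later stages for them to be correlated as one attack.
    """
    alerts = []
    state = defaultdict(dict)  # client -> {"slaveof_ts", "master", "module_ts"}

    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        cmd = args[0]
        st = state[client]

        if cmd in ("SLAVEOF", "REPLICAOF") and len(args) == 3:
            if _is_no_one(args):
                # Stage 3: promotion back to master after a module load from
                # the same client completes the pattern.
                if "module_ts" in st and ts - st["slaveof_ts"] <= window:
                    alerts.append({"client": client, "ts": ts,
                                   "stage": "rogue-replication-complete",
                                   "detail": st["master"]})
                state.pop(client, None)
            else:
                # Stage 1: the instance is pointed at an external master.
                st.clear()
                st["slaveof_ts"] = ts
                st["master"] = f"{args[1]}:{args[2]}"
                alerts.append({"client": client, "ts": ts, "stage": "slaveof",
                               "detail": st["master"]})
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            # Stage 2: a MODULE LOAD from a network client is worth an alert on
            # its own; it is also correlated with an earlier SLAVEOF.
            alerts.append({"client": client, "ts": ts, "stage": "module-load",
                           "detail": args[2]})
            if "slaveof_ts" in st and ts - st["slaveof_ts"] <= window:
                st["module_ts"] = ts
    return alerts


# Constructed MONITOR capture mirroring the flow described above; the IPs,
# ports and module path are placeholders, not indicators from the report.
SAMPLE_MONITOR = """\
OK
1669800000.100000 [0 203.0.113.10:48512] "INFO"
1669800000.200000 [0 203.0.113.10:48512] "SLAVEOF" "203.0.113.10" "8889"
1669800000.300000 [0 203.0.113.10:48512] "REPLCONF" "listening-port" "6379"
1669800000.400000 [0 203.0.113.10:48512] "PSYNC" "?" "-1"
1669800001.500000 [0 203.0.113.10:48512] "MODULE" "LOAD" "/tmp/exp_lin.so"
1669800001.600000 [0 203.0.113.10:48512] "SLAVEOF" "NO" "ONE"
1669800002.000000 [0 10.0.0.7:52100] "GET" "session:42"
"""


def scan_sample():
    """Run the detector over the constructed capture."""
    return detect_rogue_replication(SAMPLE_MONITOR.splitlines())


if __name__ == "__main__":
    for a in scan_sample():
        print(f"{a['ts']:.3f} {a['client']} {a['stage']}: {a['detail']}")
```

On a production instance MONITOR is expensive and should not be left running; the same logic applies unchanged to a packet capture of port 6379 decoded to RESP commands. A MODULE LOAD from any client other than a local administrator is enough to page on by itself, which is why the detector emits it as a separate alert before the full sequence is confirmed.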
Using the backdoor's command‑execution capability, the attacker collects hardware information about the host, then downloads the Redigo binary (named redis‑1.2‑SNAPSHOT), escalates privileges and executes it.
Redigo's command‑and‑control traffic is carried over the standard Redis port 6379 and shaped to look like ordinary Redis traffic, so that network analysis tools do not single it out.
Because the AquaSec honeypot limited the attack duration, analysts could not determine the full post‑compromise behavior of Redigo.
AquaSec believes Redigo’s ultimate goals are likely to enlist the compromised server in a botnet for distributed denial‑of‑service (DDoS) attacks, run cryptocurrency miners, or exfiltrate data stored in Redis, which functions as a database.
21CTO