April 12, 2023

P2Pinfect - New Variant Targets MIPS Devices

A new P2Pinfect variant compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture has been discovered. This demonstrates increased targeting of routers, Internet of Things (IoT) and other embedded devices by those behind P2Pinfect.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community

Introduction: P2PInfect

Since July 2023, researchers at Cado Security Labs (now part of Darktrace) have been monitoring and reporting on the rapid growth of a cross-platform botnet, named “P2Pinfect”. As the name suggests, the malware - written in Rust - acts as a botnet agent, connecting infected hosts in a peer-to-peer topology. In early samples, the malware exploited Redis for initial access - a relatively common technique in cloud environments. 

There are a number of methods for exploiting Redis servers, several of which appear to be utilized by P2Pinfect. These include exploitation of CVE-2022-0543 [1], a sandbox escape vulnerability in the Lua scripting engine (reported by Unit42 [2]), and, as reported previously by Cado Security Labs, an unauthorized replication attack resulting in the loading of a malicious Redis module.

Researchers have since encountered a new variant of the malware, specifically targeting embedded devices based on 32-bit MIPS processors, and attempting to brute force SSH access to these devices. It’s highly likely that by targeting MIPS, the P2Pinfect developers intend to infect routers and IoT devices with the malware. Use of MIPS processors is common for embedded devices and the architecture has been previously targeted by botnet malware, including high-profile families like Mirai [3], and its variants/derivatives.

Not only is this an interesting development in that it demonstrates a widening of scope for the developers behind P2Pinfect (more supported processor architectures equals more nodes in the botnet itself), but the MIPS32 sample includes some notable defense evasion techniques. 

This, combined with the malware’s utilization of Rust (aiding cross-platform development) and rapid growth of the botnet itself, reinforces previous suggestions that this campaign is being conducted by a sophisticated threat actor.

Initial access

Cado researchers encountered the MIPS variant of P2Pinfect after triaging files uploaded via SFTP and SCP to an SSH honeypot. Although earlier variants had been observed scanning for SSH servers, and attempting to propagate the malware via SSH as part of its worming procedure, researchers had yet to observe successful implantation of a P2Pinfect sample using this method - until now.

In keeping with similar botnet families, P2Pinfect includes a number of common username/password pairs embedded within the MIPS binary itself. The malware then iterates through these pairs, initiating an SSH connection to servers identified during the scanning phase to conduct a brute force attack.

It was assumed that SSH would be the primary method of propagation for the MIPS variant, due to routers and other embedded devices being more likely to utilize SSH. However, additional research shows that it is in fact possible to run the Redis server on MIPS. This is achievable via an OpenWRT package named redis-server. [4]

It is unclear what use-case running Redis on an embedded MIPS device solves, or whether it is commonly encountered in the wild. If such a device is compromised by P2Pinfect and has the Redis-server package installed, it is perfectly feasible for that node to then be used to compromise new peers via one of the reported P2Pinfect attack patterns, involving exploitation of Redis or SSH brute-forcing.

Static analysis

The MIPS variant of P2Pinfect is a 32-bit, statically-linked, ELF binary with stripped debug information. Basic static analysis revealed the presence of an additional ELF executable, along with a 32-bit Windows DLL in the PE32 format - more on this later. 

This piqued the interest of Cado analysts, as it is unusual to encounter a compiled ELF with an embedded DLL. Indeed, it was a defining feature of the original P2Pinfect samples.

Figure 1: Embedded Windows PE32 executable

Further analysis of the host executable revealed a structure named “BotnetConf” with members consistent in naming with the original P2Pinfect samples. 

Figure 2: Example of a partially populated version of the BotnetConf struct 

As the name suggests, this structure defines the configuration of the malware itself, whilst also storing the IP addresses of nodes identified during the SSH and Redis scans. This, in combination with the embedded ELF and DLL, along with the use of the Rust programming language allowed for positive attribution of this sample to the P2Pinfect family.

Updated evasion - consulting TracerPid

One of the more interesting aspects of the MIPS sample was the inclusion of a new evasion technique. Shortly after execution, the sample calls fork() to spawn a child process. 

The child process then proceeds to access /proc using openat(), determines its own Process Identifier (PID) using the Linux getpid() syscall, and then uses this PID to consult the relevant /proc subdirectory and read the status file within that. Note that this is likely achieved in the source code by resolving the symbolic link at /proc/self/status.

Figure 3: Example contents of /proc/pid/status when process not being traced

/proc/<pid>/status contains human-readable metadata and other information about the process itself, including memory usage and the name of the command currently being run. Importantly, the status file also contains a TracerPid: field. This field holds 0 if the current process is not being traced; otherwise it holds the PID of the tracing process, which is how ptrace-based dynamic analysis tools such as strace and ltrace are revealed.

Figure 4: Example MIPS disassembly showing reading of /proc/pid/status file

If this value is non-zero, the MIPS variant of P2Pinfect determines that it is being analyzed and will immediately terminate both the child process and its parent. 

read(5, "Name:\tmips_embedded_p\nUmask:\t002", 32) = 32 
read(5, "2\nState:\tR (running)\nTgid:\t975\nN", 32) = 32 
read(5, "gid:\t0\nPid:\t975\nPPid:\t1\nTracerPid:\t971\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0", 64) = 64 
read(5, "\nFDSize:\t32\nGroups:\t0 \nNStgid:\t975\nNSpid:\t975\nNSpgid:\t975\nNSsid:\t975\nVmPeak:\t    3200 kB\nVmSize:\t    3192 kB\nVmLck:\t       0 kB\n", 128) = 128 
read(5, "VmPin:\t       0 kB\nVmHWM:\t    1564 kB\nVmRSS:\t    1560 kB\nRssAnon:\t      60 kB\nRssFile:\t    1500 kB\nRssShmem:\t       0 kB\nVmData:\t     108 kB\nVmStk:\t     132 kB\nVmExe:\t    2932 kB\nVmLib:\t       8 kB\nVmPTE:\t      16 kB\nVmSwap:\t       0 kB\nCoreDumping:\t0\nThre", 256) = 256 
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77ff1000 
read(5, "ads:\t1\nSigQ:\t0/1749\nSigPnd:\t00000000000000000000000000000000\nShdPnd:\t00000000000000000000000000000000\nSigBlk:\t00000000000000000000000000000000\nSigIgn:\t00000000000000000000000000001000\nSigCgt:\t00000000000000000000000000000600\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t0\nSpeculation_Store_Bypass:\tunknown\nCpus_allowed:\t1\nCpus_allowed_list:\t0\nMems_allowed:\t1\nMems_allowed_list:\t0\nvoluntary_ctxt_switches:\t92\nn", 512) = 512 
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77fef000 
munmap(0x77ff1000, 4096)                = 0 
read(5, "onvoluntary_ctxt_switches:\t0\n", 1024) = 29 
read(5, "", 995)                        = 0 
close(5)                                = 0 
munmap(0x77fef000, 8192)                = 0 
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0 
munmap(0x77ff4000, 12288)               = 0 
exit_group(-101)                        = ? 
+++ exited with 155 +++ 

Strace output demonstrating TracerPid evasion technique

Updated evasion - disabling core dumps

Interestingly, the sample will also attempt to disable Linux core dumps. This is likely used as an anti-forensics procedure as the memory regions written to disk as part of the core dump can often contain internal information about the malware itself. In the case of P2Pinfect, this would likely include information such as IP addresses of connected peers and the populated BotnetConf structure mentioned previously. 

It is also possible that the sample prevents core dumps from being created to protect the availability of the MIPS device itself. Low-powered embedded devices are unlikely to have much local storage available and core dumps could quickly fill what little storage they do have, affecting performance of the device itself.


This procedure can be observed during dynamic analysis, with the binary calling the prctl() syscall with the parameters PR_SET_DUMPABLE, SUID_DUMP_DISABLE, and then lowering the RLIMIT_CORE resource limit to zero via prlimit64().

munmap(0x77ff1000, 4096)                = 0 
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0 
prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 

Example strace output demonstrating disabling of core dumps
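Both evasion behaviours described above (the TracerPid check and the core dump disabling) leave a recognisable trace in an strace capture. The following triage script is an added example written for this post, not code from Cado or Darktrace; it assumes strace's default line format, and its sample log is constructed and abridged from the excerpts above, with an assumed openat() line and the TracerPid field deliberately split across two read() calls to exercise payload reassembly.

```python
"""Triage an strace capture for the evasion patterns described above: a
/proc/<pid>/status read returning a non-zero TracerPid followed by exit_group(),
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) and RLIMIT_CORE lowered to 0. strace
splits file contents across read() calls, so payloads are reassembled per fd."""
import re
from collections import defaultdict

READ_RE = re.compile(r'^read\((\d+), "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, \d+\)\s*=\s*(-?\d+)')
CLOSE_RE = re.compile(r"^close\((\d+)\)")
PRCTL_RE = re.compile(r"^prctl\(PR_SET_DUMPABLE, (\w+)\)")
RLIMIT_RE = re.compile(r"^(?:prlimit64|setrlimit)\(.*RLIMIT_CORE, \{rlim_cur=(\d+), rlim_max=(\d+)\}")
EXIT_RE = re.compile(r"^exit_group\((-?\d+)\)")
TRACER_RE = re.compile(r"TracerPid:\t(\d+)")

def unescape(payload: str) -> str:
    """Decode the C-style escapes strace prints (\\t, \\n, octal) into raw text."""
    return payload.encode("latin-1").decode("unicode_escape")

def triage_strace(lines):
    """Return the parsed indicators plus a list of human-readable verdicts."""
    buffers = defaultdict(str)  # fd -> concatenated read() payloads
    result = {"tracer_pid": None, "exit_code": None,
              "dumpable_disabled": False, "core_limit": None, "verdicts": []}

    def scan_status(text):
        if m := TRACER_RE.search(text):
            result["tracer_pid"] = int(m.group(1))

    for line in lines:
        line = line.strip()
        if m := READ_RE.match(line):
            if int(m.group(3)) > 0:            # skip EOF and error returns
                buffers[m.group(1)] += unescape(m.group(2))
        elif m := CLOSE_RE.match(line):        # file fully read: inspect it
            scan_status(buffers.pop(m.group(1), ""))
        elif m := PRCTL_RE.match(line):
            if m.group(1) in ("SUID_DUMP_DISABLE", "0"):
                result["dumpable_disabled"] = True
        elif m := RLIMIT_RE.match(line):
            result["core_limit"] = (int(m.group(1)), int(m.group(2)))
        elif m := EXIT_RE.match(line):
            result["exit_code"] = int(m.group(1))
    for text in buffers.values():              # fds still open at exit
        scan_status(text)

    # Under strace TracerPid is never 0 (strace itself is the tracer), so the
    # tell is the status read followed by an abrupt exit, not the value alone.
    if result["tracer_pid"] and result["exit_code"] is not None:
        result["verdicts"].append(
            f"anti-tracing: TracerPid {result['tracer_pid']} read from "
            f"/proc status, then exit_group({result['exit_code']})")
    if result["dumpable_disabled"]:
        result["verdicts"].append("anti-forensics: prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE)")
    if result["core_limit"] == (0, 0):
        result["verdicts"].append("anti-forensics: RLIMIT_CORE lowered to 0")
    return result

# Constructed sample: abridged from the strace excerpts in the post, with an
# assumed openat() line and the TracerPid field split across two read() calls.
SAMPLE_LOG = [
    'openat(AT_FDCWD, "/proc/975/status", O_RDONLY|O_CLOEXEC) = 5',
    'read(5, "Name:\\tmips_embedded_p\\nUmask:\\t002", 32) = 32',
    'read(5, "2\\nState:\\tR (running)\\nTgid:\\t975\\nN", 32) = 32',
    'read(5, "gid:\\t0\\nPid:\\t975\\nPPid:\\t1\\nTracerP", 64) = 31',
    'read(5, "id:\\t971\\nUid:\\t0\\t0\\t0\\t0\\nGid:\\t0\\t0\\t0\\t0\\n", 64) = 34',
    'read(5, "CoreDumping:\\t0\\nThreads:\\t1\\n", 128) = 26',
    'read(5, "", 1024) = 0',
    'close(5) = 0',
    'prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0',
    'prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0',
    'exit_group(-101) = ?',
    '+++ exited with 155 +++',
]
```

Running `triage_strace(SAMPLE_LOG)` yields all three verdicts; on a capture with no status read and a normal exit the verdict list stays empty.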

Embedded DLL

As mentioned in the Static Analysis section, the MIPS variant of P2Pinfect includes an embedded 64-bit Windows DLL. This DLL acts as a malicious loadable module for Redis, implementing the system.exec functionality to allow the running of shell commands on a compromised host.

Figure 6: Disassembly of the Redis module entrypoint, mapping the system.exec command to a handler

This is consistent with the previous examples of P2Pinfect, and demonstrates that the intention is to utilize MIPS devices for the Redis-specific initial access attack patterns mentioned throughout this blog. 

Interestingly, this embedded DLL also includes a Virtual Machine (VM) evasion function, demonstrating the lengths that the P2Pinfect developers have taken to hinder the analysis process. In the DLL's main function, a call can be observed to a function helpfully labelled anti_vm by IDA's Lumina feature.

Figure 7: Decompiler output showing call to anti_vm function

Viewing the function itself, it can be seen that researchers Christopher Gardner and Moritz Raabe have identified it as a known VM evasion method in other malware samples.

Figure 8: IDA’s graph view for the anti_vm function showing Lumina annotations

Conclusion

P2Pinfect’s continued evolution and broadened targeting, together with its use of a variety of evasion techniques, demonstrate an above-average level of sophistication when it comes to malware development. This is a botnet that will continue to grow until it’s properly utilized by its operators.

While much of the functionality of the MIPS variant is consistent with the previous variants of this malware, the developer’s efforts in making both the host and embedded executables as evasive as possible show a continued commitment to complicating the analysis procedure. The use of anti-forensics measures such as the disabling of core dumps on Linux systems also supports this.

Indicators of compromise (IoCs)

Files (SHA256)

MIPS ELF: 8b704d6334e59475a578d627ae4bcb9c1d6987635089790350c92eafc28f5a6c

Embedded DLL Redis Module: d75d2c560126080f138b9c78ac1038ff2e7147d156d1728541501bc801b6662f

References:

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-0543

[2] https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/

[3] https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/

[4] https://openwrt.org/packages/pkgdata/redis-server


September 23, 2025

It’s Time to Rethink Cloud Investigations


Cloud Breaches Are Surging

Cloud adoption has revolutionized how businesses operate, offering speed, scalability, and flexibility. But for security teams, this transformation has introduced a new set of challenges, especially when it comes to incident response (IR) and forensic investigations.

Cloud-related breaches are skyrocketing – 82% of breaches now involve cloud-stored data (IBM Cost of a Data Breach, 2023). Yet incidents often go unnoticed for days: according to a 2025 report by Cybersecurity Insiders, of the 65% of organizations that experienced a cloud-related incident in the past year, only 9% detected it within the first hour, and 62% took more than 24 hours to remediate it (Cybersecurity Insiders, Cloud Security Report 2025).

Despite the shift to cloud, many investigation practices remain rooted in legacy on-prem approaches. According to a recent report, 65% of organizations spend approximately 3-5 days longer when investigating an incident in the cloud vs. on premises.

Cloud investigations must evolve, or risk falling behind attackers who are already exploiting the cloud’s speed and complexity.

4 Reasons Cloud Investigations Are Broken

The cloud’s dynamic nature – with its ephemeral workloads and distributed architecture – has outpaced traditional incident response methods. What worked in static, on-prem environments simply doesn’t translate.

Here’s why:

  1. Ephemeral workloads
    Containers and serverless functions can spin up and vanish in minutes. Attackers know this as well – they’re exploiting short-lived assets for “hit-and-run” attacks, leaving almost no forensic footprint. If you’re relying on scheduled scans or manual evidence collection, you’re already too late.
  2. Fragmented tooling
    Each cloud provider has its own logs, APIs, and investigation workflows. In addition, not all logs are enabled by default, cloud providers typically limit the scope of their logs (both in terms of what data they collect and how long they retain it), and some logs are only available through undocumented APIs. This creates siloed views of attacker activity, making it difficult to piece together a coherent timeline. Now layer in SaaS apps, Kubernetes clusters, and shadow IT — suddenly you’re stitching together 20+ tools just to find out what happened. Analysts call it the ‘swivel-chair Olympics,’ and it’s burning hours they don’t have.
  3. SOC overload
    Analysts spend the bulk of their time manually gathering evidence and correlating logs rather than responding to threats. This slows down investigations and increases burnout. SOC teams are drowning in noise; they receive thousands of alerts a day, the majority of which never get touched. False positives eat hundreds of hours a month, and consequently burnout is rife.  
  4. Cost of delay
    The longer an investigation takes, the higher its cost. Breaches contained in under 200 days save an average of over $1M compared to those that linger (IBM Cost of a Data Breach 2025).

These challenges create a dangerous gap for threat actors to exploit. By the time evidence is collected, attackers may have already accessed or exfiltrated data, or entrenched themselves deeper into your environment.

What’s Needed: A New Approach to Cloud Investigations

It’s time to ditch the manual, reactive grind and embrace investigations that are automated, proactive, and built for the world you actually defend. Here’s what the next generation of cloud forensics must deliver:

  • Automated evidence acquisition
    Capture forensic-level data the moment a threat is detected and before assets disappear.
  • Unified multi-cloud visibility
    Stitch together logs, timelines, and context across AWS, Azure, GCP, and hybrid environments into a single unified view of the investigation.
  • Accelerated investigation workflows
    Reduce time-to-insight from hours or days to minutes with automated analysis of forensic data, enabling faster containment and recovery.
  • Empowered SOC teams
    Fully contextualised data and collaboration workflows between teams in the SOC ensure seamless handover, freeing up analysts from manual collection tasks so they can focus on what matters: analysis and response.

Attackers are already leveraging the cloud’s agility. Defenders must do the same — adopting solutions that match the speed and scale of modern infrastructure.

Cloud Changed Everything. It’s Time to Change Investigations.  

The cloud fundamentally reshaped how businesses operate. It’s time for security teams to rethink how they investigate threats.

Forensics can no longer be slow, manual, and reactive. It must be instant, automated, and cloud-first — designed to meet the demands of ephemeral infrastructure and multi-cloud complexity.

The future of incident response isn’t just faster. It’s smarter, more scalable, and built for the environments we defend today, not those of ten years ago.  

On October 9th, Darktrace is revealing the next big thing in cloud security. Don’t miss it – sign up for the webinar.

About the author
Kellie Regan
Director, Product Marketing - Cloud Security

September 22, 2025

Understanding the Canadian Critical Cyber Systems Protection Act


Introduction: The Canadian Critical Cyber Systems Protection Act

On 18 June 2025, the Canadian federal Government introduced Bill C-8 which, if adopted following completion of the legislative process, will enact the Critical Cyber Systems Protection Act (CCSPA) and give Canada its first federal, cross-sector and legally binding cybersecurity regime for designated critical infrastructure providers. As of August 2025, the Bill has completed first reading and stands at second reading in the Canadian House of Commons.

Political context

The measure revives most of the stalled 2022 Bill C-26 “An Act Respecting Cyber Security” which “died on Paper” when Parliament was prorogued in January 2025, in the wake of former Prime Minister Justin Trudeau’s resignation.

The new government, led by Mark Carney since March 2025, has re-tabled the package with the same two-part structure: (1) amendments to the Telecommunications Act that enable security directions to telecoms; and (2) a new CCSPA setting out mandatory cybersecurity duties for designated operators. This blog focuses on the latter.

If enacted, Canada will join fellow Five Eyes partners such as the United Kingdom and Australia, which already impose statutory cyber-security duties on operators of critical national infrastructure.

The case for new cybersecurity legislation in Canada

The Canadian cyber threat landscape has expanded. The country's national cyber authority, the Canadian Centre for Cybersecurity (Cyber Centre), recently assessed that the number of cyber incidents has “sharply increased” in the last two years, as has the severity of those incidents, with essential services providers among the targets. Likewise, in its 2025-2026 National Cyber Threat Assessment, the Cyber Centre warned that AI technologies are “amplifying cyberspace threats” by lowering barriers to entry, improving the speed and sophistication of social-engineering attacks and enabling more precise operations.

This context mirrors what we are seeing globally: adversaries, including state actors, are taking advantage of the availability and sophistication of AI tools, which they have leveraged to amplify the effectiveness of their operations. In this increasingly complex landscape, regulation must keep pace and evolve in step with the risk.

What the Canadian Critical Cyber Systems Protection Act aims to achieve

  • If enacted, the CCSPA will require operators in federally regulated critical infrastructure sectors that are vital to national security and public safety, as further defined in “Scope” below (the “Regulated Entities”), to adopt and comply with a minimum standard of cybersecurity duties (further described below) which align with those its Five Eyes counterparts already adhere to.

Who does the CCSPA apply to?

The CCSPA would apply to designated operators that deliver services or systems within federal jurisdiction in the following priority areas:

  • telecommunications services
  • interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems
  • banking and clearing  
  • settlement systems

The CCSPA would also grant the Governor in Council (Federal Cabinet) powers to add or remove entities in scope via regulation.

Scope of the CCSPA

The CCSPA introduces two key instruments:

First, it strengthens cyber threat information sharing between responsible ministers, sector regulators, and the Communications Security Establishment (through the Cyber Centre).

Second, it empowers the Governor in Council (GIC) to issue Cyber Security Directions (CSDs) - binding orders requiring a designated operator to implement specified measures to protect a critical cyber system within defined timeframes.

CSDs may be tailored to an individual operator or applied to a class of operators and can address technology, process, or supplier risks. To safeguard security and commercial confidentiality, the CCSPA restricts disclosure of the existence or content of a CSD except as necessary to carry it out.

Locating decision-making with the GIC ensures that CSDs are made with a cross-government view that weighs national security, economic priorities and international agreements.

New obligations for designated providers

The CCSPA would impose key cybersecurity compliance and obligations on designated providers. As it stands, this includes:

  1. Establishing and maintaining cybersecurity programs: these will need to be comprehensive, proportionate and developed proactively. Once implemented, they will need to be continuously reviewed
  2. Mitigating supply chain risks: Regulated Entities will be required to assess their third-party products and services by conducting a supply chain analysis, and take active steps to mitigate any identified risks
  3. Reporting incidents: Regulated Entities will need to be more transparent with their reporting, by making the Communications Security Establishment (CSE) aware of any incident which has, or could potentially have, an impact on a critical system. The reports must be made within specific timelines, but in any event within no more than 72 hours
  4. Compliance with cybersecurity directions: the government will, under the CCSPA, have the authority to issue cybersecurity directives in an effort to remain responsive to emerging threats, which Regulated Entities will be required to follow once issued
  5. Record keeping: this shouldn’t be a surprise to many of those Regulated Entities which fall in scope, which are already likely to be subject to record keeping requirements. Regulated Entities should expect to be maintaining records and conducting audits of their systems and processes against the requirements of the CCSPA

It should be noted, however, that this may be subject to change, so Regulated Entities should keep an eye on the progress of the Bill as it makes its way through parliament.

Enforcement of the Act would be carried out by sector-specific regulators identified in the Act such as the Office of the Superintendent of Financial Institutions, Minister of Transport, Canada Energy Regulator, Canadian Nuclear Safety Commission and the Ministry of Industry.

What are the penalties for CCSPA non-compliance?

When assessing the penalties associated with non-compliance with the requirements of the CCSPA, it is clear that such non-compliance will be taken seriously, and the severity of the penalties follows the trend of those applied by the European Union to key pieces of EU legislation. The “administrative monetary penalties” (AMPs) set by regulation could see fines being applied of up to C$1 million for individuals and up to C$15 million for organizations.

About the author
The Darktrace Community