HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.
While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”