Skip to content
Malware family

Redtail

RedTail is a Linux-focused cryptocurrency-mining malware family that has also been described as a multi-function botnet framework.

Profile source: Mallory opens in a new tab

Redtail

Family profile

RedTail is a Linux-focused cryptocurrency-mining malware family that has also been described as a multi-function botnet framework. Across the reporting provided, it is delivered through multiple initial-access vectors, including SSH brute-force compromises using weak credentials and exploitation of newly disclosed vulnerabilities such as CVE-2024-4577 in PHP-CGI deployments, with additional references to exploitation of PAN-OS CVE-2024-3400 and other edge-device flaws to deploy RedTail. Operators uploaded or downloaded architecture-specific payloads and helper scripts, then renamed and executed the final payload as redtail or a hidden .redtail file.

Observed delivery chains used shell scripts such as setup.sh and clean.sh/clean to determine CPU architecture, locate writable and executable directories to bypass noexec restrictions, fetch the appropriate binary, and remove evidence. Reported supported architectures include x86_64, i686, arm7/armv7, arm8/aarch64. Cleaner functionality removed competing miners such as c3pool_miner, deleted existing crontab entries, and filtered suspicious cron artifacts. Persistence mechanisms directly mentioned include crontab @reboot entries, systemd persistence, SSH authorized_keys modification with chattr protection, and in one report a PAM authentication backdoor that survives password changes.

Capability reporting consistently identifies RedTail as a cryptominer. Public analyses tied it to XMRig-derived mining functionality, with one later report stating the malware supports dual CPU/GPU mining via XMRig and NBminer. Strings referenced CryptoNight-related mining and cryptocurrencies including Monero, Sumokoin, ArQma, Graft, Ravencoin, Wonero, Zephyr, Townforge, and YadaCoin. Additional behavior observed in samples and detonations includes UPX packing in some variants, modification or flushing of iptables rules, creation of listening sockets, and command-and-control communications. One analysis observed inbound TCP port 45971 being allowed and outbound communication to a C2 server on port 43782, plus attempted contact to proxies.internetshadow[.]org on port 2137. Another report described ChaCha20-Poly1305-encrypted C2 over HTTP/2 TLS and dynamic runtime configuration from C2 rather than hardcoded wallet or pool data.

More advanced functionality reported for a 2026-analyzed variant includes an SSH brute-force worm using an embedded credential dictionary and parsing known_hosts for lateral movement, self-deployment over SFTP while masquerading as sshd, and a PAM backdoor accepting a hardcoded password for any user. Reporting also notes hidden .redtail artifacts, architecture-aware droppers using uname/uname -mp, and repeated use against internet-exposed Linux systems and edge devices. Associated infrastructure and indicators directly mentioned in the content include 94.156.177[.]109, 194.59.31[.]109, 87.120.117[.]92, 185.172.128[.]93, proxies.internetshadow[.]org, and SSH-source IPs such as 193.222.96.163, 45.95.147.236, 5.182.211.148, 94.103.125.37, and 87.120.113.231. The reporting characterizes the operator(s) as financially motivated opportunists, with one source assessing likely Eastern Europe or Russia at low confidence.

Observed infrastructure

Last seven days

First activity
Jul 18, 2026
Last activity
Jul 18, 2026
Feed role
Distribution
Host form
1 IP / 0 hostnames

Leading locations

  • NL1

Leading providers

  • SWISSNET LLC1

Infrastructure traits

  • Hosting 1

Samples

Recent associated samples

Reported operators

Threat actors

1 named in public reporting
Lazarus

A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.

Exploited software

Vulnerabilities linked to Redtail

3 CVEs

MITRE ATT&CK

Redtail in ATT&CK

32 distinct techniques

Reporting

Research mentioning Redtail

Mar 12
Breakglass Intel

RedTail Reloaded: Inside a Go-Based Cryptomining Botnet That Mines Your CPU, Backdoors Your PAM, and Worms Through Your SSH - Breakglass Intelligence - Breakglass Intelligence

A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.

Dec 13
The Hacker News

CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks

...threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws...

Jul 8
The Hacker News

RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks

"...terminate any process related to ... other malware (e.g., cryptominers or Redtail variants) so as to maintain operational stealth."

Mar 11
Catonetworks

Cato CTRL: Ballista - New IoT Botnet Targeting Thousands of TP-Link Archer Routers | Cato Networks

For example, we observed RedTail cryptominer droppers using the uname –mp command to find the hardware platform type and processor architecture.

Feb 27
Securite360

How Long Can a Vulnerable Server Stay Clean on the Internet? A Honeypot Tale - Securite360

Finally, the next-stage payload is renamed redtail and executed.

Jan 9
Sans Isc

Examining Redtail Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics [Guest Diary]

In this analysis, I will focus on a specific strain of malware called redtail and the scripts that enable its execution. redtail is a cryptocurrency mining malware (coin miner) that stealthily installs itself on compromised systems, exploiting the host’s resources for unauthorized cryptocurrency mining to benefit the threat actor.

May 23
Sans Isc

Analysis of ?redtail? File Uploads to ICS Honeypot, a Multi-Architecture Coin Miner [Guest Diary]

Today, we'll look at a malware named β€œredtail” and its purpose falls under the category, "Coin miners", software illegally uploaded to hosts for the purpose of covertly mining cryptocurrency for a remote actor by hijacking a host’s resources.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.