Last seven days
- First activity
- Jul 18, 2026
- Last activity
- Jul 18, 2026
- Feed role
- Distribution
- Host form
- 1 IP / 0 hostnames
RedTail is a Linux-focused cryptocurrency-mining malware family that has also been described as a multi-function botnet framework.
Profile source: Mallory opens in a new tabRedtail
RedTail is a Linux-focused cryptocurrency-mining malware family that has also been described as a multi-function botnet framework. Across the reporting provided, it is delivered through multiple initial-access vectors, including SSH brute-force compromises using weak credentials and exploitation of newly disclosed vulnerabilities such as CVE-2024-4577 in PHP-CGI deployments, with additional references to exploitation of PAN-OS CVE-2024-3400 and other edge-device flaws to deploy RedTail. Operators uploaded or downloaded architecture-specific payloads and helper scripts, then renamed and executed the final payload as redtail or a hidden .redtail file.
Observed delivery chains used shell scripts such as setup.sh and clean.sh/clean to determine CPU architecture, locate writable and executable directories to bypass noexec restrictions, fetch the appropriate binary, and remove evidence. Reported supported architectures include x86_64, i686, arm7/armv7, arm8/aarch64. Cleaner functionality removed competing miners such as c3pool_miner, deleted existing crontab entries, and filtered suspicious cron artifacts. Persistence mechanisms directly mentioned include crontab @reboot entries, systemd persistence, SSH authorized_keys modification with chattr protection, and in one report a PAM authentication backdoor that survives password changes.
Capability reporting consistently identifies RedTail as a cryptominer. Public analyses tied it to XMRig-derived mining functionality, with one later report stating the malware supports dual CPU/GPU mining via XMRig and NBminer. Strings referenced CryptoNight-related mining and cryptocurrencies including Monero, Sumokoin, ArQma, Graft, Ravencoin, Wonero, Zephyr, Townforge, and YadaCoin. Additional behavior observed in samples and detonations includes UPX packing in some variants, modification or flushing of iptables rules, creation of listening sockets, and command-and-control communications. One analysis observed inbound TCP port 45971 being allowed and outbound communication to a C2 server on port 43782, plus attempted contact to proxies.internetshadow[.]org on port 2137. Another report described ChaCha20-Poly1305-encrypted C2 over HTTP/2 TLS and dynamic runtime configuration from C2 rather than hardcoded wallet or pool data.
More advanced functionality reported for a 2026-analyzed variant includes an SSH brute-force worm using an embedded credential dictionary and parsing known_hosts for lateral movement, self-deployment over SFTP while masquerading as sshd, and a PAM backdoor accepting a hardcoded password for any user. Reporting also notes hidden .redtail artifacts, architecture-aware droppers using uname/uname -mp, and repeated use against internet-exposed Linux systems and edge devices. Associated infrastructure and indicators directly mentioned in the content include 94.156.177[.]109, 194.59.31[.]109, 87.120.117[.]92, 185.172.128[.]93, proxies.internetshadow[.]org, and SSH-source IPs such as 193.222.96.163, 45.95.147.236, 5.182.211.148, 94.103.125.37, and 87.120.113.231. The reporting characterizes the operator(s) as financially motivated opportunists, with one source assessing likely Eastern Europe or Russia at low confidence.
Samples
049a2ed3406e7c70ce358c108d1f57001d6f2f1f924215f06d9e43b6c213f62b 51228996cf0280efc9b4c45d499e8527029667335b7b26951990feac7f22595a 59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5 7c8e7619c5398d3b857e6f72cf791e2c2e27762ddd8521eb8971c893cdb8b1fc d45935ba4fc0213cff236e68a531c80aef0e40c5149866ec8435130e512b5e65 Reported operators
A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.
Exploited software
MITRE ATT&CK
Reporting
A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.
...threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws...
"...terminate any process related to ... other malware (e.g., cryptominers or Redtail variants) so as to maintain operational stealth."
For example, we observed RedTail cryptominer droppers using the uname βmp command to find the hardware platform type and processor architecture.
Finally, the next-stage payload is renamed redtail and executed.
In this analysis, I will focus on a specific strain of malware called redtail and the scripts that enable its execution. redtail is a cryptocurrency mining malware (coin miner) that stealthily installs itself on compromised systems, exploiting the hostβs resources for unauthorized cryptocurrency mining to benefit the threat actor.
Today, we'll look at a malware named βredtailβ and its purpose falls under the category, "Coin miners", software illegally uploaded to hosts for the purpose of covertly mining cryptocurrency for a remote actor by hijacking a hostβs resources.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.