RedTail is a Linux-focused cryptocurrency-mining malware family that has also been described as a multi-function botnet framework. Across the reporting provided, it is delivered through multiple initial-access vectors, including SSH brute-force compromises using weak credentials and exploitation of newly disclosed vulnerabilities such as CVE-2024-4577 in PHP-CGI deployments, with additional references to exploitation of PAN-OS CVE-2024-3400 and other edge-device flaws to deploy RedTail. Operators uploaded or downloaded architecture-specific payloads and helper scripts, then renamed and executed the final payload as redtail or a hidden .redtail file.
Observed delivery chains used shell scripts such as setup.sh and clean.sh/clean to determine CPU architecture, locate writable and executable directories to bypass noexec restrictions, fetch the appropriate binary, and remove evidence. Reported supported architectures include x86_64, i686, arm7/armv7, arm8/aarch64. Cleaner functionality removed competing miners such as c3pool_miner, deleted existing crontab entries, and filtered suspicious cron artifacts. Persistence mechanisms directly mentioned include crontab @reboot entries, systemd persistence, SSH authorized_keys modification with chattr protection, and in one report a PAM authentication backdoor that survives password changes.
Capability reporting consistently identifies RedTail as a cryptominer. Public analyses tied it to XMRig-derived mining functionality, with one later report stating the malware supports dual CPU/GPU mining via XMRig and NBminer. Strings referenced CryptoNight-related mining and cryptocurrencies including Monero, Sumokoin, ArQma, Graft, Ravencoin, Wonero, Zephyr, Townforge, and YadaCoin. Additional behavior observed in samples and detonations includes UPX packing in some variants, modification or flushing of iptables rules, creation of listening sockets, and command-and-control communications. One analysis observed inbound TCP port 45971 being allowed and outbound communication to a C2 server on port 43782, plus attempted contact to proxies.internetshadow[.]org on port 2137. Another report described ChaCha20-Poly1305-encrypted C2 over HTTP/2 TLS and dynamic runtime configuration from C2 rather than hardcoded wallet or pool data.
More advanced functionality reported for a 2026-analyzed variant includes an SSH brute-force worm using an embedded credential dictionary and parsing known_hosts for lateral movement, self-deployment over SFTP while masquerading as sshd, and a PAM backdoor accepting a hardcoded password for any user. Reporting also notes hidden .redtail artifacts, architecture-aware droppers using uname/uname -mp, and repeated use against internet-exposed Linux systems and edge devices. Associated infrastructure and indicators directly mentioned in the content include 94.156.177[.]109, 194.59.31[.]109, 87.120.117[.]92, 185.172.128[.]93, proxies.internetshadow[.]org, and SSH-source IPs such as 193.222.96.163, 45.95.147.236, 5.182.211.148, 94.103.125.37, and 87.120.113.231. The reporting characterizes the operator(s) as financially motivated opportunists, with one source assessing likely Eastern Europe or Russia at low confidence.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In this case, the attacker was automatically trying to exploit CVE-2024-4577, which affects certain versions of PHP 8 when using Apache and PHP-CGI on Windows. | Finally, the next-stage payload is renamed redtail and executed.
As recently as April 2024, a new variant of redtail was documented, exploiting a critical vulnerability in Palo Alto Networks' PAN-OS (CVE-2024-3400). This vulnerability allows a threat actor to create an arbitrary file that could eventually enable command execution with root privileges on the NGFW, bypassing security measures in place. | In this analysis, I will focus on a specific strain of malware called redtail and the scripts that enable its execution. redtail is a cryptocurrency mining malware (coin miner) that stealthily installs itself on compromised systems, exploiting the host’s resources for unauthorized cryptocurrency mining to benefit the threat actor.
Those reports described a capable but relatively straightforward cryptominer that exploited Log4j, PAN-OS, and ThinkPHP vulnerabilities to deploy XMRig. | A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures.
32 distinct techniques documented for this family, organized by ATT&CK tactic.
This script appears to remove any attempt a previous threat actor has made to install cryptomining software, specifically disabling c3pool_miner, a Monero cryptomining tool, as well as any malicious cronjobs and scheduled tasks.
This script appears to remove any attempt a previous threat actor has made to install cryptomining software, specifically disabling c3pool_miner, a Monero cryptomining tool, as well as any malicious cronjobs and scheduled tasks.
Dynamic analysis revealed that the malware removes existing cron jobs and creates a new one to ensure that x86_64 is automatically executed every time the system reboots
On October 15, 2024, at 00:47:54 UTC, a threat actor using IP address 5.182.211.148 connected to the honeypot with the credentials "root/nimda."
The threat actor then adds a SSH public key to the authorized_keys file by using the echo ssh-rsa ... rsa-key-20230629 command. This allowed the threat actor to gain persistent access without needing a password, establishing a backdoor.
Layer 1 -- systemd (boot persistence): A systemd service unit with WantedBy=multi-user.target ensures the malware starts on every boot.
RedTail's binary includes CGo bindings to the complete PAM API ... It is a full PAM module that can intercept and override the authentication process itself. Once installed, the malware can accept a hardcoded password for any user account on the system.
This script appears to remove any attempt a previous threat actor has made to install cryptomining software, specifically disabling c3pool_miner, a Monero cryptomining tool, as well as any malicious cronjobs and scheduled tasks.
Dynamic analysis revealed that the malware removes existing cron jobs and creates a new one to ensure that x86_64 is automatically executed every time the system reboots
As recently as April 2024, a new variant of redtail was documented, exploiting a critical vulnerability in Palo Alto Networks' PAN-OS (CVE-2024-3400). This vulnerability allows a threat actor to create an arbitrary file that could eventually enable command execution with root privileges on the NGFW.
On October 15, 2024, at 00:47:54 UTC, a threat actor using IP address 5.182.211.148 connected to the honeypot with the credentials "root/nimda."
According to static analysis, this binary is packed using UPX.
the script copies the contents of the relevant redtail executable to the “ .redtail ” file on the host, and executes this new file, after which the original uploaded & unhidden redtail files are then deleted.
After successful authentication, the binary deploys itself to the new target via SFTP, masquerading as sshd -- the legitimate SSH daemon process name.
After the script runs, the threat actor forcefully removes any evidence of the clean.sh script; this is accomplished using the rm -rf command... the threat actor follows the same steps to make setup.sh executable, runs the script, and then forcibly removes any evidence that the script was present on the system.
The cleaner script is primarily used to remove c3pool_miner, another cryptominer that may have previously infected the machine and could be running as a service.
On October 15, 2024, at 00:47:54 UTC, a threat actor using IP address 5.182.211.148 connected to the honeypot with the credentials "root/nimda."
The threat actor then uses the chattr (change attribute) command with -ia to remove the immutable and append only attributes for the authorized_keys file... Then the chattr +ia command is run to reestablish the immutable and append only attributes to the authorized_keys file. This makes the file more difficult to delete, aiding in maintaining persistence.
RedTail's binary includes CGo bindings to the complete PAM API ... It is a full PAM module that can intercept and override the authentication process itself. Once installed, the malware can accept a hardcoded password for any user account on the system.
the actor successfully logs in using the [ root/Passw0rd123 ] credentials... The IP tried to login via SSH using brute force
The SSH worm component ... Brute-force with embedded dictionary ... The embedded credential dictionary is predictable but effective
RedTail's binary includes CGo bindings to the complete PAM API ... It is a full PAM module that can intercept and override the authentication process itself. Once installed, the malware can accept a hardcoded password for any user account on the system.
The uname -a command is run, displaying system information such as kernel version, hostname, and operating system.
Thanks to dynamic analysis, it is easy to identify the malware’s C2 server. The malware connects to this C2 server on port 43782.
The C2 channel itself uses HTTP/2 over TLS, making traffic analysis difficult
42 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RedTail is a multi-functional Linux botnet and cryptomining malware framework. In this variant it performs dual CPU/GPU mining, deploys XMRig and NBminer, installs a PAM authentication backdoor, propagates via SSH brute-force and SFTP, establishes persistence through systemd and SSH authorized_keys, and uses ChaCha20-Poly1305 encrypted C2 with dynamically delivered mining configuration.
Redtail is a malware family used for botnet activities and cryptocurrency mining, targeting industrial routers via known vulnerabilities.
Referenced as another malware family/variant that RondoDox attempts to detect and terminate on infected hosts to reduce competition and improve stealth.
RedTail is referenced as a cryptominer whose droppers check system architecture before downloading the appropriate payload.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.