RedTail Reloaded: Inside a Go-Based Cryptomining Botnet That Mines Your CPU, Backdoors Your PAM, and Worms Through Your SSH
TL;DR: A truncated RedTail cryptominer sample pulled from MalwareBazaar led us to a full 17.6MB Go binary that revealed capabilities well beyond what prior Akamai and SANS reporting documented. This is not just an XMRig dropper. It is a multi-functional botnet framework with dual CPU/GPU mining (XMRig + NBminer), a PAM authentication backdoor that survives password changes, an SSH brute-force worm with an embedded credential dictionary, systemd persistence, and ChaCha20-encrypted C2 communications -- all compiled into a single Go binary targeting four architectures. Six dropper script variants point to four C2 download servers, three of which share a common Neterra (Bulgaria) backbone. The campaign has been active since at least March 2023, with 274 unique VirusTotal submissions confirming widespread deployment. No wallet addresses were recovered -- the operator runs private mining pools and pushes all configuration dynamically from C2 at runtime, making static IOC detection nearly useless.
The Sample That Was Missing 28 Megabytes
This investigation started with a familiar scenario: a fresh upload to MalwareBazaar tagged as RedTail. SHA256 6168f5d0...edcda246, classified by ReversingLabs as "Multiverze," uploaded from France on March 10, 2026.
The first thing that went wrong was trying to analyze it.
The file is 2,097,152 bytes -- exactly 2MB. But when you parse the ELF headers, the LOAD segments reference 30.3MB of data. The section headers point to offset 0x1CE6018 (30,302,232 bytes), which is roughly 28MB beyond the end of the file. Someone -- whether the collector, a honeypot, or the dropper itself -- truncated this binary during capture. The sample would not execute. Static analysis would have to do.
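Before spending analyst time on a capture like this one, it pays to check whether the ELF headers agree with the file size. The block below is an added example written for this edit, not code from the report's authors: a little-endian ELF64 parser that computes the file size the headers imply and reports the shortfall. The two images it checks are constructed in memory with the same shape as the truncated sample described above (a 2MB file whose section header table sits at offset 0x1CE6018); nothing is read from disk, and only ELF64 little-endian is handled because that covers the x86_64 and aarch64 builds discussed here.

```python
"""Added example: detect an ELF64 capture whose headers reference bytes past EOF."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1


def elf64_required_size(data: bytes) -> int:
    """Return the smallest file size that would satisfy every offset the
    headers reference: program header table, section header table, and the
    file-backed extent of every PT_LOAD segment that is present in the capture."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", data, 54)

    needed = 64  # the ELF header itself
    needed = max(needed, e_phoff + e_phnum * e_phentsize)
    if e_shnum:
        needed = max(needed, e_shoff + e_shnum * e_shentsize)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            break  # program header table itself runs past the capture; counted above
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_LOAD:
            needed = max(needed, p_offset + p_filesz)
    return needed


def truncation_report(data: bytes) -> dict:
    """Summarise actual vs. required size; 'missing' is the byte shortfall."""
    needed = elf64_required_size(data)
    return {
        "actual": len(data),
        "required": needed,
        "truncated": len(data) < needed,
        "missing": max(0, needed - len(data)),
    }


def _build_sample(shoff: int, shnum: int, load_filesz: int, total: int) -> bytes:
    """Construct a minimal little-endian ELF64 image (x86_64, one PT_LOAD) for the demo."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # class64, LSB, version 1, SysV ABI
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x401000,  # e_type EXEC, e_machine x86_64, e_version, e_entry
        64, shoff, 0,          # e_phoff, e_shoff, e_flags
        64, 56, 1, 64, shnum, 0,  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, load_filesz, load_filesz, 0x1000)
    img = ehdr + phdr
    return img + bytes(total - len(img))


# Constructed inputs: the first mimics the 2MB capture with headers pointing ~28MB past EOF.
TRUNCATED_SAMPLE = _build_sample(shoff=0x1CE6018, shnum=40, load_filesz=30_000_000, total=2_097_152)
INTACT_SAMPLE = _build_sample(shoff=1024, shnum=4, load_filesz=512, total=2048)

if __name__ == "__main__":
    for name, img in (("truncated", TRUNCATED_SAMPLE), ("intact", INTACT_SAMPLE)):
        print(name, truncation_report(img))
```

Run this over a directory of fresh MalwareBazaar pulls before loading anything into a disassembler; a capture that fails the check will still yield strings and Go metadata, but any sandbox run of it is wasted.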
But this is where the investigation got interesting, because MalwareBazaar had something else: a companion sample. SHA256 db7fc2fe...6e843b, 17.6MB, uploaded the same day. This one had enough Go runtime metadata intact to tell us exactly what this malware does -- and it does considerably more than anyone had previously documented.
What Was Found vs. What Was Known
Prior public reporting on RedTail comes primarily from Akamai's 2024 research and two SANS Internet Storm Center diaries. Those reports described a capable but relatively straightforward cryptominer that exploited Log4j, PAN-OS, and ThinkPHP vulnerabilities to deploy XMRig. Our analysis of the Multiverze variant reveals a substantially more advanced framework.
| Aspect | Prior Reporting (Akamai/SANS 2024) | Our Findings |
|---|---|---|
| Mining | XMRig only (CPU) | XMRig + NBminer (dual CPU/GPU mining) |
| Propagation | Exploit-based (Log4j, PAN-OS, ThinkPHP) | Exploits + SSH brute-force worm with credential dictionary |
| Backdoor | SSH key persistence | SSH keys + full PAM authentication backdoor |
| Persistence | Cron jobs | Cron + systemd service units |
| C2 Infrastructure | Not fully mapped | 4 servers across 3 hosting providers, 3 on Neterra backbone |
| Config Encryption | Not documented | ChaCha20/Salsa20 with Poly1305 AEAD |
| Language | C/C++ (XMRig-based) | Go (CGo) with C interop for PAM and system libraries |
| Wallet | Private mining pools (no public wallet) | Confirmed: dynamic config delivery, zero hardcoded IOCs |
| Scope | Honeypot observations | 274 VT submissions since March 2023 |
Every column in that table where our findings diverge from prior reporting represents a capability upgrade that defenders need to account for. The addition of NBminer means GPU-equipped servers are now targets. The PAM backdoor means password rotations will not remediate a compromise. The SSH worm means lateral movement happens without any exploit -- just a dictionary of bad passwords.
The Attack Chain: From Bash Script to Full Compromise
The full infection sequence runs through six stages. Each one is designed to maximize the chances of successful deployment on whatever Linux system the dropper lands on.
[Initial Access] Exploit (Log4j, PAN-OS, ThinkPHP) or SSH credentials from the brute-force worm
        |
        v
[Execution] Bash dropper fires; dlr() downloads the architecture-specific payload
        |
        v
[Pre-Deployment] "clean" script kills competing miners (turf protection)
        |
        v
[Architecture Detection] uname -mp selects x86_64 / i686 / aarch64 / arm7;
                         the dropper finds a writable, exec-capable directory (noexec bypass)
        |
        v
[Installation]                              [Lateral Movement]
Rename to .redtail                 -------> SSH worm component brute-forces with
Install systemd service                     the embedded dictionary and deploys
Deploy PAM backdoor                         itself via SFTP as "sshd"
Write SSH authorized_keys
        |
        v
[Mining Operations] C2 pushes config at runtime over a ChaCha20-Poly1305 encrypted channel:
  - XMRig (CPU, Monero/RandomX)
  - NBminer (GPU, multi-algo)
  - pool address, wallet, algorithm
Two things stand out about this chain. First, the "clean" script -- a pre-deployment step that kills competing miners before RedTail installs itself. This is turf warfare. The operator knows their targets are likely already compromised by other cryptojacking campaigns, and they want the compute resources for themselves.
Second, the entire mining configuration is dynamic. There are no hardcoded pool addresses. No wallet strings baked into the binary. Everything comes from the C2 at runtime. This is consistent with Akamai's 2024 observation that RedTail operators run private mining pool proxies, but seeing the actual config schema confirms just how thoroughly they have decoupled the malware binary from any trackable financial indicators.
Inside the Binary: Go, CGo, and a Lot More Than Mining
The Multiverze variant is a Go binary compiled with CGo -- Go's mechanism for calling C code. This is unusual for a cryptominer and immediately tells you the developer needed capabilities that Go's standard library does not provide. In this case, that capability is PAM.
The PAM Backdoor
Linux PAM (Pluggable Authentication Modules) is the framework that handles user authentication on every major Linux distribution. When you type your password at a login prompt, su to root, or SSH into a server, PAM is what verifies your credentials.
RedTail's binary includes CGo bindings to the PAM application API:
pam_authenticate() // Authenticate the user against the configured stack
pam_open_session() // Open a session
pam_close_session() // Close a session
pam_acct_mgmt() // Account validity and expiry checks
pam_setcred() // Establish or delete user credentials
pam_chauthtok() // Change the authentication token (password)
pam_get_item() // Read a PAM handle item (user, tty, conversation function)
pam_set_item() // Write a PAM handle item
Two details matter here. First, these symbols are the libpam application interface: the calls a program such as sshd, su, or a custom login client makes to authenticate a user. A backdoor PAM module, by contrast, exports the service functions (pam_sm_authenticate() and friends) and is loaded by libpam from a line in /etc/pam.d/. The bindings on their own show that the binary drives PAM directly; what makes this a backdoor is the module the campaign installs alongside them. Second, once that module is in place, the malware accepts a hardcoded password for any user account on the system. Change your passwords all you want; the password the backdoor checks never lives in /etc/shadow, so rotating what does live there changes nothing.
For incident responders, this is the most dangerous finding in the entire investigation. A system compromised by this variant cannot be remediated by password rotation alone. You have to audit every PAM module on the system and every configuration file in /etc/pam.d/. Note that the module directory varies by distribution: /lib/security/ and /lib64/security/ on RHEL-family systems, /lib/x86_64-linux-gnu/security/ (or the matching multiarch path) on Debian and Ubuntu. Compare every .so in those directories against the package manager's manifest (dpkg -V libpam-modules, rpm -V pam) and treat any module not owned by a package, or any pam.d line that references a module by absolute path, as hostile until proven otherwise.
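The audit above is easy to do by hand on one host and easy to get wrong across a fleet. The following is an added example for this edit, not the report's or the malware's code: a parser for /etc/pam.d-style configuration that flags modules outside an allowlist, modules loaded by absolute path from outside the distribution's module directories, and unknown "sufficient" auth entries that sit in front of pam_unix.so (the placement a backdoor needs in order to short-circuit the real password check). The configs, the allowlist and the pam_cache.so module name are constructed for the demonstration; a real allowlist should be derived from the package manager, not typed in.

```python
"""Added example: static audit of /etc/pam.d stacks for backdoor-style entries."""
import re

# One rule per line: [-]type control module [args]. The control field may be a
# bracketed action list such as [success=1 default=ignore], which contains spaces.
RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

# Where distributions ship PAM modules; anything loaded from elsewhere is suspect.
MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)


def parse_pam_config(text):
    """Yield (type, control, module, args) for each rule; comments and @include lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if m:
            yield m["type"], m["control"], m["module"], m["args"].split()


def audit_pam(configs, known_modules):
    """Return (service, finding, module) tuples for every rule worth a second look."""
    findings = []
    for service, text in configs.items():
        seen_unix_auth = False
        for mtype, control, module, _args in parse_pam_config(text):
            if control in ("include", "substack"):
                continue  # the 'module' field names another config file here
            name = module.rsplit("/", 1)[-1]
            if name not in known_modules:
                findings.append((service, "unknown-module", module))
            if "/" in module and not any(module.startswith(d + "/") for d in MODULE_DIRS):
                findings.append((service, "module-outside-standard-dirs", module))
            if mtype == "auth":
                if name == "pam_unix.so":
                    seen_unix_auth = True
                elif control == "sufficient" and not seen_unix_auth and name not in known_modules:
                    findings.append((service, "sufficient-before-pam_unix", module))
    return findings


# Constructed sample configs. pam_cache.so is a hypothetical name standing in
# for an unauthorised module; it is not an indicator from the report.
SAMPLE_CONFIGS = {
    "sshd": """\
# constructed sample modelled on a Debian-style sshd stack
auth      required     pam_env.so
auth      sufficient   /usr/lib/pam_cache.so try_first_pass
auth      [success=1 default=ignore] pam_unix.so nullok
auth      requisite    pam_deny.so
@include common-account
session   required     pam_limits.so
password  required     pam_unix.so obscure sha512
""",
    "login": """\
auth      required     pam_unix.so
account   required     pam_unix.so
session   include      common-session
""",
}
# Constructed allowlist; in production build it from dpkg -L libpam-modules / rpm -ql pam.
KNOWN_MODULES = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
                 "pam_limits.so", "pam_nologin.so", "pam_systemd.so"}

if __name__ == "__main__":
    for finding in audit_pam(SAMPLE_CONFIGS, KNOWN_MODULES):
        print(*finding)
```

Pair the config audit with a file-level check: hash every .so in the module directories and diff against the package manager (dpkg -V, rpm -V). A module that passes the allowlist by name but fails the hash check is the case a name-based audit alone would miss.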
The SSH Worm
The binary embeds a full SSH client library (golang.org/x/crypto/ssh) and uses it for automated lateral movement. The Go type metadata reveals the internal data structures:
type credential struct {
privatekey string
username string
ip string
password string
}
// attackqueue - queue of targets for brute-force
The worm discovers targets by parsing known_hosts files on compromised systems, a technique that maps the trust relationships between SSH servers in an organization. Every host a compromised server has previously connected to becomes a new brute-force target. One configuration line blunts this: HashKnownHosts yes (set by default in Debian and Ubuntu's ssh_config) stores hostnames as salted HMACs, so the file still verifies host keys but no longer reads as a target list.
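To see what the worm can and cannot harvest, the following added example (written for this edit, not taken from the malware or the report) parses a known_hosts file the way a target-harvesting routine would have to: it expands comma-separated aliases, honours the [host]:port form, ignores @cert-authority and @revoked markers and wildcard patterns, and counts the hashed entries that yield nothing. The sample file is constructed; the host names and key material in it are placeholders.

```python
"""Added example: what a known_hosts harvester recovers, and what HashKnownHosts hides."""
import re

BRACKET_HOST_RE = re.compile(r"^\[([^\]]+)\]:(\d+)$")


def parse_known_hosts(text):
    """Return (sorted list of (host, port) targets, number of hashed entries skipped)."""
    targets, hashed = set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:                # need hostnames, key type, key
            continue
        hostfield = fields[0]
        if hostfield.startswith("|1|"):    # HashKnownHosts: salt + HMAC-SHA1, hostname unrecoverable
            hashed += 1
            continue
        for entry in hostfield.split(","):
            m = BRACKET_HOST_RE.match(entry)
            host, port = (m.group(1), int(m.group(2))) if m else (entry, 22)
            if host.startswith("!") or "*" in host or "?" in host:
                continue                   # negations and patterns are not connectable targets
            targets.add((host, port))
    return sorted(targets), hashed


# Constructed sample: two plain entries, one CA marker, one hashed entry.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not a real known_hosts file
build01.corp.example,10.0.4.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly
[bastion.corp.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKeyData
@cert-authority *.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCAKeyData
|1|Q3JlYXRlZFNhbHQxMjM0NTY3ODk=|Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHashed
"""

if __name__ == "__main__":
    found, hidden = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("harvestable targets:", found)
    print("entries hidden by HashKnownHosts:", hidden)
```

Running this across the known_hosts files of a fleet (as root, for every home directory) gives you the same lateral-movement map the worm would build, which is a useful input to deciding which hosts to check first after one confirmed infection.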
The embedded credential dictionary is predictable but effective:
root, admin, password, 123456, 1234, master,
raspberry, qwerty, portfolio, administrator
"raspberry" tells you they are hunting Raspberry Pi devices and IoT endpoints. "portfolio" is an unusual inclusion that may target developer environments or web hosting accounts.
After successful authentication, the binary deploys itself to the new target via SFTP, masquerading as sshd -- the legitimate SSH daemon process name. On a server running dozens of SSH connections, one more sshd process does not raise alarms.
Dual Mining: CPU and GPU
Prior reporting described RedTail as an XMRig-based miner. The Multiverze variant still includes XMRig for CPU mining, but adds NBminer for GPU mining. The C2 configuration schema extracted from Go struct tags tells the full story:
{
"xmrig_enabled": true,
"xmrig_algo": "randomx",
"xmrig_poolAddr": "<delivered from C2>",
"xmrig_poolUser": "<delivered from C2>",
"xmrig_poolPass": "<delivered from C2>",
"xmrig_nicehash": false,
"nbminer_enabled": true,
"nbminer_algo": "<delivered from C2>",
"nbminer_poolAddr": "<delivered from C2>",
"nbminer_poolUser": "<delivered from C2>",
"nbminer_poolPass": "<delivered from C2>",
"downloadURL": "<payload update URL>",
"ver": "<version>",
"checksum": "<integrity hash>"
}
This dual-miner approach is strategic. Most cryptojacking campaigns target CPU because it is universally available. But GPU mining is far more profitable per watt on systems that have discrete GPUs -- which increasingly includes cloud instances, rendering farms, machine learning infrastructure, and high-end servers. By supporting both, RedTail extracts maximum value from whatever hardware it compromises.
The configuration also includes a complete process telemetry schema -- CPU usage, memory (RSS/VMS/swap/stack), page faults, thread states, I/O wait. The operator is monitoring the health and performance of their mining fleet in real time. This is not a fire-and-forget operation. It is a managed botnet.
Encryption and C2 Protocol
C2 communications are encrypted with ChaCha20-Poly1305, an authenticated encryption scheme. The telltale expa constant (the first 4 bytes of the 16-byte constant "expand 32-byte k", which ChaCha20 and Salsa20 share) was found in the binary, together with references to the golang.org/x/crypto/chacha20poly1305 AEAD package. The package reference is what pins the cipher: the constant alone does not distinguish ChaCha20 from Salsa20, and it appears in any Go binary that links either, so on its own it is a weak indicator. The C2 channel runs over HTTP/2 with TLS. Organizations with TLS inspection will see the HTTP/2 framing, but the payload inside is separately encrypted with ChaCha20-Poly1305, so inspection alone does not reveal the configuration.
The Dropper: Six Variants, One Template
Six dropper script variants were recovered from MalwareBazaar, each following the same bash template but evolving over time. The evolution tells a story about operational maturity.
How the Dropper Works
Every variant implements the same core logic:
- Define a dlr() function with three download methods: wget, curl, and a /dev/tcp fallback for minimal systems that have neither
- Search for a writable directory that is not mounted with noexec, a direct bypass of a common Linux hardening measure
- Download and execute a clean script that kills competing miners
- Detect CPU architecture via uname -mp
- Download the architecture-specific binary (x86_64, i686, aarch64, or arm7)
- Rename the binary to .redtail (the leading dot hides it from a plain ls)
- Execute
The noexec bypass deserves attention. Hardened Linux systems mount /tmp, /var/tmp, and other world-writable directories with the noexec flag to prevent arbitrary code execution. The dropper actively searches for directories that are both writable and executable by creating test files (.testfile, .testfile2), setting the execute bit, and attempting to run them. Later variants parse /proc/mounts directly to identify candidate directories. This is not a script kiddie technique -- it shows awareness of enterprise security hardening.
Dropper Evolution Timeline
| Period | C2 IP | Key Changes |
|---|---|---|
| Jun 2024 | 185[.]172[.]128[.]93 | First variants. Basic noexec check. Plain architecture filenames. |
| Jun 2024 | 194[.]59[.]31[.]109 | "Sybir" variant introduces image file disguise -- binaries named aZr.png, bJL.png, OrI.png, POz.png to evade URL-based detection. |
| Late 2024 | 87[.]120[.]117[.]92 | Migration to Lycatel infrastructure. Basic variant. |
| Dec 2024+ | 94[.]156[.]177[.]109 | Enhanced noexec bypass using /proc/mounts. Added clean pre-deployment script. Added rm -rf $1 cleanup in dlr(). |
The "sybir" variant name is a linguistic breadcrumb. "Sybir" is the Polish/Ukrainian word for Siberia, which is consistent with a developer from an Eastern European cultural context. Treat it as a weak signal rather than a fix: a single string in a dropper is cheap to plant and cheap to copy.
Infrastructure: The Neterra Connection
Four C2 download servers were extracted from the dropper scripts. At first glance they look like unrelated hosting providers across multiple countries. Look closer and a pattern emerges.
Backbone: Neterra Ltd (Sofia, Bulgaria), RIPE maintainer MNT-NETERRA
   |
   +-- Transit: AS41745 (Fortis/HIP)  --> C2: 94[.]156[.]177[.]109 (RU/NL)
   +-- Transit: AS399486 (Virtuo)     --> C2: 194[.]59[.]31[.]109 (FR/CA)
   +-- Transit: Lycatel               --> C2: 87[.]120[.]117[.]92 (GB/BG)

Separate path: NesterTelecom LLC (AS52008) --> C2: 185[.]172[.]128[.]93 (RU)
Three of the four C2 IPs share a single RIPE maintainer object: MNT-NETERRA. Neterra is a Bulgarian Tier 2 backbone provider that sells transit to hosting resellers across Eastern Europe. The operator appears to use a single provisioning relationship -- possibly one reseller account -- to acquire infrastructure across nominally different hosting brands in different countries. On paper it looks distributed. On the wire, it all goes through Sofia.
The Bulletproof Tell
The 94[.]156[.]177[.]0/24 subnet (Fortis Host, registered to Baykov Ilya Sergeevich in Moscow) contains multiple IPs with spoofed reverse DNS records pointing to github.com, microsoft.com, and lk.x5.ru. When a hosting provider's IP space features fake PTR records for Microsoft and GitHub, you are looking at bulletproof hosting infrastructure. These are networks where the provider either ignores abuse complaints or actively facilitates them.
C2 Status (as of March 11, 2026)
| IP | ASN | Provider | Country | Status |
|---|---|---|---|---|
| 94[.]156[.]177[.]109 | AS41745 | Fortis Host | RU/NL | LIVE (SSH only, HTTP offline) |
| 194[.]59[.]31[.]109 | AS399486 | Virtuo Networks | FR/CA | LIVE (445/3389/5357, a Windows host) |
| 87[.]120[.]117[.]92 | -- | Lycatel | UK/BG | OFFLINE |
| 185[.]172[.]128[.]93 | AS52008 | NesterTelecom | RU | OFFLINE |
Two of four servers are still reachable. The primary C2 at 94[.]156[.]177[.]109 has its HTTP service offline but still responds on SSH -- possibly reconfigured or preparing for the next wave. The 194[.]59[.]31[.]109 host appears to be a Windows server (SMB, RDP, and WSD ports open), which is unusual for a Linux malware C2 but could serve as a staging or management node.
Persistence: The Triple Threat
RedTail does not rely on a single persistence mechanism. It deploys three, each operating at a different layer of the system.
Layer 1 -- systemd (boot persistence): A systemd service unit with WantedBy=multi-user.target ensures the malware starts on every boot. This is the most visible mechanism and the one most likely to be caught by configuration management tools.
Layer 2 -- PAM module (authentication persistence): The PAM backdoor embeds itself into the authentication stack. Even if you find and remove the systemd service, the attacker retains the ability to log in as any user with the backdoor password. This survives password changes, SSH key rotations, and most standard incident response procedures.
Layer 3 -- SSH authorized_keys (remote access persistence): The attacker's SSH public key is written to authorized_keys files, providing key-based access that does not depend on either the systemd service or the PAM module being intact.
Removing any one mechanism leaves the other two operational. A complete remediation requires addressing all three simultaneously, which means most automated cleanup scripts will fail.
Who Is Behind This?
Attribution Assessment
| Factor | Assessment | Confidence |
|---|---|---|
| Region | Eastern Europe / Russia | HIGH |
| Motivation | Financial (cryptojacking) | HIGH |
| Sophistication | Medium-High | HIGH |
| Group | Unattributed; possible Lazarus overlap per Akamai | LOW |
The evidence points to an Eastern European operator with moderate-to-high technical sophistication:
- Hosting choices concentrate on Russian providers (Fortis Host in Moscow, NesterTelecom) and Bulgarian backbone (Neterra)
- "Sybir" dropper name -- the Polish/Ukrainian word for Siberia -- places the developer in an Eastern European linguistic context
- The choice of Go is consistent with the broader shift of Eastern European cybercrime tooling from C/C++ toward Go for cross-platform malware, but Go is now common in tooling from every region, so this carries little weight on its own
- Private mining pools indicate operational maturity -- the operator is sophisticated enough to run their own pool infrastructure rather than mining to public pools where wallet addresses could be tracked
Akamai's 2024 research noted similarities to Lazarus Group (DPRK) TTPs in the private mining pool operation. We found no direct evidence supporting or refuting this in our samples, and maintain this at LOW confidence. The operational pattern is more consistent with organized cybercrime than state-sponsored activity.
Campaign Timeline
| Date | Event |
|---|---|
| Mar 2023 | First VirusTotal submission of primary sample |
| Jan 2024 | RedTail first publicly documented by CSA (Log4j exploitation) |
| Apr 2024 | PAN-OS CVE-2024-3400 exploit integration (Akamai) |
| May 2024 | First Kaspersky detection of Multiverze variant |
| Jun 2024 | Dropper scripts deployed from 185[.]172[.]128[.]93 and 194[.]59[.]31[.]109 |
| Jun 2024 | "Sybir" variant introduces image file disguise (aZr.png) |
| Late 2024 | Infrastructure migration to Lycatel (87[.]120[.]117[.]92) |
| Dec 2024 | Primary C2 shifts to Fortis Host (94[.]156[.]177[.]109); clean script added |
| Feb 2025 | redtail.x86 sample collected |
| Aug 2025 | Last Kaspersky detection |
| Nov 2025 | Batch upload of 12 Multiverze-tagged variants |
| Dec 2025 | sshd masquerading sample captured (US origin) |
| Jan 2026 | UPX-packed variant captured |
| Mar 2026 | Current samples uploaded by "enthec" (France) |
This is a three-year campaign with periodic infrastructure rotations and incremental capability upgrades. The operator invests in maintaining and evolving the tooling rather than spinning up throwaway campaigns.
Detection
What to Hunt For
The most effective detections target behavioral indicators rather than static IOCs, because RedTail's dynamic configuration model means file hashes and network addresses rotate regularly.
On the filesystem:
- Hidden files named .redtail in writable directories
- Test artifacts .testfile and .testfile2 in /tmp, /var/tmp, /dev/shm
- Unknown systemd service units with WantedBy=multi-user.target
- Unauthorized PAM modules in /lib/security/ or /lib64/security/ (on Debian-family systems, the multiarch equivalent such as /lib/x86_64-linux-gnu/security/)
- Unexpected entries in ~/.ssh/authorized_keys across all user accounts
- The clean script (transient: kills competing miners during deployment)
On the network:
- HTTP downloads of architecture-named files (/x86_64, /i686, /aarch64, /arm7) from external IPs
- HTTP downloads of PNG-named files (/aZr.png, /bJL.png, /OrI.png, /POz.png) that are actually ELF binaries
- Outbound SSH connections at high frequency from non-administrative hosts (worm behavior)
- SFTP transfers deploying binaries named sshd to unusual directories
- ChaCha20-Poly1305 encrypted channels to non-standard endpoints
On the host:
- Processes named sshd running from unexpected paths (not /usr/sbin/sshd)
- Anomalous CPU or GPU utilization patterns, particularly on servers not expected to perform compute-intensive work
- The Go Build ID TegskTGfBzL5ZXVeATJZ/Kg4gGwZNHviZINPIVp6K/-aw3x4amOW3feyTomlq7/WXkOJPhAhVPtgkpGtlhH in ELF binaries (a Build ID identifies one compile, so this catches this build and no other)
YARA Rules
Five YARA rules are provided targeting different components of the malware. The most reliable is RedTail_Multiverze_Config_Schema, which matches on the mining configuration struct tags that are unique to this family:
rule RedTail_Multiverze_Config_Schema
{
meta:
description = "Detects RedTail/Multiverze mining config schema in Go binary"
author = "GHOST - Breakglass Intelligence"
date = "2026-03-10"
severity = "HIGH"
strings:
$xmrig_pool = "xmrig_poolAddr" ascii
$xmrig_user = "xmrig_poolUser" ascii
$xmrig_pass = "xmrig_poolPass" ascii
$xmrig_algo = "xmrig_algo" ascii
$xmrig_en = "xmrig_enabled" ascii
$nbminer_pool = "nbminer_poolAddr" ascii
$nbminer_user = "nbminer_poolUser" ascii
$nbminer_en = "nbminer_enabled" ascii
$nbminer_algo = "nbminer_algo" ascii
$download_url = "downloadURL" ascii
$attack_queue = "attackqueue" ascii
condition:
uint32(0) == 0x464C457F and
(
(3 of ($xmrig_*) and 2 of ($nbminer_*)) or
(4 of ($xmrig_*) and $download_url)
)
}
A second rule targets the SSH worm component by matching on Go struct metadata:
rule RedTail_SSH_Worm_Component
{
meta:
description = "Detects RedTail SSH worm component via Go struct metadata"
author = "GHOST - Breakglass Intelligence"
date = "2026-03-10"
severity = "HIGH"
strings:
$cred_struct = "privatekey string; username string; ip string; password string" ascii
$attack_q = "attackqueue" ascii
$main_cred = "main.credential" ascii
$systemd = "WantedBy=multi-user.target" ascii
$pam_handle = "pam._Ctype_struct_pam_handle" ascii
condition:
uint32(0) == 0x464C457F and
(
($cred_struct and $attack_q) or
($main_cred and $systemd) or
($pam_handle and any of ($attack_q, $main_cred))
)
}
Suricata Rules
Twelve Suricata/Snort rules are available, keyed on C2 IP addresses, payload download URIs, and SSH brute-force behavioral patterns. The highest-value rule for organizations that cannot deploy all twelve:
alert http $HOME_NET any -> [94.156.177.109,87.120.117.92,185.172.128.93,194.59.31.109] any (
msg:"BREAKGLASS RedTail C2 Download Server Contact";
flow:to_server,established;
classtype:trojan-activity;
sid:2026031001; rev:1;
metadata:author GHOST,severity HIGH,family RedTail;
)
MITRE ATT&CK Mapping
| Tactic | Technique | ID | How RedTail Uses It |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Log4j, PAN-OS CVE-2024-3400, ThinkPHP |
| Initial Access | Valid Accounts | T1078 | SSH brute-force with credential dictionary |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Dropper scripts with wget/curl/dev-tcp |
| Persistence | Create or Modify System Process: Systemd | T1543.002 | WantedBy=multi-user.target service unit |
| Persistence | Account Manipulation: SSH Authorized Keys | T1098.004 | Key-based persistent access |
| Persistence | Modify Authentication Process: PAM | T1556.003 | Full PAM module backdoor |
| Defense Evasion | Masquerading | T1036.005 | Process named sshd |
| Defense Evasion | Hidden Files and Directories | T1564.001 | .redtail filename |
| Defense Evasion | Software Packing | T1027.002 | UPX packing in later variants |
| Defense Evasion | File Deletion | T1070.004 | clean script removes competitor malware |
| Credential Access | Brute Force: Password Guessing | T1110.001 | SSH dictionary attack against root/admin-style accounts |
| Discovery | System Information Discovery | T1082 | uname -mp for architecture detection |
| Discovery | File and Directory Discovery | T1083 | find + /proc/mounts for writable exec dirs |
| Lateral Movement | Remote Services: SSH | T1021.004 | SSH worm propagation |
| Lateral Movement | Lateral Tool Transfer | T1570 | SFTP binary deployment |
| Collection | Data from Local System | T1005 | SSH key harvesting (known_hosts, id_rsa) |
| Command and Control | Encrypted Channel | T1573 | ChaCha20-Poly1305 C2 communications |
| Command and Control | Application Layer Protocol: HTTP | T1071.001 | HTTP/2 with TLS |
| Impact | Resource Hijacking | T1496 | XMRig (CPU) + NBminer (GPU) mining |
Indicators of Compromise
C2 / Download Servers
| IP | ASN | Provider | Country | Status |
|---|---|---|---|---|
| 94[.]156[.]177[.]109 | AS41745 | Fortis Host | RU/NL | ACTIVE |
| 194[.]59[.]31[.]109 | AS399486 | Virtuo Networks | FR/CA | ACTIVE |
| 87[.]120[.]117[.]92 | -- | Lycatel | UK/BG | Offline |
| 185[.]172[.]128[.]93 | AS52008 | NesterTelecom | RU | Offline |
Download URLs
hxxp://94[.]156[.]177[.]109/x86_64
hxxp://94[.]156[.]177[.]109/i686
hxxp://94[.]156[.]177[.]109/aarch64
hxxp://94[.]156[.]177[.]109/arm7
hxxp://94[.]156[.]177[.]109/clean
hxxp://194[.]59[.]31[.]109/aZr.png (x86_64 disguised as image)
hxxp://194[.]59[.]31[.]109/bJL.png (i686 disguised as image)
hxxp://194[.]59[.]31[.]109/OrI.png (aarch64 disguised as image)
hxxp://194[.]59[.]31[.]109/POz.png (arm7 disguised as image)
File Indicators -- ELF Binaries
| SHA256 | Size | Description |
|---|---|---|
| 6168f5d053f4c3d413327947c37b927a759b316d68ac341908695879edcda246 | 2.0 MB | Truncated primary sample |
| db7fc2fef4f644d06e378b426e9a5a5c5ac7c29fb0d09ba56903fed1dbe6843b | 17.6 MB | Full binary with Go type metadata |
| a2344aa530706d76200c8c4fff2ba9b37791bee1d587ffe13732d21cd42524ea | 17.3 MB | sshd masquerading variant |
| 9875fb1a96f06fb4ffde6c24cbaaa15eacd9df8652756e25e6e13f125f2019ec | 4.7 MB | redtail.x86 |
| 1dab38eaba06e088ad1eb6d5e7b541c84d1ef8b198d961eb61eb19cd62dcd068 | 1.8 MB | UPX-packed variant |
File Indicators -- Dropper Scripts
| SHA256 | C2 IP | First Seen |
|---|---|---|
| de96a56c5508bb69c20f171a141263ebed92823eb3249dccb9db1ff350b37b31 | 94[.]156[.]177[.]109 | 2024-12-05 |
| b7004d1b9da9d453742088a02b0aba30aad672b475f37ea20cda502c7e5bdebd | 94[.]156[.]177[.]109 | -- |
| d5b55117f713a1a265dcab0dc68ceb4a607069f3831bd2594aa1330d5d0eac81 | 87[.]120[.]117[.]92 | -- |
| 2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb | 185[.]172[.]128[.]93 | 2024-06-15 |
| b33b415cbee7d64d4cbedda4c61d97437393b6095d53f597b5ee247b16591b6f | 194[.]59[.]31[.]109 | 2024-06-08 |
| ed8fe6eb98c8a487c631dee11ddbe11c322e446666280f7b97844d259fdb10f5 | 185[.]172[.]128[.]93 | 2024-06-08 |
Additional File Hashes (Primary Sample)
SHA256: 6168f5d053f4c3d413327947c37b927a759b316d68ac341908695879edcda246
SHA1: 9a0c3a89bedb0d4c6c5db54350f19cc8dce00782
MD5: 2bea413875c5516ab9969d7ea3e370fd
TLSH: T12EA5F757E49590E4C0EEE174C726A213BEA13499473837E36FA187F11B26FE4A6BC314
Behavioral Indicators
# Filesystem artifacts
.redtail Hidden binary in writable directory
.testfile / .testfile2 Noexec bypass test artifacts
clean Competitor-killing script (transient)
# Process indicators
sshd (from non-standard path) Process masquerading
WantedBy=multi-user.target systemd persistence
PAM module in /lib/security/ Authentication backdoor
# Network indicators
HTTP GET /x86_64, /i686, etc. Architecture payload download
SSH brute-force (rapid auth failures) Worm propagation
SFTP binary transfer as "sshd" Lateral tool transfer
ChaCha20-Poly1305 encrypted channel C2 communications
# Go Build ID
TegskTGfBzL5ZXVeATJZ/Kg4gGwZNHviZINPIVp6K/-aw3x4amOW3feyTomlq7/WXkOJPhAhVPtgkpGtlhH
What Defenders Should Do Right Now
Immediate (24-48 hours):
- Block all four C2 IPs at perimeter firewalls and IDS/IPS
- Search for .redtail files across all Linux systems (find / -name ".redtail" 2>/dev/null)
- Audit systemd services for unknown units (systemctl list-unit-files --state=enabled)
- Review PAM configuration for unauthorized modules in /etc/pam.d/ and /lib/security/ (or the distribution's equivalent module directory)
- Check SSH authorized_keys files for unauthorized entries across all accounts
- Deploy the YARA and Suricata rules from this report
Short-term (1-2 weeks):
- Parse auth.log / secure logs for brute-force patterns against SSH
- Check for anomalous CPU/GPU utilization across the server fleet
- Implement SSH key rotation and disable password authentication where feasible
- Consider blocking AS41745 (Fortis Host, the primary C2's network) at the perimeter if it is not business-critical; blocking Neterra transit wholesale is a far broader cut and will affect legitimate hosting that merely shares the backbone
- Review /proc/mounts for volumes that should be noexec but are not
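The dropper's noexec hunt (described under How the Dropper Works) and the /proc/mounts review above are the same check from opposite sides. The block below is an added example written for this edit, not the dropper's code and not from the report: it parses /proc/mounts the way the later dropper variants do, decodes the octal escapes the kernel uses for spaces in mount points, and lists every read-write mount that lacks noexec, tagging the world-writable directories the dropper tries first. The mount table is constructed to resemble a typical cloud VM with /tmp hardened and /var/tmp and /dev/shm left open.

```python
"""Added example: find rw mounts without noexec, i.e. where a dropper can land."""
import re

# World-writable locations the dropper probes first; flagged separately below.
DROPPER_FAVOURED = ("/tmp", "/var/tmp", "/dev/shm")


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \040, \011, \012, \134.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, option set) per line of /proc/mounts."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[0], _unescape(parts[1]), parts[2], set(parts[3].split(","))


def exec_writable_mounts(text):
    """Return (mountpoint, fstype, dropper_favoured) for mounts that are rw and not noexec."""
    result = []
    for _dev, mnt, fstype, opts in parse_proc_mounts(text):
        if "rw" in opts and "noexec" not in opts:
            result.append((mnt, fstype, mnt in DROPPER_FAVOURED))
    return result


# Constructed /proc/mounts: /tmp and /run are hardened, /var/tmp and /dev/shm are not,
# and one mount point contains an escaped space.
SAMPLE_PROC_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4008480k,nr_inodes=1002120,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=804992k,mode=755 0 0
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/vdb1 /var/tmp ext4 rw,relatime 0 0
/dev/vdc1 /mnt/backup\\040disk ext4 ro,relatime 0 0
"""

if __name__ == "__main__":
    # On a live host: exec_writable_mounts(open("/proc/mounts").read())
    for mnt, fstype, favoured in exec_writable_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{mnt:<14} {fstype:<9} {'DROPPER TARGET' if favoured else ''}")
```

Mount flags are a proxy: the dropper's own test is to write a file, set the execute bit and run it, so a directory that is writable on an exec mount counts even when it is not in the favoured list. The root filesystem will always show up here; what you act on are the tmpfs and scratch mounts that should have had noexec and do not.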
Medium-term (1-3 months):
- Implement PAM module integrity monitoring (hash all .so files in /lib/security/ and the distribution's equivalent module directory, and alert on changes)
- Deploy certificate-based SSH authentication to replace password-based auth
- Apply noexec to all non-essential mount points
- Conduct full incident response on any system where IOCs are found; the PAM backdoor means re-imaging is the safest remediation
Analytical Limitations
Five factors constrain our analysis:
- The primary sample is truncated at 2MB of a likely 30MB binary -- 28MB of potential hardcoded configurations, embedded payloads, and overlay data remain unanalyzed
- The full binary contains rich Go type metadata but actual runtime config values are encrypted or packed
- No sandbox behavioral data is available because the truncated sample will not execute
- All C2 HTTP servers are offline -- we could not capture a live config push to extract pool addresses or wallet IDs
- No wallet address was recovered anywhere in the analysis, consistent with the private mining pool model but preventing financial tracking of the operation
References
- Akamai Security Research (2024): RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit
- SANS ISC (2024): Analysis of redtail File Uploads to ICS Honeypot
- SANS ISC (2024): Examining Redtail: Analyzing a Sophisticated Cryptomining Malware
- Malpedia: RedTail
- MalwareBazaar: Sample 6168f5d0...
- VirusTotal: File Analysis
Published by Breakglass Intelligence. Investigation conducted 2026-03-11. 1 binary. 4 C2 servers. 3 persistence mechanisms. A three-year campaign that mines your CPU, backdoors your PAM, and worms through your SSH. Classification: TLP:CLEAR