RedTail Cryptominer User-Agent
Detects inbound web requests using the "libredtail-http" User-Agent. libredtail-http is a unique User-Agent string associated with a campaign of automated, malicious scans and attacks targeting exposed container environments and web applications,notably identified in activities stemming from late 2024 through early 2026. It is primarily used by the RedTail cryptominer malware to identify and exploit vulnerabilities for deploying cryptocurrency miners.
Sigma rule (View on GitHub)
1title: RedTail Cryptominer User-Agent
2id: 6fd25dd1-527b-47c8-baa4-2a0e77279c6f
3status: experimental
4description: |
5 Detects inbound web requests using the "libredtail-http" User-Agent.
6 libredtail-http is a unique User-Agent string associated with a campaign of automated, malicious scans and attacks targeting exposed container environments and web applications,notably identified in activities stemming from late 2024 through early 2026.
7 It is primarily used by the RedTail cryptominer malware to identify and exploit vulnerabilities for deploying cryptocurrency miners.
8references:
9 - https://isc.sans.edu/diary/Danger+of+Libredtail+Guest+Diary/32936/
10 - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
11 - https://www.cloudsek.com/blog/honey-for-hackers-a-study-of-attacks-targeting-the-recent-cve-2026-21962-and-other-critical-weblogic-vulnerabilities-on-a-high-interactive-oracle-honeypot
12author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
13date: 2026-04-30
14tags:
15 - attack.initial-access
16 - attack.t1190
17 - detection.emerging-threats
18logsource:
19 category: webserver
20detection:
21 selection:
22 cs-user-agent: 'libredtail-http'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
Related rules
- Suspicious Child Process of SolarWinds WebHelpDesk
- Linux Suspicious Child Process from Node.js - React2Shell
- Windows Suspicious Child Process from Node.js - React2Shell
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt