RedTail Cryptominer User-Agent

Detects inbound web requests using the "libredtail-http" User-Agent. libredtail-http is a unique User-Agent string associated with a campaign of automated, malicious scans and attacks targeting exposed container environments and web applications,notably identified in activities stemming from late 2024 through early 2026. It is primarily used by the RedTail cryptominer malware to identify and exploit vulnerabilities for deploying cryptocurrency miners.

Sigma rule (View on GitHub)

 1title: RedTail Cryptominer User-Agent
 2id: 6fd25dd1-527b-47c8-baa4-2a0e77279c6f
 3status: experimental
 4description: |
 5    Detects inbound web requests using the "libredtail-http" User-Agent.
 6    libredtail-http is a unique User-Agent string associated with a campaign of automated, malicious scans and attacks targeting exposed container environments and web applications,notably identified in activities stemming from late 2024 through early 2026.
 7    It is primarily used by the RedTail cryptominer malware to identify and exploit vulnerabilities for deploying cryptocurrency miners.    
 8references:
 9    - https://isc.sans.edu/diary/Danger+of+Libredtail+Guest+Diary/32936/
10    - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
11    - https://www.cloudsek.com/blog/honey-for-hackers-a-study-of-attacks-targeting-the-recent-cve-2026-21962-and-other-critical-weblogic-vulnerabilities-on-a-high-interactive-oracle-honeypot
12author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
13date: 2026-04-30
14tags:
15    - attack.initial-access
16    - attack.t1190
17    - detection.emerging-threats
18logsource:
19    category: webserver
20detection:
21    selection:
22        cs-user-agent: 'libredtail-http'
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

Related rules

to-top