According to SANS Internet Storm Center, a guest diary by James Roberts recounts observations of Libredtail in HTTP-based attacks alongside more traditional SSH logins and SYN scanning, with the most aggressive actor running through multiple commands via cve_2024_4577.selfrep to install the Redtail cryptomining malware.
The diary notes that 113 different IP addresses performed libredtail-http activity, originating from Germany, Great Britain, and India, with two addresses (82.165.66[.]87 and 103.40.61[.]98) using the same admin/admin credentials and likely representing bots or the same attacker under different IPs.
It documents a sequence of four HTTP POST actions beginning with directory traversal attempts and the use of base64-encoded payloads, followed by probes of PHP installation paths and the exploitation of CVE-2024-4577 tied to Redtail malware. The piece also highlights that Redtail can install versions for x86_64, i686, aarch64 and arm7, and that these campaigns began to surface in mid-2024 alongside libredtail-http. Published 29 April 2026 and last updated 30 April 2026 00:07:03 UTC.
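The behaviours summarised above (directory traversal in POST requests, base64-encoded payloads, probes for PHP installation paths, a CVE-2024-4577 request shape, and the same credential pair reused from more than one source address) can be triaged from request records. The script below is an added example written for this summary; it is not code from the diary or from SANS ISC. The event records, the RFC 5737 documentation IPs and the `admin:admin` pairing are constructed here, and the CVE-2024-4577 pattern (a soft hyphen, `%AD`, in the query string to a PHP CGI endpoint) follows the public advisory description rather than anything the diary reproduces.

```python
"""Triage constructed HTTP request records for the activity the ISC diary
summary describes, from a defender's point of view: tag each source IP with
the behaviours seen and report credentials shared across several IPs."""
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample records (not from the diary). Fields:
# (src_ip, method, path, body, credentials-or-None). IPs are RFC 5737
# documentation addresses.
EVENTS = [
    ("192.0.2.10", "POST", "/cgi-bin/../../../../etc/passwd", "", "admin:admin"),
    ("192.0.2.10", "POST", "/upload.php", "ZWNobyBoZWxsbw==", "admin:admin"),
    ("198.51.100.7", "GET", "/php/php-cgi.exe", "", None),
    ("198.51.100.7", "POST", "/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1",
     "<?php echo 'probe'; ?>", "admin:admin"),
    ("203.0.113.5", "GET", "/index.html", "", None),
]

# Plain and URL-encoded "../" (or "..\") sequences.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)", re.I)
# Common locations attackers enumerate when looking for a PHP install.
PHP_PATH_PROBE = re.compile(r"(php-cgi|/php/|phpinfo\.php|xampp)", re.I)
# CVE-2024-4577 shape per the public advisory: php-cgi endpoint whose
# query string carries a soft hyphen (0xAD) used to smuggle a CLI option.
CVE_2024_4577 = re.compile(r"php-cgi[^?]*\?.*(%AD|\xad)", re.I)


def looks_base64(text, min_len=16):
    """True if `text` is a well-formed base64 string of at least min_len chars."""
    if len(text) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=]+", text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(event):
    """Return the behaviour tags that apply to a single request record."""
    _ip, _method, path, body, _creds = event
    tags = []
    if TRAVERSAL.search(path):
        tags.append("directory_traversal")
    if looks_base64(body):
        tags.append("base64_payload")
    if PHP_PATH_PROBE.search(path):
        tags.append("php_path_probe")
    if CVE_2024_4577.search(path):
        tags.append("cve_2024_4577_pattern")
    return tags


def triage(events):
    """Aggregate tags per source IP and find credentials reused across IPs.

    Returns (per_ip_tags, shared_credentials) where per_ip_tags maps an IP to
    its sorted, de-duplicated tag list and shared_credentials maps a
    credential pair to the sorted list of IPs that presented it (only pairs
    seen from more than one IP are reported)."""
    per_ip = defaultdict(set)
    cred_ips = defaultdict(set)
    for ev in events:
        src_ip, creds = ev[0], ev[4]
        per_ip[src_ip].update(classify(ev))
        if creds:
            cred_ips[creds].add(src_ip)
    per_ip_tags = {ip: sorted(t) for ip, t in per_ip.items() if t}
    shared = {c: sorted(ips) for c, ips in cred_ips.items() if len(ips) > 1}
    return per_ip_tags, shared


if __name__ == "__main__":
    tagged, shared = triage(EVENTS)
    for ip, tags in tagged.items():
        print(f"{ip}: {', '.join(tags)}")
    for creds, ips in shared.items():
        print(f"credential pair {creds!r} reused from {len(ips)} IPs: {ips}")
```

The credential-reuse report reflects the diary's observation that two addresses presented the same admin/admin pair; in a real deployment the records would come from web-server and honeypot logs rather than the constructed list, and the tag output would feed a blocklist or a SIEM rule instead of `print`.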