🚨 FIRST PUBLIC EVIDENCE: RedTail Cryptominer Targets Docker APIs
So my honeypot just caught something interesting: RedTail malware hitting exposed Docker APIs on port 2375/tcp.

For context, RedTail is typically known for exploiting PHP vulnerabilities, PAN-OS, and Ivanti, but not a single vendor mentions Docker in their threat reports.

I did a pretty extensive research dive across:

- Threat intel reports (Akamai, Forescout, Trend Micro, Kaspersky)
- SANS ISC, VirusTotal, Malpedia
- GitHub repos and academic papers
- Various community discussions

What I confirmed:

- C2 IP: 178[.]16[.]55[.]224 (AS214943)
- User-Agent: "libredtail-http" (consistent with RedTail)
- Absolutely zero public documentation of RedTail targeting Docker

Two theories:

1. This is a blind spot in threat intelligence reporting
2. We're seeing a new tactical evolution of RedTail (as of Nov 2025)

Has anyone else seen similar activity?

submitted by /u/mario_candela
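As an added example that is not part of the post above: a small Python scanner that matches the indicators the poster lists (the defanged C2 IP, the libredtail-http User-Agent, and traffic to 2375/tcp) against honeypot HTTP logs, and additionally flags Docker Engine API calls that would be needed to start a workload on an exposed daemon. The JSON-lines log format, its field names and the three sample events are assumptions constructed for this example; the endpoint list is generic Docker Engine API knowledge, not something the post attributes to RedTail.

```python
"""Scan honeypot HTTP events for the indicators named in the post.

Added example, not the poster's honeypot code.  The JSON-lines log format,
the field names and the sample events are constructed for illustration.
"""
import json
import re

# Indicators from the post, kept in the defanged form they were published in.
DEFANGED_C2 = "178[.]16[.]55[.]224"
REDTAIL_UA = "libredtail-http"
DOCKER_API_PORT = 2375

# Docker Engine API calls an attacker needs to run a workload on an exposed
# daemon (generic Docker API knowledge, not something the post attributes
# to RedTail).  The /v1.xx/ version prefix is optional in the API.
DOCKER_API_WRITE = re.compile(
    r"^(?:/v\d+\.\d+)?/(?:containers/create"
    r"|containers/[^/]+/(?:start|exec)"
    r"|images/create"
    r"|exec/[^/]+/start)$"
)


def refang(ioc: str) -> str:
    """Convert '178[.]16[.]55[.]224' / 'hxxp://' back to a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(event: dict) -> list[str]:
    """Return the indicator names one honeypot event matches (empty = clean)."""
    hits = []
    c2 = refang(DEFANGED_C2)
    # The C2 may show up as the scanning source or inside a fetched payload
    # URL, so compare against every string field, not just src_ip.
    if c2 in json.dumps(event):
        hits.append("c2_ip")
    if event.get("headers", {}).get("User-Agent", "").lower() == REDTAIL_UA:
        hits.append("redtail_user_agent")
    if event.get("dst_port") == DOCKER_API_PORT:
        hits.append("docker_api_port")
        path = event.get("path", "").split("?", 1)[0]
        if event.get("method") == "POST" and DOCKER_API_WRITE.match(path):
            hits.append("docker_api_write")
    return hits


def scan(jsonl: str) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines honeypot output; return (timestamp, hits) per match."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the scan
        hits = classify(event)
        if hits:
            findings.append((event.get("ts", "?"), hits))
    return findings


# Constructed sample log: a benign web probe, a RedTail-style hit on the
# Docker port, and a container-create attempt from an unrelated source.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2025-11-05T10:00:00Z", "src_ip": "203.0.113.7",
                "dst_port": 80, "method": "GET", "path": "/",
                "headers": {"User-Agent": "Mozilla/5.0"}}),
    json.dumps({"ts": "2025-11-05T10:01:12Z", "src_ip": "178.16.55.224",
                "dst_port": 2375, "method": "GET", "path": "/version",
                "headers": {"User-Agent": "libredtail-http"}}),
    json.dumps({"ts": "2025-11-05T10:01:13Z", "src_ip": "198.51.100.9",
                "dst_port": 2375, "method": "POST",
                "path": "/v1.43/containers/create?name=x",
                "headers": {"User-Agent": "Go-http-client/1.1"}}),
])

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG):
        print(ts, ",".join(hits))
```

The User-Agent and C2 checks are exact-match indicators and will go stale; the `docker_api_port` and `docker_api_write` checks are behavioural and keep catching any actor that drives an unauthenticated daemon on 2375/tcp, which is the actual exposure the post is about.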