🚨 FIRST PUBLIC EVIDENCE: RedTail Cryptominer Targets Docker APIs
RedTail cryptominer malware has been observed targeting exposed Docker APIs on port 2375/tcp, marking a new evolution in its attack surface. RedTail was previously known for exploiting PHP vulnerabilities and PAN-OS and Ivanti products; this is the first public evidence of it leveraging unsecured Docker endpoints. The malware communicates with a command and control server at IP 178.16.55.224 using the distinctive User-Agent string "libredtail-http". There is no prior public documentation of RedTail targeting Docker, suggesting either a blind spot in threat intelligence or a recent tactical shift as of November 2025. Exploiting exposed Docker APIs allows attackers to deploy cryptominers directly on container hosts, potentially leading to resource exhaustion and operational disruption. European organizations running Docker with unsecured APIs are at risk, especially those in sectors with high container adoption. Mitigation requires immediate restriction of Docker API exposure, network segmentation, and enhanced monitoring for unusual Docker activity.
AI Analysis
Technical Summary
RedTail is a known malware family primarily associated with exploiting PHP vulnerabilities and specific enterprise products such as PAN-OS and Ivanti. However, recent honeypot data from November 2025 shows RedTail targeting exposed Docker APIs on port 2375/tcp, the port conventionally used for unencrypted, unauthenticated Docker daemon communication. The attacker connects to Docker hosts with open APIs to deploy cryptomining payloads, using the container environment to mine cryptocurrency illicitly. The malware uses a unique User-Agent string "libredtail-http" and communicates with a command and control server at IP 178.16.55.224 (AS214943). This activity was not previously documented in major threat intelligence sources, indicating either a gap in reporting or a new operational tactic by RedTail. Exploiting exposed Docker APIs is particularly effective because an unsecured Docker API grants full control over the container lifecycle, and through it over host resources, without any authentication. The cryptominer payload can degrade system performance, increase operational costs, and potentially serve as a foothold for further compromise. The lack of vendor advisories on this vector suggests defenders may be unaware of this emerging threat. The discovery underscores the need to secure Docker endpoints and to monitor for anomalous container-related activity. It also highlights a shift in attacker focus towards container environments, reflecting the growing adoption of containerization in enterprise IT.
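Hunting for the indicators named above in HTTP telemetry, as an added example that is not part of the original analysis: the records are constructed JSON lines with assumed field names (src, dst, dport, ua), and the 10.0.0.0/8 admin range is an assumption. It flags the "libredtail-http" User-Agent, any connection involving 178.16.55.224, and any Docker API traffic on 2375/tcp from outside the admin range, so unknown tooling against an exposed daemon is caught even without a known indicator.

```python
import ipaddress
import json

# Indicators from the analysis above.
C2_IP = ipaddress.ip_address("178.16.55.224")
MALICIOUS_UA = "libredtail-http"
DOCKER_API_PORT = 2375

# Constructed sample records in a generic JSON-lines HTTP log layout; the field
# names (src, dst, dport, ua, ...) are assumptions, not a real tool's schema.
SAMPLE_LOG = """\
{"ts":"2025-11-13T22:10:01Z","src":"203.0.113.7","dst":"10.0.0.5","dport":2375,"method":"GET","uri":"/v1.43/containers/json","ua":"libredtail-http"}
{"ts":"2025-11-13T22:10:02Z","src":"10.0.0.8","dst":"10.0.0.5","dport":2375,"method":"GET","uri":"/_ping","ua":"Docker-Client/27.3.1 (linux)"}
{"ts":"2025-11-13T22:11:40Z","src":"10.0.0.5","dst":"178.16.55.224","dport":80,"method":"GET","uri":"/","ua":"curl/8.5.0"}
{"ts":"2025-11-13T22:12:00Z","src":"198.51.100.9","dst":"10.0.0.5","dport":2375,"method":"POST","uri":"/containers/create","ua":"python-requests/2.31"}
"""

def classify(record, admin_nets):
    """Return the reasons one HTTP record is suspicious (empty list if clean)."""
    reasons = []
    if record.get("ua", "").lower().startswith(MALICIOUS_UA):
        reasons.append("redtail-user-agent")
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    if C2_IP in (src, dst):
        reasons.append("redtail-c2-ip")
    # Docker API traffic on the plaintext port from outside the admin ranges is
    # worth a look even when no known indicator is present.
    if record.get("dport") == DOCKER_API_PORT and not any(src in n for n in admin_nets):
        reasons.append("docker-api-from-untrusted-source")
    return reasons

def hunt(log_text, admin_cidrs=("10.0.0.0/8",)):
    """Scan JSON-lines HTTP records; return (ts, src, dst, reasons) for each hit."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = classify(rec, admin_nets)
        if reasons:
            hits.append((rec["ts"], rec["src"], rec["dst"], reasons))
    return hits

if __name__ == "__main__":
    for ts, src, dst, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {', '.join(reasons)}")
```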
Potential Impact
For European organizations, the impact of RedTail targeting exposed Docker APIs can be significant. Organizations relying on containerized applications and Docker infrastructure may experience unauthorized cryptomining activity, leading to increased CPU and GPU usage, degraded application performance, and higher energy costs. This can disrupt business operations, especially in sectors with critical uptime requirements such as finance, healthcare, and manufacturing. Additionally, compromised Docker hosts can serve as pivot points for lateral movement within networks, increasing the risk of data breaches or ransomware deployment. The stealthy nature of cryptominers means infections may go unnoticed for extended periods, amplifying damage. Organizations with cloud-native deployments or hybrid environments that expose Docker APIs without proper authentication are particularly vulnerable. The threat also raises concerns about compliance with European data protection regulations if the compromise leads to data leakage or service interruptions. Overall, the operational, financial, and reputational risks are considerable, especially for entities with high container usage and insufficient Docker security controls.
Mitigation Recommendations
1. Immediately audit all Docker hosts to identify any exposed Docker APIs, especially on port 2375/tcp, and restrict access using firewalls or network segmentation.
2. Enable Docker daemon authentication and TLS encryption to prevent unauthorized API access.
3. Implement strict access controls and role-based permissions for Docker management interfaces.
4. Deploy runtime security tools that monitor container behavior and detect anomalous activities such as unexpected cryptomining processes or unusual network connections.
5. Regularly update and patch Docker and container orchestration platforms to mitigate known vulnerabilities.
6. Conduct threat hunting exercises focused on detecting the "libredtail-http" User-Agent and communication with the identified C2 IP (178.16.55.224).
7. Educate DevOps and security teams about the risks of exposing Docker APIs and enforce secure DevOps practices.
8. Use network intrusion detection systems (NIDS) to monitor for suspicious traffic patterns targeting Docker endpoints.
9. Integrate container security solutions that provide image scanning, vulnerability management, and runtime protection.
10. Establish incident response plans specifically addressing container compromise scenarios.
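An added example for steps 1 and 2, not from the original post: auditing a parsed /etc/docker/daemon.json for a TCP listener that is bound to all interfaces, runs on the plaintext port, or lacks client-certificate verification, with the weak configuration beside a TLS-only one (encrypted but still open to any client) and a hardened one. The certificate paths and the 10.0.0.5 bind address are assumed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed daemon.json contents. Certificate paths are assumed placeholders
# following the layout in Docker's TLS documentation, not values from the post.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
TLS_WITHOUT_CLIENT_AUTH = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,  # encrypts the channel but still admits any client
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,  # require a client certificate signed by tlscacert
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
}

def audit_daemon_config(cfg):
    """Return findings for a parsed daemon.json; empty means no exposed-listener issue."""
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        parsed = urlparse(host)
        if parsed.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if not tls_verify:
            findings.append(f"{host}: no client-certificate authentication (tlsverify missing or false)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if parsed.port == 2375:
            findings.append(f"{host}: uses 2375/tcp, the conventional plaintext Docker API port")
    return findings

def audit_daemon_file(path="/etc/docker/daemon.json"):
    """Audit the on-disk file; with no file, dockerd uses only the unix socket unless -H flags say otherwise."""
    try:
        with open(path) as fh:
            return audit_daemon_config(json.load(fh))
    except FileNotFoundError:
        return []

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("tls-only", TLS_WITHOUT_CLIENT_AUTH),
                      ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(cfg) or ['ok']}")
```

On systemd hosts, dockerd refuses to start when `hosts` is set in daemon.json while the unit's ExecStart also passes `-H`, so one of the two must be adjusted when applying the hardened configuration.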
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland
Technical Details
- Source Type: Subreddit
- Subreddit: netsec
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: beelzebub.ai
- Has External Source: true
- Trusted Domain: false
Threat ID: 6916e17aa17a058cf5884ef5
Added to database: 11/14/2025, 7:59:54 AM
Last enriched: 11/14/2025, 8:00:09 AM
Last updated: 11/14/2025, 10:27:24 AM
Views: 9