SigmaHQ · marcopedrinazzi · Apr 30, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/rules-emerging-threats/2026/Malware/RedTail-Cryptominer/web_redtail_useragent.yml b/rules-emerging-threats/2026/Malware/RedTail-Cryptominer/web_redtail_useragent.yml
@@ -0,0 +1,26 @@
+title: RedTail Cryptominer User-Agent
+id: 6fd25dd1-527b-47c8-baa4-2a0e77279c6f
+status: experimental
+description: |
+    Detects inbound web requests using the "libredtail-http" User-Agent.
+    libredtail-http is a unique User-Agent string associated with a campaign of automated, malicious scans and attacks targeting exposed container environments and web applications,notably identified in activities stemming from late 2024 through early 2026.
+    It is primarily used by the RedTail cryptominer malware to identify and exploit vulnerabilities for deploying cryptocurrency miners.
+references:
+    - https://isc.sans.edu/diary/Danger+of+Libredtail+Guest+Diary/32936/
+    - https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
+    - https://www.cloudsek.com/blog/honey-for-hackers-a-study-of-attacks-targeting-the-recent-cve-2026-21962-and-other-critical-weblogic-vulnerabilities-on-a-high-interactive-oracle-honeypot
+author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
+date: 2026-04-30
+tags:
+    - attack.initial-access
+    - attack.t1190
+    - detection.emerging-threats
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-user-agent: 'libredtail-http'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium