"libredtail-http" is not a legitimate software library, but rather a malicious User-Agent string associated with the RedTail cryptominer malware. Based on threat intelligence reports from November 2025, this identifier is used in coordinated, automated attacks targeting exposed Docker APIs (port 2375/tcp) and various web applications to deploy cryptocurrency miners.
Key Details About libredtail-http
Purpose: It acts as a signature for a botnet or automated scanner searching for vulnerable infrastructure.
Attack Vector: The attackers use this User-Agent to scan for open Docker APIs and, upon finding them, deploy redtail.sh, a script that downloads and installs cryptomining payloads (often targeting Monero).
Targets: The malware primarily targets unsecured Docker daemons, but has historically targeted PHP vulnerabilities and enterprise products (e.g., PAN-OS, Ivanti).
Behavior: The malware establishes persistence (for example via cron jobs) and often includes a "clean" function that removes competing miners so that it can monopolize the host's CPU.
Mitigation and Security Advice
Security researchers recommend treating any traffic showing the libredtail-http User-Agent as malicious.
Block the User-Agent: Add a rule to your Web Application Firewall (WAF) or web server config (e.g., Nginx, Apache) to return a 403 Forbidden for this specific User-Agent.
Secure Docker APIs: Never expose the Docker daemon API (port 2375) directly to the internet without proper authentication (TLS) and firewall restrictions.
Monitor Logs: Audit logs for unexpected curl or wget commands, particularly those downloading files from suspicious IP addresses like 178.16.55.224.
If you are seeing this User-Agent in your logs, it indicates an active, automated attempt to compromise your systems.
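As an added example (not part of the original advisory), a small Python detector that parses nginx/Apache combined-format access logs and flags both the libredtail-http User-Agent described above and requests for Docker Engine API paths that an ordinary web host should never receive. The sample log lines and the 203.0.113.0/24 addresses are constructed for illustration.

```python
import re
from collections import Counter

# Parser for the nginx/Apache "combined" access-log format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicator from the advisory: the RedTail scanner's User-Agent string.
MALICIOUS_UA = "libredtail-http"
# Docker Engine API endpoints (optionally version-prefixed, e.g. /v1.41/containers/create).
# A request for these on a host that is not meant to serve the Docker API is a probe.
DOCKER_API = re.compile(r"^/(v\d+\.\d+/)?(containers|images|_ping|version)(/|$|\?)")

def classify(line):
    """Return (source_ip, reason) for a suspicious line, or None for a benign one."""
    m = COMBINED.match(line)
    if not m:
        return None  # not a combined-format line: skip rather than guess
    ip, path, ua = m.group("ip"), m.group("path"), m.group("ua")
    if MALICIOUS_UA in ua.lower():
        return ip, "redtail-user-agent"
    if DOCKER_API.match(path):
        return ip, "docker-api-probe"
    return None

def scan_access_log(lines):
    """Return (findings, hits_per_ip); findings is a list of (ip, reason, raw_line)."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings, Counter(ip for ip, _, _ in findings)

# Constructed sample lines (not real traffic); 203.0.113.0/24 is the documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2025:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Nov/2025:03:14:09 +0000] "GET /containers/json HTTP/1.1" 404 153 "-" "libredtail-http"',
    '203.0.113.77 - - [12/Nov/2025:03:14:10 +0000] "POST /v1.41/containers/create HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.12 - - [12/Nov/2025:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, per_ip = scan_access_log(SAMPLE_LOG)
    for ip, reason, line in found:
        print(f"{ip} {reason}: {line}")
    print("hits per source:", dict(per_ip))  # candidates for a firewall/WAF block list
```

The per-source counter gives you the list of addresses to feed into a firewall or WAF block rule; pipe a real access log in via `scan_access_log(open(path))`.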