Enrichment Appendix: 130.12.180.51 RedTail Payload Attribution

OSINT enrichment for the RedTail SSH campaign: per-indicator attribution of six hashes (four RedTail ELF variants plus loader/installer scripts), VirusTotal detection context, and a triage recommendation. Companion appendix to the third attack observation.

July 8, 2026 · 6 min · Joshua Burnett

Attack Observation: RedTail Cryptominer Delivered over SSH

A SSH-2.0-Go actor at 130.12.180.51 brute forced HoneyPi, then ran a two-stage shell loader, implanted an authorized_keys entry for persistence, and dropped six architecture-specific RedTail payloads over SFTP. Same bundle seen from a second IP two weeks earlier points to shared tooling.

July 8, 2026 · 6 min · Joshua Burnett