Attack Observation: RedTail Cryptominer Delivered over SSH
A SSH-2.0-Go actor at 130.12.180.51 brute forced HoneyPi, then ran a two-stage shell loader, implanted an authorized_keys entry for persistence, and dropped six architecture-specific RedTail payloads over SFTP. Same bundle seen from a second IP two weeks earlier points to shared tooling.