The threat actors behind RedTail are likely operating their own mining pools or pool proxies instead of using public ones, aiming for greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server. Akamai researchers noted that the hackers are using the newer RandomX algorithm for better efficiency and modifying the operating system configuration to use larger memory blocks, known as hugepages, to boost performance.

The use of private mining pools is a tactic reminiscent of North Korea's Lazarus Group, although Akamai has not directly attributed RedTail to any specific group. North Korea is known for its for-profit hacking operations, which include extensive cryptocurrency theft and other methods to evade sanctions (see: US FBI Busts North Korean IT Worker Employment Scams).

Initially spotted earlier this year, the RedTail malware has evolved to incorporate anti-research techniques, making it more difficult for security researchers to analyze and mitigate the threat. Akamai reports that the malware's operators quickly exploited the PAN-OS vulnerability, tracked as CVE-2024-3400, which allows attackers to create an arbitrary file enabling command execution with root user privileges (see: Likely State Hackers Exploiting Palo Alto Firewall Zero-Day).

Other notable targets include TP-Link routers, the China-origin content management system ThinkPHP, and Ivanti Connect Secure. Security researchers warn that advanced hackers, including state-sponsored threat actors, are increasingly focusing on edge devices due to their inconsistent endpoint detection and the proprietary software that complicates forensic analysis.