
HoneyLabs Mapped An Apache CVE Botnet By Its Back-End. Our Index Already Had The Family Name Waiting: Redtail. The Fusion Is The Receipt.

  • Writer: Patrick Duggan
  • 3 minutes ago
  • 7 min read

This morning HoneyLabs published a back-end mapping of a botnet that has been quietly earning rent for almost five years. They never named the malware family. They never had to. Their methodology was the point. They pulled next-stage URLs out of dropper binaries, clustered the delivering nodes by JA4 and JA4H and HASSH fingerprints, and walked the chain back from the noise at the perimeter to the eight staging servers that actually run the campaign. The data shape is one thousand and one source IPs across three hundred and six autonomous systems in sixty-four countries, steady at seventy to one hundred and twenty-five distinct delivering IPs per week, with a worm component they tagged apache.selfrep that turns every compromised host into the next delivery node.


We read it. We ran it against our index. The fusion is the receipt.



What HoneyLabs Mapped


HoneyLabs's article describes the campaign as an Apache path traversal worm exploiting CVE-2021-41773, the 2021 vulnerability that still earns more rent than most freshly-disclosed bugs. Their dropper-tracing methodology pulled the next-stage URL out of every captured payload and pivoted backward to the staging infrastructure. Five of the eight staging servers are named in the article: 31.57.216.121, 46.151.182.82, 178.16.55.224, 125.135.169.171, and 14.46.136.77; the remaining three sit in the same neighborhood. The first two share fifty-one delivering IPs. The next pair share forty-five. The last two are on Korea Telecom AS4766 and share thirty-eight IPs between them. The client-side fingerprint that ties the cluster together is a single JA4 value, t13i170900_5b57614c22b0_78e6aca7449b, which uniquely identifies six hundred and fifty-five of those IPs.


HoneyLabs did the hard part. They mapped the back end. They did not give the malware a family name because their telemetry did not require one for the methodology to work. The fingerprints and the staging infrastructure were the deliverable.



What Our Index Had Waiting


Five minutes after reading their article we ran their five named staging IPs against our iocs and blocked and oz_decisions indexes. Every one of them was already there. The most-cited of the five, 31.57.216.121, was tagged by URLhaus in early March 2026 with a family list that includes CoinMiner, geofenced, redtail, sh, ua-wget, and USA. The URL path that URLhaus has been tracking on that IP for months is /sh. SSLBL had the same IP tagged as botnet command-and-control infrastructure under the Remcos and Hook family names. Spamhaus DROP had the wider network it sits on listed as a hijacked network range.


The pattern repeats across the other four staging IPs. Multi-feed presence. Multi-family tagging. Korea Telecom AS4766 attribution on the last two, which our autonomous decisioning loop had been scoring for months without ever naming the upstream campaign.


The naming gap was the gap. HoneyLabs had the operator infrastructure. We had the family name on the operator infrastructure. Neither half is the whole picture without the other.



The Fusion


The apache.selfrep worm that HoneyLabs mapped is the redtail miner self-propagating via Apache [CVE-2021-41773](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2021-41773). The /sh URL path that URLhaus has been tracking for almost three months is the self-replicating shell stage that HoneyLabs's back-end pivot identified. The CoinMiner family tag is the monetization layer. The Remcos and Hook botnet command-and-control tags layered on the same infrastructure suggest the operator runs more than one revenue stream off the same compromised boxes. The Korea Telecom attribution on the last two staging IPs fits the redtail family's known regional distribution pattern. The whole picture is an almost-five-year-old Apache path traversal CVE being used in 2026 as a high-yield distribution vector for a CoinMiner family whose staging infrastructure also carries Remcos and Hook command-and-control tags, which reads as opportunistic secondary payloads on the same compromised hosts.


CVE-2021-41773 itself is the boring half of this story. The bug is from 2021. There is a patch. There has been a patch for almost five years. Our index has four thousand two hundred and fifty-one mentions of it across IOCs, advisories, blocked-event records, and downstream commentary. The CVE is not unknown. The patch is not unknown. The botnet is not unknown to anyone whose feed pipeline pulls URLhaus or SSLBL. What was unknown, until HoneyLabs published their mapping this morning, was that the eight staging servers behind a cluster of one thousand IPs across sixty-four countries are running a worm payload tagged apache.selfrep that ties the entire delivering population to a single operator-controlled back end.



The JA4 Fingerprint Is The Net-New Half


The piece of the fusion that is genuinely new to our corpus is the JA4 fingerprint. The exact JA4 (TLS client) value, t13i170900_5b57614c22b0_78e6aca7449b, returned zero hits across every index in our platform. We have JA4 in our oz_decisions pipeline and we have client-fingerprint clustering in our adversary infrastructure work, but this specific fingerprint had not landed in our corpus before HoneyLabs published it. The JA4H (HTTP client) value, po11nn0700_c5a94e7539c9, was also zero hits. The HASSH (SSH client) value, 19532158b559096b89b1a5f7d17175b2, was zero hits.


This is the cleanest possible case for a primary-research feed-back loop. HoneyLabs published three fingerprints with high specificity to a single operator cluster. We can index those three fingerprints today and our autonomous decisioning loop will start scoring future TLS handshakes, HTTP requests, and SSH attempts that match them against the redtail-on-Apache-CVE-2021-41773 cluster from this moment forward. Our index gets a new operator signature. HoneyLabs's research gets propagated into a 24.5-million-document searchable corpus with daily growth. Both halves compound.



The Methodology Lesson


This is what cross-correlation looks like when both researchers do their half right. HoneyLabs did back-end mapping from sample to infrastructure. We did corpus correlation from infrastructure to family name. Neither half identifies the campaign in full. Together they do.


The signature move on our side has been the same for two years. Bloom-filter novelty check on inbound IOCs. Meilisearch cross-index correlation across forty-four indexes and twenty-four and a half million documents. Multi-source feed corroboration as the confidence axis. When an external researcher publishes a mapping like HoneyLabs's, the move takes five minutes. Pull the named IPs. Query them across iocs, blocked, and oz_decisions. Pull the fingerprint values. Confirm whether they are present or net-new. Read the family tags on the multi-feed hits. State what the campaign is.


The methodology generalizes. Any back-end mapping published with named staging IPs and client fingerprints can be fused against any sufficiently large IOC corpus in minutes. The corpus does not have to be ours. The methodology does not have to be HoneyLabs's. The receipt is the fusion, and the fusion is the receipt.
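The five-minute pass described above (novelty check, cross-index lookup, multi-feed corroboration, family read-out) as an added example, not the post's own pipeline. It also covers the fingerprint step from the previous section: once the net-new fingerprints are indexed with a campaign tag, a later handshake that presents one of them scores against the cluster. The index names, the five staging IPs and the three fingerprints are quoted from the post; every corpus record, the Bloom-filter sizing, the campaign tag string and the scoring rule are assumptions made for the example.

```python
"""Added example, not the post's own pipeline: the correlation pass the post
describes, run over a small constructed corpus. The index names, the five staging
IPs and the three fingerprints are the post's; every record, the Bloom-filter
sizing and the scoring rule are illustrative assumptions."""
import hashlib

CAMPAIGN = "redtail-apache-CVE-2021-41773"  # assumed campaign tag


class BloomFilter:
    """Novelty gate: 'maybe seen' or 'definitely new' (no false negatives)."""
    def __init__(self, size_bits=8192, hashes=4):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


# Constructed corpus. Feeds and tags on 31.57.216.121 follow the post; the other
# records are placeholders so every named IP resolves, as the post reports.
INDEXES = {
    "iocs": {
        "31.57.216.121": [{"feed": "URLhaus", "tags": ["CoinMiner", "geofenced", "redtail", "sh", "ua-wget", "USA"]},
                          {"feed": "SSLBL", "tags": ["Remcos", "Hook"]}],
        "46.151.182.82": [{"feed": "URLhaus", "tags": ["redtail", "sh"]}],
        "178.16.55.224": [{"feed": "URLhaus", "tags": ["redtail"]}]},
    "blocked": {
        "31.57.216.121": [{"feed": "blocked-events", "tags": []}],
        "125.135.169.171": [{"feed": "blocked-events", "tags": ["AS4766"]}],
        "14.46.136.77": [{"feed": "blocked-events", "tags": ["AS4766"]}]},
    "oz_decisions": {
        "125.135.169.171": [{"feed": "oz_decisions", "tags": ["AS4766"]}],
        "14.46.136.77": [{"feed": "oz_decisions", "tags": ["AS4766"]}]},
}
STAGING_IPS = ["31.57.216.121", "46.151.182.82", "178.16.55.224", "125.135.169.171", "14.46.136.77"]
FINGERPRINTS = {"ja4": "t13i170900_5b57614c22b0_78e6aca7449b",
                "ja4h": "po11nn0700_c5a94e7539c9",
                "hassh": "19532158b559096b89b1a5f7d17175b2"}


def build_novelty_filter(indexes):
    bf = BloomFilter()
    for idx in indexes.values():
        for key in idx:
            bf.add(key)
    return bf


def correlate(indicator, indexes, bf):
    """Cross-index lookup; confidence is the number of independent feeds that agree."""
    hits = {"indicator": indicator, "status": "net-new", "indexes": [], "feeds": [],
            "families": [], "corroboration": 0}
    if not bf.maybe_contains(indicator):
        return hits                          # definitely absent: skip the index scan
    feeds, families, where = set(), set(), set()
    for name, idx in indexes.items():
        for rec in idx.get(indicator, []):
            where.add(name)
            feeds.add(rec["feed"])
            families.update(rec["tags"])
    if not where:                            # Bloom false positive: still net-new
        return hits
    hits.update(status="present", indexes=sorted(where), feeds=sorted(feeds),
                families=sorted(families), corroboration=len(feeds))
    return hits


def register_fingerprints(indexes, fingerprints, campaign, source):
    """Index net-new fingerprints with the campaign tag and the citing source."""
    for fp_type, value in fingerprints.items():
        indexes["iocs"].setdefault(value, []).append({"feed": source, "tags": [campaign, fp_type]})


def score_handshake(fingerprint, indexes):
    """What the decisioning loop does afterwards: map a live JA4/JA4H/HASSH to a campaign."""
    for rec in indexes["iocs"].get(fingerprint, []):
        for tag in rec["tags"]:
            if tag.startswith("redtail-"):
                return tag
    return None


def run_pass(indexes=INDEXES):
    """Pull the named IPs and fingerprints, query, split present from net-new, index the new."""
    bf = build_novelty_filter(indexes)
    results = {v: correlate(v, indexes, bf) for v in STAGING_IPS + list(FINGERPRINTS.values())}
    net_new = {k: v for k, v in FINGERPRINTS.items() if results[v]["status"] == "net-new"}
    register_fingerprints(indexes, net_new, CAMPAIGN, "honeylabs-backend-mapping")  # assumed tag
    return results
```

Calling run_pass() returns one result per indicator. The five IPs come back present with their feed list and merged family tags, and the corroboration count is how many independent feeds agree, which is the confidence axis rather than any single tag. The three fingerprints come back net-new and are written into the iocs index under the campaign tag, after which score_handshake resolves a live fingerprint to the cluster. The Bloom filter only answers "definitely new" cheaply; a "maybe" still goes to the index scan, so a false positive costs one lookup and never a wrong answer. With Meilisearch in place of the dict, the lookup becomes one filter query per index and the shape of the pass is unchanged.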



Boring CVE, Active Rent


CVE-2021-41773 is the most important detail in this story that nobody is going to lead with. The bug was disclosed in October 2021, the same autumn the iPhone 13 shipped. It affects httpd 2.4.49; the 2.4.50 fix was incomplete, the double-encoding bypass got its own identifier, CVE-2021-42013, and 2.4.51 closed both in October 2021. Every supported Apache version since has carried the fix. Cloud workload protection platforms have signatures for it. Web application firewalls block the obvious payloads by default. The CVE is in CISA's KEV catalog and has been since the catalog existed. And it is running an active worm in 2026 with one thousand delivering IPs across sixty-four countries earning steady CoinMiner rent on behalf of a single operator cluster that drops Remcos and Hook on the side.


The CVE is not the failure. The patch existed. The signature existed. The KEV listing existed. The failure is the population of internet-facing Apache boxes that have not been patched in five years and that nobody is auditing because the CVE is "old." Old CVEs in the KEV catalog with active worms attached are the part of the threat landscape that does not generate press releases and that earns the most rent. The operator behind the redtail cluster understands this. The operator's economics are obvious in the data shape. Seventy to one hundred and twenty-five distinct delivering IPs per week, sustained across years, against a vulnerability the operator did not have to discover and did not have to weaponize. The operator just had to maintain the staging infrastructure and let the worm propagate. Low overhead. High yield. Five years and counting.
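The audit habit the section calls for starts with knowing whether the vector is hitting your own boxes, so here is an added example, not part of the HoneyLabs research or of the post's pipeline: a detector for CVE-2021-41773-shaped requests in Apache access logs. The request shapes are taken from the public advisories for CVE-2021-41773 and its incomplete-fix follow-up CVE-2021-42013 (an encoded dot in a path segment that httpd 2.4.49 failed to normalize, and the double-encoded form that slipped past 2.4.50), not from this campaign's traffic. The log lines are constructed and the client addresses are documentation ranges.

```python
"""Added example, not part of the HoneyLabs research or the post's pipeline: a
detector for CVE-2021-41773-shaped requests in Apache access logs. The request
shapes come from the public advisories for CVE-2021-41773 and its incomplete-fix
follow-up CVE-2021-42013, not from this campaign's traffic. The log lines are
constructed and the client addresses are documentation ranges."""
import re
from urllib.parse import unquote

# Common/combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: two single-encoded probes that succeeded, one double-encoded
# probe that was refused, and two benign requests that must not fire.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:03:14:07 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1543 "-" "curl/7.88.1"
203.0.113.7 - - [12/May/2026:03:14:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 76 "-" "curl/7.88.1"
198.51.100.23 - - [12/May/2026:03:20:41 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 403 199 "-" "-"
192.0.2.88 - - [12/May/2026:03:21:00 +0000] "GET /images/../index.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.0.2.88 - - [12/May/2026:03:21:02 +0000] "GET /index.html?q=%2e%2e HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
"""


def encoded_dotdot_rounds(segment, max_rounds=2):
    """How many URL-decode rounds turn one path segment into '..', or None.

    A literal '..' is skipped: httpd normalizes it before mapping the path. The
    2.4.49 flaw was that an encoded dot ('.%2e', '%2e%2e') escaped that
    normalization; the 2.4.50 fix missed double encoding ('.%%32%65'), so two
    rounds are tried.
    """
    if segment == "..":
        return None
    current = segment
    for rounds in range(1, max_rounds + 1):
        current = unquote(current)
        if current == "..":
            return rounds
    return None


def analyze_target(target):
    """Inspect the path only; the query string never reaches the path mapper."""
    path = target.split("?", 1)[0]
    rounds = [r for r in map(encoded_dotdot_rounds, path.split("/")) if r]
    if not rounds:
        return None
    return {
        "variant": ("CVE-2021-42013 (double-encoded)" if max(rounds) == 2
                    else "CVE-2021-41773 (single-encoded)"),
        "traversal_segments": len(rounds),
        # A POST into an Alias-mapped CGI directory is the RCE shape when mod_cgi is on.
        "cgi_target": path.lower().startswith("/cgi-bin/"),
    }


def scan_log(text):
    """Run the detector over access-log text; 4xx hits are kept, they are the recon."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_target(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "method": m["method"], "status": int(m["status"]), **hit})
    return findings


def exploit_successes(findings):
    """Sources whose RCE-shaped POST got a 2xx: treat this host as compromised and,
    by the worm model the post describes, those sources as delivering nodes."""
    return sorted({f["ip"] for f in findings
                   if f["method"] == "POST" and f["cgi_target"] and 200 <= f["status"] < 300})
```

A 2xx on the POST is the escalation trigger for the host that logged it; the 403s and 404s are the probing population, which is the raw material for the delivering-IP counts the post quotes. The access log records the request line and not the POST body, so this catches the vector, not the /sh stage the payload fetches afterwards; pairing the hit with outbound connections from the web server to the staging IPs is the corroborating check.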



The Week's Adjacent Reads


This is the third supply-chain piece we have published today. The first was the CISA-numbered-TanStack post at oh-eight-seventeen this morning, which traced the eighteen-day arc from our April 29 Mini-Shai-Hulud indexing receipt to today's federal-mandate classification of CVE-2026-45321 and CVE-2026-48027. The second was the Malware-Slop post at oh-eight-nineteen, which named the first AI-tool-working-directory exfiltration receipt and walked the predictable ninety-day follow-on wave against Cursor and Copilot and Code Interpreter and Replit Agent. This third post is the back-end-mapping receipt against the boring botnet that has been running underneath all of the AI-era headline noise the entire time.


Two adjacent reads from the broader ecosystem this week are worth linking. Gabor Koos published a five-step npm package evaluation methodology this morning at gaborkoos.com that codifies the provenance, install-script, and maintainer-responsiveness checks that have become table stakes after the TanStack postmortem. Tom's Hardware reported on an unnamed corporation that spent five hundred million dollars on Claude in a single month after failing to put usage limits on employee licenses. Both pieces are part of the same broader frame. The npm trust model and the corporate AI governance model are both running without guardrails, and the operator population on both sides is iterating against the gap.



What We Are Indexing Next


The JA4, JA4H, and HASSH fingerprints from HoneyLabs's mapping go into our iocs index this week with the source tag tied back to the article. The five named staging IPs get re-tagged with the apache.selfrep campaign attribution and the CVE-2021-41773 vector annotation, layered on top of their existing URLhaus and SSLBL family tags. The methodology gets logged as a pattern entry, which makes it the forty-something pattern we have catalogued for back-end-mapping-from-published-research.


The receipt is one IP we have had since March, one URL path we have been blocking since March, one family name we have had on the family tag since March, and one back-end mapping HoneyLabs published this morning that ties the four together. Five minutes of correlation work. Three fingerprints added. One operator cluster named at the ninety-five percent confidence ceiling we hold against perfection claims. Boring CVE. Active rent. Two researchers, one campaign, one receipt.


The worm keeps propagating. The patch keeps existing. The audit habit is the gap.



