ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 212.127.91.32:80.
Database Entry
| IOC ID: | 1837417 |
|---|---|
| IOC: | 212.127.91.32:80 |
| IOC Type : | ip:port |
| Threat Type : | botnet_cc |
| Malware: | RedTail |
| Confidence Level : | Confidence level is moderate (50%) |
| Is compromised? : | False |
| ASN: | AS35179 AbkhazMedia-As |
| Country: | GE |
| First seen: | 2026-06-25 15:18:09 UTC |
| Last seen: | never |
| UUID: | 5c7cdf35-70a7-11f1-97fa-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | apache-rce apache.selfrep CVE-2021-41773 libredtail-http |
| Reference: | https://speculus.co/search?ip=212.127.91.32 |
Speculus
Speculus Honeynet Telemetry: Active RedTail (Libredtail) botnet node launching Apache HTTP Server path traversal and RCE exploitation (CVE-2021-41773).
The scanner uses URL-encoded directory traversal (`.%2e` segments) beneath /cgi-bin/ to reach /bin/sh and pass it a payload execution string. The encoded dot-dot segments are what matter: a literal `/../` is normalized away before the vulnerable path-mapping code runs, so the traversal only works when the dots are percent-encoded.
Campaign Variation Note:
Unlike the PHP-CGI variants, this request passes the unique 'apache.selfrep' argument string to the secondary script hosted on the payload delivery infrastructure (217.60.195.113).
Client Signatures Captured:
- User-Agent: libredtail-http
- JA4H fingerprint (POST profile): po11nn060000_31e9cb71ef1b_000000000000_000000000000 (the leading JA4H_a segment decodes as POST over HTTP/1.1, no Cookie, no Referer, 6 headers, no Accept-Language; the two all-zero trailing segments are the cookie-field and cookie-value hashes, as expected for a cookieless request)
Local honeypot identifiers redacted. Event timestamp: 2026-06-25T14:56:26Z.