RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit

2024-05-30 Akamai

https://www.akamai.com/blog/security-research/2024/may/2024-redtail-cryptominer-pan-os-cve-exploit


Akamai observed RedTail cryptomining operators adding Palo Alto PAN-OS CVE-2024-3400 exploitation to a broader web-exploit arsenal targeting IoT devices, web applications, SSL-VPNs, and security products. The infection chain used command execution to download a bash script that selected a compatible binary by processor architecture and deployed a UPX-packed XMRig-based miner. The new RedTail variant embeds encrypted mining configuration, uses private mining pools or pool proxies, and adds anti-analysis and persistence behavior such as forking, killing GDB, and installing a cron job. Akamai notes that use of private mining pools mirrors tactics associated with Lazarus, but frames this only as attribution speculation rather than evidence of Lazarus responsibility.
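As an added example (not code from Akamai's post), a small Python triage helper that flags cron entries whose target is a UPX-packed ELF binary or lives under a temp directory, the persistence pattern summarised above. The crontab lines, file paths and file bytes are constructed for the example.

```python
"""Triage helper (added example, not Akamai's code): flag cron entries that point at
UPX-packed ELF binaries or at binaries in temp directories. All sample data is constructed."""
import re
from typing import Dict, List

# Constructed in-memory "filesystem": path -> leading bytes of the file.
SAMPLE_FILES: Dict[str, bytes] = {
    "/tmp/.redtail/x86_64": b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 20,  # packed ELF
    "/usr/bin/backup.sh": b"#!/bin/sh\necho backup\n",                           # plain script
}

SAMPLE_CRONTAB = """\
# constructed crontab
0 2 * * * /usr/bin/backup.sh
*/5 * * * * /tmp/.redtail/x86_64 >/dev/null 2>&1
@reboot /tmp/.redtail/x86_64
"""

# Five schedule fields (or an @keyword) followed by an absolute path to the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>/\S+)")
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def is_upx_packed_elf(data: bytes) -> bool:
    """UPX leaves an 'UPX!' marker in the header region of packed ELF files.
    The marker can be patched out, so its absence is not proof of a clean binary."""
    return data.startswith(b"\x7fELF") and b"UPX!" in data[:4096]

def cron_commands(crontab: str) -> List[str]:
    """Return the absolute path executed by each non-comment cron line."""
    cmds = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            cmds.append(m.group("cmd"))
    return cmds

def suspicious_cron_entries(crontab: str, files: Dict[str, bytes]) -> List[str]:
    """Cron targets that are UPX-packed ELFs or that run out of a temp directory."""
    flagged = set()
    for cmd in cron_commands(crontab):
        if is_upx_packed_elf(files.get(cmd, b"")) or cmd.startswith(TEMP_DIRS):
            flagged.add(cmd)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_cron_entries(SAMPLE_CRONTAB, SAMPLE_FILES))
```

On a real host, replace `SAMPLE_FILES` with reads of the first 4 KiB of each cron target and feed in the system and per-user crontabs.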

Indicators of Compromise

