RedLine
RedLine Stealer is a customizable information-stealing trojan (infostealer) written in .NET/C# and first identified in 2020. ESET detects it as MSIL/Spy.RedLine and MSIL/Spy.Agent. The malware collects passwords, cookies, credit card data, location and other system information, and browser data. Reported targeting includes credentials and data from browsers such as Google Chrome and Mozilla Firefox, as well as applications and services including Discord, FileZilla, Steam, Telegram, and VPN clients such as OpenVPN and ProtonVPN. It can also search for files and upload them to a remote server, and it can download and execute additional files; reporting notes that this loader capability is used to deliver further malware, including ransomware, RATs, trojans, miners, and other payloads.
RedLine appears repeatedly in commodity cybercrime and infostealer ecosystems. It has been observed as a payload delivered by other malware and loader operations, including StealC-linked activity, Amadey, and multi-stage cracked-software infection chains. It is also referenced in broader credential-theft and traffic-team ecosystems, where stolen logs are monetized through criminal markets and Telegram channels. Cited reporting states that LAPSUS$ acquired and used the RedLine password stealer in its operations.
Observed delivery vectors include phishing campaigns, fraudulent websites, malicious applications, cracked or pirated software lures, SEO abuse, and Discord messages sent from compromised accounts carrying password-protected ZIP archives. One analyzed infection chain showed RedLine abusing AppLaunch.exe from the .NET Framework directory, with a configuration pointing to net.tcp://45.15.156.187:23929/ and the botnet identified as "LogsDiller Cloud (Telegram: @logsdillabot)." Another report lists a RedLine C2 as hrabrlonian[.]xyz:81 / 45.130.151[.]133.
Law-enforcement reporting states that in October 2024 international authorities announced the takedown of the RedLine and META infostealers after seizing domains, servers, and Telegram accounts used by their administrators; other reporting notes that RedLine variants disappeared as a result of this coordinated action. Operation Endgame datasets derived primarily from RedLine and Meta stealer logs seized during enforcement actions are also referenced.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.
Groups observed using it
8 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
LAPSUS$ acquired and used the Redline password stealer in their operations.
Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs.
ClearSky researchers observed that this vulnerability has been used to distribute various malware, including Redline Stealer and SparkRAT.
Others include StealC, RedLine, Odebug and other Phemedrone variants, and NodeJS loaders and downloaders.
Hudson Rock researchers investigated the alleged breaches and found the threat actor relied on distributing infostealers such as RedLine, Lumma, or Vidar... to harvest credentials.
"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Resource Development: 2 techniques
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access: 5 techniques
Compromised accounts could be used to facilitate fraud, account takeover, or secondary market ticket resale schemes.
One example is ClickFix, a technique using fake browser alerts, fraudulent update prompts and drive-by downloads to initiate compromise.
Credential theft, phishing, ticket fraud, and social engineering are expected to pose greater operational risk than destructive malware.
The infection begins when an unsuspecting victim receives a phishing email carrying a malicious archive attachment.
They received a private message via Discord “from” an online friend asking them for feedback on a game the friend was writing. The "game" the online friend was writing was in a password-protected .ZIP file, which they had to download and extract with the password before running it. Unfortunately, the friend’s account had been compromised earlier, and the attacker was now using it to spread malicious software.
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 3 techniques
KryptoCibule, cryptocurrency-focused malware that targeted Czech and Slovak users, was spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC) for them.
Credential Access: 8 techniques
When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server.
Security researchers documented widespread fraud campaigns involving fake ticketing platforms, fraudulent domains impersonating official World Cup services, credential harvesting operations, counterfeit mobile applications, and account compromise activity.
Keylogging (T1056.001, Credential Access / Collection) - intercepting keystrokes to capture manually typed passwords, including ones that are never saved in the browser.
Fortinet found hundreds of thousands of user logins, plus more than 4,600 FIFA web addresses, in data swept up by credential-stealing malware like Vidar, LummaC2, and RedLine.
An infostealer infection on an employee’s personal device could yield corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multifactor authentication (MFA).
A stealer is malicious code that steals account information, passwords, financial data, and other sensitive personal information stored on a system.
Discovery: 4 techniques
Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer.
T1087.004 (Account Discovery: Cloud Account): To establish a foundational understanding of the target environment, a threat actor might first locate the identities operating within it... AzureHound parameters that facilitate the MITRE technique Account Discovery: Cloud Account include the following: list users, list devices, list device-owners, list service-principals, list service-principal-owners.
Collection: 4 techniques
Banking trojans and information stealers materialized as the second most prevalent type of cybercrime, with malware families like RedLine, Lumma, LokiBot, Negasteal, and ZBot taking up the top spots.
Security researchers documented widespread fraud campaigns involving fake ticketing platforms, fraudulent domains impersonating official World Cup services, credential harvesting operations, counterfeit mobile applications, and account compromise activity.
Command and Control: 2 techniques
Additionally, it has an optional loader functionality that can be used to retrieve additional payloads such as infostealers, remote access trojans (RATs) and ransomware... In one case, XTinyLoader was installed, which subsequently downloaded LockBit Black ransomware.
IOCs tracked for this family
139 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An infostealer observed as an additional payload leveraged by StealC affiliates.
RedLine Stealer is listed as a malware family delivered in StealC-linked activity.
RedLine Stealer is mentioned as a payload distributed by a large botnet cluster within the Amadey ecosystem.
Named as an infostealer family involved in credential theft and resale within the cybercriminal ecosystem.