Redline

Malware updated 19 hours ago (2024-11-20T17:38:53.708Z)

Download STIX

Preview STIX

RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actors selling logs through 2easy, although the marketplace also sells logs from other malwares like Raccoon, Vidar, and AZORult. Other prominent malwares represented on platforms such as Telegram include Anubis, SpiderMan, Oski Stealer, and Loki Stealer. Despite disruptive operations by law enforcement, RedLine, Lumma, Vidar, and others have shown resilience by adapting and adopting new techniques. During the building process of RedLine, which can be configured according to individual needs, another sample of RedLine, potentially undesired, is embedded in the dotRunpeX. The RedLine panel makes extensive use of GitHub repositories as dead-drop resolvers to obtain the address of back-end servers and uses base64 encoding in its network communications. By default, the RedLine panel's Guest Links functionality runs an HTTP server on port 7766. Samples of the RedLine panel are packed using DNGuard and BoxedApp, and the panel automatically terminates itself if it detects a debugger or analysis tools. The back-end components of RedLine are uploaded to private servers, with the panels signed with valid certificates issued to AMCERT, LLC. Interestingly, the RedLine back end automatically generates self-signed certificates when creating samples. This indicates that the operators of RedLine have developed their own malware families, control panels, and back-end servers, demonstrating a high level of sophistication and adaptability within the cybercrime landscape.

Description last updated: 2024-11-15T16:02:34.097Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Redline Stealer is a possible alias for Redline. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s	12
Azorult is a possible alias for Redline. Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb	5

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Infostealer

Phishing

Infostealers

Windows

Ransomware

Credentials

Maas

Bot

Loader

Payload

Infostealer ...

Trojan

Cybercrime

Youtube

Exploit

Fraud

Domains

Meta

Midjourney

Source

Scams

Macos

Cobalt Strike

Espionage

Email Addres...

Tool

Exploit Kit

Antivirus

Facebook

Resecurity

Github

Discord

Acrobat

Vpn

Malvertising

Injector

Downloader

16shop

Rat

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Vidar Malware is associated with Redline. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	12
The Raccoon Malware is associated with Redline. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $	Unspecified	8
The Lumma Malware is associated with Redline. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re	Unspecified	6
The Batloader Malware is associated with Redline. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal	Unspecified	5
The Agenttesla Malware is associated with Redline. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for rans	Unspecified	5
The Amadey Malware is associated with Redline. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ	Unspecified	4
The QakBot Malware is associated with Redline. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	4
The NanoCore Malware is associated with Redline. NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec	Unspecified	4
The Lumma Stealer Malware is associated with Redline. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di	Unspecified	4
The Risepro Malware is associated with Redline. RisePro is a type of malware, specifically an info-stealer, designed to infiltrate and damage computer systems. It operates by exploiting vulnerabilities in a device, often through suspicious downloads, emails, or websites, typically without the user's knowledge. Once inside, RisePro can disrupt ope	Unspecified	4
The Lummac2 Malware is associated with Redline. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. It is written in C and distributed as Malware-as-a-Service (MaaS). This malware functions as a dynamic strain under active development, with its use expanding to several additional malware fam	Unspecified	3
The Darkgate Malware is associated with Redline. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	3
The Mars Malware is associated with Redline. Mars is a malicious software (malware) that has been discovered by the Trend Micro Mobile Application Reputation Service (MARS) team. This malware, related to other known threats like Vidar and Redline, has been involved in cryptocurrency-mining and financially-motivated scam campaigns targeting And	Unspecified	3
The Stealc Malware is associated with Redline. StealC is a form of malware that specifically targets browser extensions and password managers. Its emergence was first reported in early 2023 and it quickly grew in popularity on the dark web due to its ability to bypass traditional security measures. The malware's modus operandi involves stealing	Unspecified	3
The NETWIRE Malware is associated with Redline. NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at	Unspecified	2
The malware Avemaria/warzonerat is associated with Redline.	Unspecified	2
The Rhadamanthys Malware is associated with Redline. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact	Unspecified	2
The Lobshot Malware is associated with Redline. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in	Unspecified	2
The Raccoon Stealer Malware is associated with Redline. Raccoon Stealer, a malware-as-a-service (MaaS) operation, emerged in 2019, designed by Russian-speaking developers to steal victims' sensitive data such as credit card information, email credentials, and cryptocurrency wallets. The malware was initially promoted exclusively on Russian-speaking hacki	Unspecified	2
The Ducktail Malware is associated with Redline. "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys	Unspecified	2
The Lokibot Malware is associated with Redline. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information	Unspecified	2
The Scrubcrypt Malware is associated with Redline. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt	Unspecified	2
The Lockbit Malware is associated with Redline. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2
The Dotrunpex Malware is associated with Redline. DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av	Unspecified	2
The njRAT Malware is associated with Redline. NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d	Unspecified	2
The Xworm Malware is associated with Redline. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operati	Unspecified	2
The Formbook Malware is associated with Redline. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o	Unspecified	2
The Agent Tesla Malware is associated with Redline. Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informat	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lapsus Group Threat Actor is associated with Redline. The Lapsus Group, identified as a threat actor originating from North Korea, has been involved in various cybercriminal activities, primarily focusing on cryptocurrency theft. This group is known for its use of sophisticated tools such as RedLine and QakBot, which have been instrumental in their ope	Unspecified	2

Source Document References

Information about the Redline Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	6 days ago	Crimeware and financial predictions for 2025
ESET	10 days ago	Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
BankInfoSecurity	15 days ago	How Trump's Victory May Spark Tech and Cyber Policy Shift
BankInfoSecurity	16 days ago	Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits
DARKReading	20 days ago	Chinese APTs Cash In on Years of Edge Device Attacks
Flashpoint	20 days ago	RedLine and META Takedown: A Turning Point in the Infostealer Landscape?
BankInfoSecurity	20 days ago	Mac Malware Threat: Hackers Seek Cryptocurrency Holders
BankInfoSecurity	20 days ago	Breach Roundup: S&P Says Poor Remediation A Material Risk
DARKReading	22 days ago	The Weapon of Choice of Cybercriminals: BEC Impersonation
Securityaffairs	23 days ago	International law enforcement operation dismantled RedLine and Meta infostealers
InfoSecurity-magazine	23 days ago	Law Enforcement Operation Takes Down Redline and Meta Infostealers
DARKReading	23 days ago	FBI, Partners Disrupt RedLine, Meta Stealer Operations
Flashpoint	23 days ago	U.S. Joins International Action Against RedLine and META Infostealers
BankInfoSecurity	23 days ago	Russian Indicted by US for Developing Redline Infostealer
DARKReading	2 months ago	AI 'Nude Photo Generator' Delivers Infostealers, Not Images
BankInfoSecurity	2 months ago	Breach Roundup: AI 'Nudify' Sites Serve Malware
DARKReading	2 months ago	Infostealers: An Early Warning for Ransomware Attacks
Recorded Future	2 months ago	H1 2024 Malware & Vulnerability Trends Report: Zero-Day Exploits, Infostealers, and Emerging Malware Threats
SANS ISC	3 months ago	From Highly Obfuscated Batch File to XWorm and Redline - SANS Internet Storm Center
Checkpoint	4 months ago	29th July – Threat Intelligence Report - Check Point Research