Redline

Malware Profile Updated 13 days ago
RedLine is a notorious infostealer, discovered in March 2020, designed to compromise computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data, which it exfiltrates to its command-and-control infrastructure. The malware has been used in a multitude of cyber incidents; one report found it responsible for nearly half (47%) of all incidents involving stolen passwords, more than twice the share of the next closest stealer, Vidar, demonstrating its prevalence in cyber-attacks.

RedLine has been particularly active in the underground marketplace. Historically, it has been a favored infostealer among threat actors selling logs through platforms like 2easy, which also sells logs from other malware such as Raccoon, Vidar, and AZORult. On Telegram, RedLine is prominently represented alongside other malicious software such as Anubis, SpiderMan, Oski Stealer, and Loki Stealer. Notably, during the RedLine building process, users often receive another RedLine sample embedded in dotRunpeX, whether they wanted it or not.

Over the last six months, RedLine has been used to steal more than 170 million passwords, making it the most notorious credential stealer of that period according to research published on March 12. Other prevalent stealer malware detected across Sophos’ telemetry last year included Raccoon Stealer, Grandoreiro, and Discord Token Stealer, but RedLine topped the list with a rate of 8.71%. Researchers urge users to be aware of such threats, especially given the rising popularity of AI tools and the potential for these stealers to exploit that popularity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Redline Stealer | 10 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Azorult | 5 | Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Phishing
Windows
Infostealer
Payload
Loader
Exploit
Credentials
Youtube
Maas
Bot
Midjourney
Fraud
Cybercrime
Telegram
Scams
Infostealer ...
Trojan
Injector
Github
Facebook
Cobalt Strike
Rat
Discord
Acrobat
Vpn
Espionage
Exploit Kit
Antivirus
Resecurity
Malvertising
Macos
Sandbox
Secureworks
Esentire
Botnet
Ransomware P...
Fbi
Airbus
Microsoft
Techcrunch
Scam
Rmm
Dropper
XSS (Cross S...
Wordpress
Malwarebytes
Malware Payl...
Adobe
Google
Exploits
Backdoor
Malware Loader
Downloader
Bitdefender
Tesla
Crypter
Sophos
Flashpoint
exploitation
Remcos
Veriti
Loki
Linux
Associated Malware
ID | Type | Votes | Profile Description
Vidar | Unspecified | 12 | Vidar is a Windows-based malware written in C++, known as an infostealer due to its ability to steal personal information from infected systems. It has been leveraged by cybercriminals alongside other malicious software like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoade
Raccoon | Unspecified | 8 | Raccoon is a type of malware utilized by the Scattered Spider threat actors to obtain sensitive information such as login credentials, browser cookies, and browser histories. The Raccoon Stealer is particularly notorious for its ability to detect countermeasures and delete records associated with th
Taurus | Unspecified | 5 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Agenttesla | Unspecified | 5 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Batloader | Unspecified | 5 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
NanoCore | Unspecified | 4 | NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec
Amadey | Unspecified | 4 | Amadey is a type of malware that has been identified as part of a complex network of malicious software used to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage fo
Risepro | Unspecified | 3 | RisePro is a malicious software (malware) that was first discovered in December 2022. After a period of relative inactivity, it resurfaced in July 2023. This malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the u
QakBot | Unspecified | 3 | Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Mars | Unspecified | 3 | Mars is a malicious software (malware) that has been discovered by Trend Micro's Mobile Application Reputation Service (MARS) team. This malware is particularly damaging as it involves two new Android malware families related to cryptocurrency mining and financially-motivated scam campaigns, targeti
Lumma | Unspecified | 3 | Lumma is a malicious software (malware) that has been identified as an information stealer, and it has been observed in various cybercrime activities. It infects systems through suspicious downloads, emails, or websites, often without the victim's knowledge. Once inside, Lumma can steal personal inf
Vidar Stealer | Unspecified | 3 | Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Avemaria/warzonerat | Unspecified | 2 | None
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
Formbook | Unspecified | 2 | Formbook is a type of malware, or malicious software, that can infiltrate your computer or device through suspicious downloads, emails, or websites. Once it has infected a system, it can steal personal information, disrupt operations, and potentially hold data for ransom. The individual behind the R
Stealc | Unspecified | 2 | Stealc is a malicious software (malware) that specifically targets browser extensions and authenticators by password managers, growing in popularity on the dark web since its discovery in early 2023. It has been associated with significant cyber-attacks, such as the $7 million heist on the Solana bl
Xworm | Unspecified | 2 | XWorm is a multifaceted malware that poses a significant threat to computer systems. It provides threat actors with remote access capabilities, allowing them to exploit vulnerabilities in programs such as ScreenConnect client software. Additionally, XWorm has the potential to spread across networks,
Lockbit | Unspecified | 2 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
Dotrunpex | Unspecified | 2 | DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av
njRAT | Unspecified | 2 | NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
Agent Tesla | Unspecified | 2 | Agent Tesla is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates the system often without the user's knowledge via suspicious downloads, emails, or websites, with the capability to steal personal information, disrupt operations, or hold data for
Lummac2 | Unspecified | 2 | LummaC2 is a relatively new information-stealing malware, first discovered in 2022. The malicious software has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It's been used by threat actors for initial access or data theft, often
Lobshot | Unspecified | 2 | Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in
Lumma Stealer | Unspecified | 2 | Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
Ducktail | Unspecified | 2 | "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys
Scrubcrypt | Unspecified | 2 | ScrubCrypt is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage fo
Raccoon Stealer | Unspecified | 2 | Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
AsyncRAT | Unspecified | 1 | AsyncRAT is a malicious software (malware) that targets computer systems to exploit and damage them, often infiltrating the system without the user's knowledge through suspicious downloads, emails, or websites. The malware operates by loading an executable which unpacks a DLL in memory, subsequently
Bladabindi | Unspecified | 1 | Bladabindi, also known as njRAT, is a remote access trojan (RAT) malware first discovered in 2013. It poses a significant threat to the privacy, security, and integrity of infected systems, allowing attackers to execute commands on the host, log keystrokes, and remotely activate the victim's webcam
Smokeloader | Unspecified | 1 | Smokeloader is a notorious malware that has been utilized extensively by Phobos actors to carry out ransomware attacks. The malware, often delivered through suspicious downloads, emails, or websites, embeds itself into the victim's system as a hidden payload. Once inside, it enables threat actors to
GuLoader | Unspecified | 1 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
ZxShell | Unspecified | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
Systembc | Unspecified | 1 | SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Thirdeye | Unspecified | 1 | ThirdEye is a type of malware, specifically an infostealer, that has been identified as a significant threat to Windows devices. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it steals personal information, disru
Fakebat | Unspecified | 1 | FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Endev | Unspecified | 1 | None
Edidev | Unspecified | 1 | None
Aurora | Unspecified | 1 | Aurora is a type of malware designed to exploit and damage computer systems, often through suspicious downloads, emails, or websites. It has been used in a series of high-profile cyber-attacks over the years, with notable instances such as Operation Aurora in 2009, which targeted major technology co
Grandoreiro | Unspecified | 1 | Grandoreiro is a form of malware, specifically a banking Trojan, originating from Brazil. It is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Once inside, Grandoreiro can steal personal informa
Cherry | Unspecified | 1 | Cherry is a malicious software, or malware, that has recently impacted Cherry Health, a Michigan-based healthcare provider. The malware infiltrated the system through unknown means, disrupting operations and causing a significant ransomware attack. This incident underscores the security challenges f
Privateloader | Unspecified | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Ursnif | Unspecified | 1 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Oski | Unspecified | 1 | Oski is a type of malware, specifically a stealer, that emerged as a clone of the Vidar malware, following the latter's leak. It was created to exploit and damage computer systems by infiltrating through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access t
Octopus | Unspecified | 1 | Octopus is a malware, a harmful program designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Associated Threat Actors
ID | Type | Votes | Profile Description
Lapsus Group | Unspecified | 2 | The Lapsus Group, identified as a threat actor originating from North Korea, has been involved in various cybercriminal activities, primarily focusing on cryptocurrency theft. This group is known for its use of sophisticated tools such as RedLine and QakBot, which have been instrumental in their ope
Scattered Spider | Unspecified | 1 | Scattered Spider is a prominent threat actor group known for its malicious cyber activities. Their modus operandi includes searching SharePoint repositories for information, seeking to maintain persistence on targeted networks, and exfiltrating data for extortion purposes. The group primarily uses p
Medusa | Unspecified | 1 | Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Ephemeral | Unspecified | 1 | Ephemeral is a threat actor group known for its malicious cyber activities, which include the use of RedLine Stealer that employs TCP traffic over an ephemeral port for command and control (C2) operations. The group's activities are particularly challenging due to their transient nature, making them
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Redline Remcos | Unspecified | 1 | None
Vidar Xworm | Unspecified | 1 | None
Netwire Privateloader | Unspecified | 1 | None
Asyncrat Avemaria/warzonerat | Unspecified | 1 | None
Source Document References
Information about the Redline malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
ESET | 11 days ago | Hijacked: How hacked YouTube channels spread scams and malware
DARKReading | 13 days ago | Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc
Checkpoint | a month ago | Inside the Box: Malware’s New Playground - Check Point Research
DARKReading | 2 months ago | AI Voice Generator App Used to Drop Gipy Malware
Securityaffairs | 2 months ago | Cybercriminals are targeting elections in India with influence campaigns
DARKReading | 2 months ago | YouTube Becomes Latest Battlefront for Phishing, Deepfakes
CERT-EU | 4 months ago | RedLine malware top credential stealer of last 6 months
InfoSecurity-magazine | 4 months ago | Three-Quarters of Cyber Incident Victims Are Small Businesses
CERT-EU | 4 months ago | ChatGPT credentials snagged by infostealers on 225K infected devices
InfoSecurity-magazine | a year ago | Researchers Uncover New Information Stealer 'Stealc'
CERT-EU | 4 months ago | Alert: Info Stealers Target Stored Browser Credentials
CERT-EU | 4 months ago | Cyber Security Week in Review: March 1, 2024
BankInfoSecurity | 4 months ago | Alert: Info Stealers Target Stored Browser Credentials
CERT-EU | 4 months ago | This Chinese PC Manufacturer Tailored its Own Devices to be Susceptible to Malware
CERT-EU | 4 months ago | Ransomware crews lean into infostealers for initial access
CERT-EU | 5 months ago | Pre-installed Malware Found on Chinese Acemagic Products
CERT-EU | 5 months ago | Chinese PC-maker Acemagic's machines infected with malware
Recorded Future | 5 months ago | Leading with Intelligence: Winning Against Credential Theft
BankInfoSecurity | 5 months ago | Post-LockBit, How Will the Ransomware Ecosystem Evolve?
CERT-EU | 5 months ago | Post-LockBit, How Will the Ransomware Ecosystem Evolve? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting