Redline

Malware updated 22 days ago (2024-11-29T13:58:28.755Z)
RedLine is a malware family designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside it can steal personal information, disrupt operations, or hold data hostage for ransom. RedLine has historically been the favourite infostealer of threat actors selling logs through 2easy, a marketplace that also sells Raccoon, Vidar, and AZORult logs; other families such as Anubis, SpiderMan, Oski Stealer, and Loki Stealer are prominently represented on Telegram. During the RedLine build process it was discovered that the user would also receive a second RedLine sample embedded in dotRunpeX, an additional sample the user most likely did not want. The RedLine panel uses GitHub repositories as dead-drop resolvers to obtain the address of its back-end servers and makes extensive use of base64 encoding in its network communications. Samples of the RedLine panel are packed with DNGuard and BoxedApp. By default, the panel's Guest Links functionality runs an HTTP server on port 7766. Several RedLine samples were detected in 2024: the first version of the file appeared on June 29, 2024, using C&C 147.45.44.83:6483, and subsequent detections on July 6, 2024, and August 7, 2024, both used C&C 185.196.9.26:6302. Despite disruption operations by law enforcement, RedLine and other stealers such as Lumma and Vidar have shown resilience, adapting and adopting new techniques to survive.
Description last updated: 2024-11-28T11:50:13.680Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description | Votes
Redline Stealer is a possible alias for Redline. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s... | 12
Azorult is a possible alias for Redline. Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb... | 5
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Windows
Infostealers
Ransomware
Phishing
Telegram
Credentials
Bot
Exploit
Loader
Maas
Payload
Infostealer ...
Cybercrime
Youtube
Trojan
Fraud
Domains
Meta
Scams
Midjourney
Macos
Source
Espionage
Rat
Cobalt Strike
Tool
Email Addres...
Exploit Kit
Antivirus
Spyware
Resecurity
Facebook
Bitcoin
Github
Acrobat
Vpn
Malvertising
Discord
Injector
Downloader
16shop
Linux
Associated Malware
Alias / Description | Association Type | Votes
The Vidar Malware is associated with Redline. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw... | Unspecified | 12
The Raccoon Malware is associated with Redline. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $... | Unspecified | 8
The Lumma Malware is associated with Redline. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re... | Unspecified | 6
The Agenttesla Malware is associated with Redline. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for rans... | Unspecified | 5
The Batloader Malware is associated with Redline. Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal... | Unspecified | 5
The Risepro Malware is associated with Redline. RisePro is a type of malware, specifically an info-stealer, designed to infiltrate and damage computer systems. It operates by exploiting vulnerabilities in a device, often through suspicious downloads, emails, or websites, typically without the user's knowledge. Once inside, RisePro can disrupt ope... | Unspecified | 4
The Amadey Malware is associated with Redline. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ... | Unspecified | 4
The QakBot Malware is associated with Redline. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope... | Unspecified | 4
The NanoCore Malware is associated with Redline. NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec... | Unspecified | 4
The Lumma Stealer Malware is associated with Redline. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di... | Unspecified | 4
The Lockbit Malware is associated with Redline. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or... | Unspecified | 3
The Lummac2 Malware is associated with Redline. LummaC2 is a malicious software (malware) that was initially identified in Russian-speaking forums in 2022. The malware, written in C and distributed as Malware-as-a-Service (MaaS), has been actively developed over time, with researchers noting that LummaC2 4.0 operates as a dynamic malware strain. ... | Unspecified | 3
The Darkgate Malware is associated with Redline. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio... | Unspecified | 3
The Stealc Malware is associated with Redline. StealC is a form of malware that specifically targets browser extensions and password managers. Its emergence was first reported in early 2023 and it quickly grew in popularity on the dark web due to its ability to bypass traditional security measures. The malware's modus operandi involves stealing ... | Unspecified | 3
The Mars Malware is associated with Redline. Mars is a malicious software (malware) that has been discovered by the Trend Micro Mobile Application Reputation Service (MARS) team. This malware, related to other known threats like Vidar and Redline, has been involved in cryptocurrency-mining and financially-motivated scam campaigns targeting And... | Unspecified | 3
The Smokeloader Malware is associated with Redline. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct... | Unspecified | 2
The NETWIRE Malware is associated with Redline. NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at... | Unspecified | 2
The Rhadamanthys Malware is associated with Redline. Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact... | Unspecified | 2
The Lobshot Malware is associated with Redline. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in... | Unspecified | 2
The Ducktail Malware is associated with Redline. "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys... | Unspecified | 2
The malware Avemaria/warzonerat is associated with Redline. | Unspecified | 2
The Lokibot Malware is associated with Redline. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information... | Unspecified | 2
The Scrubcrypt Malware is associated with Redline. ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt... | Unspecified | 2
The Raccoon Stealer Malware is associated with Redline. Raccoon Stealer, a malware-as-a-service (MaaS) operation, emerged in 2019, designed by Russian-speaking developers to steal victims' sensitive data such as credit card information, email credentials, and cryptocurrency wallets. The malware was initially promoted exclusively on Russian-speaking hacki... | Unspecified | 2
The Dotrunpex Malware is associated with Redline. DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av... | Unspecified | 2
The njRAT Malware is associated with Redline. NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d... | Unspecified | 2
The Xworm Malware is associated with Redline. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operati... | Unspecified | 2
The Agent Tesla Malware is associated with Redline. Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informat... | Unspecified | 2
The Formbook Malware is associated with Redline. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o... | Unspecified | 2
Associated Threat Actors
Alias / Description | Association Type | Votes
The Lapsus Group Threat Actor is associated with Redline. The Lapsus Group, identified as a threat actor originating from North Korea, has been involved in various cybercriminal activities, primarily focusing on cryptocurrency theft. This group is known for its use of sophisticated tools such as RedLine and QakBot, which have been instrumental in their ope... | Unspecified | 2