Redline Stealer

Malware Profile Updated a month ago
RedLine Stealer is malicious software used to compromise computer systems, typically infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 analysed a RedLine Stealer infection using Wireshark, a network protocol analyzer, following the TCP stream to examine the post-infection traffic. Despite a disruption in its development in 2023, RedLine Stealer saw significant activity in H1 2024, with detections a third higher than in H2 2023. This resurgence was largely driven by one-off campaigns in Spain, Japan, and Germany. The malware has been linked to numerous cyber threats, including the Balada Injector gang, which exploited WordPress plugin vulnerabilities to compromise over 20,000 websites in the first half of 2024. Gaming enthusiasts were notably targeted: cracked video games and cheating tools for online multiplayer games were found to contain infostealers such as Lumma Stealer and RedLine Stealer. Attackers have also abused Microsoft's GitHub-hosted repositories "vcpkg" and "STL" to distribute the RedLine Stealer trojan, demonstrating the adaptability of these threat actors. The use of RedLine Stealer among other malware families has shifted: while its overall prevalence dropped, some threat actors began using it more frequently, including AceCryptor, which targeted multiple European countries. Conversely, malware such as Danabot and RedLine Stealer reduced their reliance on AceCryptor, as shown by a greater than 60% decrease in AceCryptor samples containing that malware. Additionally, a malvertising campaign spreading RedLine Stealer via Google Ads was identified by Kaspersky experts a year ago, illustrating the diverse distribution methods used by this malware.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Redline | 10 | RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
Vidar Stealer | 2 | Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
Gozi | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Windows
Payload
Exploit
Malware Loader
MaaS
RMM
RAT
Infostealer
Trojan
YouTube
Infostealer ...
Loader
Fraud
Antivirus
GitHub
Credentials
Malvertising
Telegram
Midjourney
macOS
Facebook
Tool
Scams
Remcos
ESET
Exploit Kit
Kaspersky
Botnet
Linux
Domains
Veriti
Bot
Malware Drop...
Crypter
Phishing
eSentire
Dropper
WordPress
Associated Malware
ID | Type | Votes | Profile Description
Batloader | Unspecified | 5 | Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal
Vidar | Unspecified | 3 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Scrubcrypt | Unspecified | 3 | ScrubCrypt is a sophisticated malware that has been identified as a significant threat in the cybersecurity landscape. It operates as part of an intricate system of harmful software, including VenomRAT and various malicious plugins, designed to exploit and damage computer systems. The malware infilt
Lobshot | Unspecified | 3 | Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in
Smokeloader | Unspecified | 3 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Raccoon | Unspecified | 2 | Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20
Systembc | Unspecified | 2 | SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Amadey | Unspecified | 2 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Hijackloader | Unspecified | 2 | HijackLoader is a new type of malware that has been rapidly gaining popularity within the cybercrime community. As with other types of malicious software, it is designed to exploit and damage computer systems. It can infiltrate these systems through suspicious downloads, emails, or websites, often u
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Ducktail | Unspecified | 2 | "Ducktail" is a malicious software (malware) first observed in 2022, specifically designed to target Facebook business accounts. The malware was discovered by Zscaler, a leading cybersecurity firm, and it's suspected to originate from threat actors based in Vietnam. Ducktail not only infiltrates sys
Lumma Stealer | Unspecified | 2 | Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
IcedID | Unspecified | 2 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Raccoon Stealer | Unspecified | 2 | Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
Balada Injector | Unspecified | 1 | Balada Injector is a type of malware known for its ability to steal information from wp-config.php files, primarily targeting WordPress websites. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by disrupting operations, s
Acecryptor | Unspecified | 1 | AceCryptor is a prevalent malware crypter in the current digital landscape, recognized for its ability to help other malicious software evade detection. In recent research, we've identified 279 domains hosted on dedicated AceCryptor IP addresses, with 17 of these domains flagged as malicious by bulk
Batcloak | Unspecified | 1 | BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository
Venomrat | Unspecified | 1 | VenomRAT is a malicious software (malware) that poses significant threats to computer systems and devices. It can infiltrate systems through dubious downloads, emails, or websites, often without the user's knowledge. Once installed, VenomRAT can steal personal information, disrupt operations, or eve
SVCReady | Unspecified | 1 | SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
Chromeloader | Unspecified | 1 | ChromeLoader, first identified in early 2022, is a persistent and evolving malware family known for hijacking browsers, stealing sensitive information, and running additional payloads such as other malware families. This malicious software is particularly harmful as it can infiltrate systems without
MedusaLocker | Unspecified | 1 | MedusaLocker, first observed in September 2019, is a potent ransomware variant that primarily targets Windows machines through spam. This malware should not be confused with Medusa, a Ransomware-as-a-Service (RaaS) platform active since late 2022. MedusaLocker has been utilized by various ransomware
Smoke Loader | Unspecified | 1 | Smoke Loader is a prominent type of malware identified by the SCPC SSSCIP, used in recent attacks primarily targeting Ukrainian organizations. This malicious software is often delivered via IPFS links by malware families such as Smoke Loader, XLoader, XMRig, and OriginLogger, disrupting operations a
Netsupport | Unspecified | 1 | NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Netsupport Manager | Unspecified | 1 | NetSupport Manager is a malicious software (malware) that poses significant threats to computer systems and networks. It is often disguised as legitimate software or tools, such as the 7-zip compression utility or a fake Chrome browser update, to trick users into downloading and installing it. Once
Eugenloader | Unspecified | 1 | EugenLoader, also known as FakeBat, is a form of malware that was detected by Microsoft in mid-November 2023. It was distributed by an initial access broker known as Storm-1113 through search advertisements mimicking the Zoom app, with the malware delivered via bogus MSIX installers masquerading as
njRAT | Unspecified | 1 | NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
NanoCore | Unspecified | 1 | NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec
Privateloader | Unspecified | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Fakebat | Unspecified | 1 | FakeBat is a notable malware variant that has been increasingly involved in malvertising campaigns since at least November 2022, as per an early 2023 Intel471 report. This malicious software exploits and damages computers or devices by infiltrating systems through suspicious downloads, emails, or we
Xworm | Unspecified | 1 | XWorm is a multi-functional malware that provides threat actors with remote access capabilities, has the potential to spread across networks, exfiltrate sensitive data, and download additional payloads. It was observed exploiting ScreenConnect vulnerabilities, a client software used for remote syste
Isfb | Unspecified | 1 | ISFB, also known as Gozi or Ursnif, is a form of malware that has been a significant part of the cyberthreat landscape for several years. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user'
Agenttesla | Unspecified | 1 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
AsyncRAT | Unspecified | 1 | AsyncRAT is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Once the executable loads http_dll.dll, the DL
Sectop Rat | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Ephemeral | Unspecified | 1 | Ephemeral is a threat actor group known for its malicious cyber activities, which include the use of RedLine Stealer that employs TCP traffic over an ephemeral port for command and control (C2) operations. The group's activities are particularly challenging due to their transient nature, making them
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the RedLine Stealer malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
ESET | 21 days ago | Hijacked: How hacked YouTube channels spread scams and malware
Trend Micro | 25 days ago | AI Pulse: Siri Says Hi to OpenAI, Deepfake Olympics & more
ESET | a month ago | ESET Threat Report H1 2024
DARKReading | 3 months ago | Hackers Create Legit Phishing Links With Ghost GitHub, GitLab Comments
Recorded Future | 3 months ago | Improving Dark Web Investigations with Threat Intelligence | Recorded Future
ESET | 4 months ago | Rescoms rides waves of AceCryptor spam
CERT-EU | 4 months ago | What’s in your notepad? Infected text editors target Chinese users - Cyber Security Review
Securelist | 4 months ago | Infected text editors load backdoor into macOS
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 4 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
CERT-EU | 5 months ago | Kaspersky spam and phishing report for 2023
CERT-EU | 5 months ago | Cyber Security Week in Review: March 1, 2024
CERT-EU | 5 months ago | Ransomware crews lean into infostealers for initial access
Securityaffairs | 5 months ago | IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT
Unit42 | 5 months ago | Diving Into Glupteba's UEFI Bootkit
Securityaffairs | 6 months ago | Yearly Intel Trend Review: The 2023 RedSense report
CERT-EU | 6 months ago | Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
InfoSecurity-magazine | 6 months ago | Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
CERT-EU | 6 months ago | Beware! YouTube Videos Promoting Cracked Software Distribute Lumma Stealer
CERT-EU | 7 months ago | Microsoft Disables App Installer After Feature is Abused for Malware