Overview
RedLine Stealer is a .NET-based infostealer that first appeared on Russian-language cybercrime forums in March 2020. It quickly became one of the most prolific credential-stealing malware families in the threat landscape, consistently ranking among the top infostealers by sample volume. RedLine operates on a Malware-as-a-Service model: affiliates buy a lifetime license for approximately $150-$200 or a cheaper monthly subscription, and build their own stub from a dedicated C2 panel that lets them configure theft targets, manage campaigns, and collect exfiltrated data (referred to as "logs", which are in turn resold on criminal marketplaces). In October 2024, international law enforcement conducted Operation Magnus, seizing RedLine infrastructure and publicly charging its alleged developer, though samples built with older panels continue to circulate.
Capabilities
RedLine harvests saved credentials, cookies, autofill data, and credit card information from all major Chromium-based browsers and Gecko-based browsers such as Firefox. Because it runs in the victim's own session, it can unwrap the Chromium master key with DPAPI and decrypt the stores directly, so the browser's at-rest encryption offers no protection. It targets over 30 cryptocurrency wallet extensions and desktop wallet applications. The stealer collects comprehensive system metadata including hardware identifiers, installed software, running processes, and screen resolution, which the panel uses to fingerprint and deduplicate victims. It can also steal VPN client configurations (NordVPN, OpenVPN, ProtonVPN), FTP credentials (FileZilla), instant messaging session data (Telegram, Discord tokens), and Steam gaming platform files. RedLine includes a file grabber module configurable by extension and directory, and some variants incorporate a loader capability to deploy follow-on payloads. Communication with C2 servers is built on .NET Windows Communication Foundation (WCF) over the net.tcp binding, so the traffic is a SOAP/XML exchange on a raw TCP port rather than HTTP.
Distribution Methods
RedLine is delivered through an exceptionally wide range of vectors, reflecting its large and diverse affiliate base. Primary distribution methods include phishing emails with malicious attachments (often disguised as invoices or shipping notifications), malvertising campaigns on search engines, trojanized software packages on fake download sites, YouTube video descriptions linking to supposed game cheats or cracked tools, and compromised legitimate websites. RedLine is also commonly delivered as a secondary payload by loaders such as SmokeLoader, Amadey, and PrivateLoader. During 2021-2022, RedLine was heavily distributed through fake COVID-19 themed applications and Omicron-themed lures.
Notable Campaigns
RedLine gained significant attention in early 2022 when it was distributed through fake Windows 11 upgrade installers hosted on domains mimicking Microsoft's official site. Also in 2022, operators exploited the popularity of the game Valorant by distributing RedLine through YouTube videos advertising fake aimbots and cheats. Throughout 2023, RedLine was consistently observed in malvertising campaigns abusing Google Ads to impersonate popular software. A notable supply chain incident involved RedLine-infected npm packages targeting developers. In October 2024, Operation Magnus, coordinated by the Dutch National Police with international partners, disrupted RedLine and META Stealer infrastructure simultaneously, revealing that the two stealers shared infrastructure and substantial code.
Detection & Mitigation
RedLine's .NET architecture makes it amenable to static analysis and signature-based detection once the obfuscation or packer layer that most samples carry has been removed. Defenders should monitor for suspicious .NET process execution, particularly processes outside the browser itself performing bulk reads of browser credential stores (Chromium "Login Data", "Web Data" and "Local State"; Firefox "logins.json" and "key4.db") and cryptocurrency wallet directories within a short window. Network detection should focus on the distinctive WCF/SOAP C2 communication pattern over non-standard TCP ports. YARA rules targeting RedLine's characteristic string obfuscation and class naming conventions are widely available from threat intelligence providers. Mitigation strategies include enforcing multi-factor authentication to limit the impact of stolen passwords (noting that stolen cookies and session tokens can bypass MFA, so sessions should be revoked and secrets rotated after an infection), deploying endpoint detection and response solutions with behavioral rules for credential access patterns, restricting execution from user-writable locations such as Downloads and %TEMP%, and monitoring for anomalous outbound data transfers. Organizations should also monitor dark web marketplaces for leaked credentials associated with their domains.
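As an added example covering both the Capabilities section (the stores an infostealer has to touch) and the behavioral detection described above, the following Python script flags a non-browser process that reads several distinct credential stores within a short time window. It is not RedLine code and not any vendor's rule; the telemetry format (JSON lines with ts, pid, image, op, path), the path list, the allowlist, the threshold and the sample events are all constructed assumptions for illustration.

```python
"""Added example: detect bulk credential-store reads by a single process.

Not RedLine's code or any EDR vendor's rule. The event format, path markers,
allowlist, thresholds and SAMPLE_EVENTS below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Normalised path fragments an infostealer must read to collect what the page
# lists: Chromium/Gecko credential stores, wallet data, FileZilla, Telegram,
# Discord. Matching is done on lower-cased, forward-slash paths.
CREDENTIAL_STORE_MARKERS = (
    "/login data",                    # Chromium saved passwords
    "/web data",                      # Chromium autofill and cards
    "/cookies",                       # Chromium and Firefox cookie stores
    "/local state",                   # Chromium DPAPI-wrapped master key
    "/logins.json",                   # Firefox saved passwords
    "/key4.db",                       # Firefox key database
    "/filezilla/recentservers.xml",
    "/filezilla/sitemanager.xml",
    "/telegram desktop/tdata/",
    "/discord/local storage/leveldb/",
    "/exodus/exodus.wallet/",
    "/electrum/wallets/",
    "/ethereum/keystore/",
)

# Processes expected to open their own stores. A real deployment keys on the
# signed image path; the basename is used here to keep the example short.
ALLOWED_READERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe",
                   "filezilla.exe", "telegram.exe", "discord.exe"}

DISTINCT_STORE_THRESHOLD = 3      # distinct stores read by one process ...
WINDOW = timedelta(seconds=60)    # ... within this time window


def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_credential_store(path: str) -> bool:
    p = normalise(path)
    return any(marker in p for marker in CREDENTIAL_STORE_MARKERS)


def detect_bulk_credential_reads(events):
    """Return one alert per (pid, image) that reads DISTINCT_STORE_THRESHOLD or
    more distinct credential stores inside WINDOW. The alert lists every store
    that process touched so an analyst sees the full scope of the theft."""
    reads = defaultdict(list)                       # (pid, image) -> [(ts, path)]
    for ev in events:
        if ev.get("op") != "read" or not is_credential_store(ev["path"]):
            continue
        image = normalise(ev["image"]).rsplit("/", 1)[-1]
        if image in ALLOWED_READERS:
            continue
        reads[(ev["pid"], image)].append(
            (datetime.fromisoformat(ev["ts"]), normalise(ev["path"])))

    alerts = []
    for (pid, image), items in reads.items():
        items.sort()
        start = 0
        for end in range(len(items)):              # sliding window over reads
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            distinct = {p for _, p in items[start:end + 1]}
            if len(distinct) >= DISTINCT_STORE_THRESHOLD:
                alerts.append({"pid": pid, "image": image,
                               "first_seen": items[start][0].isoformat(),
                               "stores": sorted({p for _, p in items})})
                break
    return alerts


# Constructed telemetry: the browser reading its own stores (benign), an
# installer in %TEMP% sweeping five stores in three seconds (RedLine-like),
# and explorer.exe touching three Firefox files an hour apart (below window).
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts": "2024-03-01T10:00:01", "pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-03-01T10:00:02", "pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts": "2024-03-01T10:05:10", "pid": 7788, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Setup.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2024-03-01T10:05:10", "pid": 7788, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Setup.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-03-01T10:05:11", "pid": 7788, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Setup.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\logins.json"}
{"ts": "2024-03-01T10:05:12", "pid": 7788, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Setup.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"ts": "2024-03-01T10:05:13", "pid": 7788, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Setup.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\FileZilla\\recentservers.xml"}
{"ts": "2024-03-01T11:00:00", "pid": 9001, "image": "C:\\Windows\\explorer.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\cookies.sqlite"}
{"ts": "2024-03-01T11:30:00", "pid": 9001, "image": "C:\\Windows\\explorer.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\key4.db"}
{"ts": "2024-03-01T11:59:00", "pid": 9001, "image": "C:\\Windows\\explorer.exe", "op": "read", "path": "C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\logins.json"}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect_bulk_credential_reads(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Run as-is, the script raises exactly one alert, for the Setup.exe process in %TEMP%, and stays quiet for the browser (allowlisted) and for explorer.exe, whose three reads are spread over an hour. The time window is what separates a stealer's sweep from ordinary software that opens one store now and then; tune the threshold, the window and the allowlist to the telemetry source you actually have, and prefer matching on signed image paths over basenames in production.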