RedLine Solutions

RedLineCyber is a cybercrime threat actor identified by CloudSEK’s STRIKE team in December 2025. The actor masquerades as an affiliate of “RedLine Solutions,” deliberately leveraging the notoriety of the RedLine infostealer family to build false credibility in underground communities. The operation targets high-value victims in private Discord communities associated with gaming, gambling, and streaming, with particular focus on cryptocurrency streamers and influencers. Reported example servers used for infiltration include discord.gg/watchgamestv and discord.gg/lootbox. Rather than broad phishing, the actor uses identity theft, persona-building, direct social engineering, and prolonged grooming of victims before delivering malware. Victims are persuaded to install executables such as “Pro.exe” and “peeek.exe,” presented as security or streaming utilities. The delivered malware is a Python-based clipboard hijacker (clipper) that monitors the Windows clipboard for cryptocurrency wallet addresses and replaces them in real time with attacker-controlled addresses. Reported targeted cryptocurrencies include Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron. The malware is described as operating almost entirely offline, without C2 communication or data exfiltration, which reduces opportunities for network-based detection. The content explicitly contrasts this activity with the legitimate RedLine Stealer family, noting that RedLine Stealer is C#-based and network-active. Known alias in the provided content: RedLine Solutions.