RedLineCyber
RedLineCyber is a cybercrime threat actor reported by CloudSEK’s STRIKE team (identified via HUMINT in December 2025) running a Discord-centric social-engineering campaign to steal cryptocurrency via clipboard hijacking. The actor infiltrates private Discord communities associated with gaming, gambling, and cryptocurrency streaming, builds rapport over extended periods, and targets high-value individuals such as crypto streamers and influencers. RedLineCyber impersonates or masquerades as an affiliate of a fake “RedLine Solutions” persona to gain credibility and leverage the notoriety of the RedLine infostealer name.

The actor distributes malicious Windows executables (noted examples: Pro.exe and peeek.exe) presented as streaming utilities or security tools purportedly to help manage/protect wallet addresses during live sessions. The payload is a Python-based “clipper” packaged with PyInstaller (bundling a Python runtime and obfuscated bytecode) that establishes persistence by creating %APPDATA%\CryptoClipboardGuard and registering itself in the current user’s Windows Registry Run key to start on boot. Once resident, it monitors the clipboard (reported ~3 checks/second), detects cryptocurrency wallet addresses using base64-encoded regular expressions, and replaces copied addresses with attacker-controlled addresses at paste time. It logs swap activity to %APPDATA%\CryptoClipboardGuard\activity.log. The malware is described as narrowly focused on clipboard manipulation rather than broad information stealing, and as operating largely offline with minimal/no command-and-control traffic, reducing network-detection opportunities.

The campaign targets multiple cryptocurrency address formats including Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron, with blockchain traces reportedly linking attacker wallet addresses to theft across these assets. Example Discord servers cited as used for infiltration include discord.gg/watchgamestv and discord.gg/lootbox.
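Because the clipper generates little or no network traffic, a host-side clipboard poller is one of the few places the behaviour is visible: a wallet address replaced by a different address of the same family a fraction of a second after it was copied. The following is an added defender-side example, not code from the CloudSEK report or the Mallory profile; the address regexes, the two-second window and the clipboard timeline are constructed for illustration, and the actual clipboard read (pyperclip, Win32) is left to the caller.

```python
import re

# Address regexes are constructed for this example, not the malware's own.
# Ordered most-specific first: Solana's bare base58 pattern would otherwise
# also match legacy Bitcoin, Dogecoin and Tron addresses, which are base58 too.
ADDRESS_PATTERNS = [
    ("ETH",  re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRX",  re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("DOGE", re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$")),
    ("LTC",  re.compile(r"^(ltc1[02-9ac-hj-np-z]{25,59}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$")),
    ("BTC",  re.compile(r"^(bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("SOL",  re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify(text):
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return family
    return None

def detect_swaps(samples, window=2.0):
    """samples: (timestamp_seconds, clipboard_text) pairs from a clipboard poll.
    A clipper's signature is an address of family F replaced by a *different*
    address of the same family within a fraction of a second; a person rarely
    copies two wallets of one coin that fast. Returns (time, family, old, new).
    """
    alerts = []
    prev_t, prev_text = None, None
    for t, text in samples:
        fam = classify(text)
        prev_fam = classify(prev_text) if prev_text is not None else None
        if (prev_fam is not None and fam == prev_fam
                and text.strip() != prev_text.strip() and t - prev_t <= window):
            alerts.append((t, fam, prev_text, text))
        prev_t, prev_text = t, text
    return alerts

# Constructed clipboard timeline (no real wallets): a BTC address replaced
# 0.3 s after it was copied, followed by ordinary activity that must not alert.
SAMPLE_TIMELINE = [
    (0.0,  "1" + "A" * 33),
    (0.3,  "1" + "B" * 33),
    (5.0,  "hello from chat"),
    (10.0, "0x" + "ab12" * 10),
    (10.3, "0x" + "ab12" * 10),  # same address re-copied: not a swap
    (40.0, "0x" + "ff00" * 10),  # different address, but 30 s later: not a swap
]
```

Feeding real samples polled at the reported rate (about three times per second) makes the heuristic catch the replacement on the same tick it happens, while the two-second window keeps a user who copies two wallets in a row from tripping it.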
Social-engineering-driven cryptocurrency theft operation in Discord communities using a Windows clipboard hijacker disguised as a streaming/security tool to replace copied wallet addresses with attacker-controlled addresses at paste time.
Cybercrime actor conducting crypto theft by infiltrating private Discord communities and using long-term social engineering to convince victims (notably crypto streamers/influencers) to install a Python-based clipboard hijacker ("clipper") disguised as a security/streaming utility (e.g., Pro.exe, peeek.exe). The malware monitors the Windows clipboard for cryptocurrency wallet addresses and substitutes attacker-controlled addresses, operating largely offline to reduce detection.