RedLine
RedLine Stealer is a commodity infostealer/password-stealing malware family, also referred to as RedLine or RedLine password stealer, that has been widely used since at least 2020 and is commonly sold in the cybercriminal economy as MaaS. It is repeatedly described as inexpensive, easy to use, and highly popular, and has been observed alongside other stealers such as Lumma, Vidar, Raccoon, RisePro, MetaStealer, Rhadamanthys, and Stealc.
Its core capability is credential theft. The content explicitly states that RedLine steals passwords and session tokens, extracts and exfiltrates browser cookies, and targets browser-stored credentials. It is described as capable of stealing credentials from browser password stores and browser data, and is associated with theft of system information, cookies, session tokens, and cryptocurrency wallet data. Microsoft also classifies RedLine as cryware in some contexts because it targets non-custodial cryptocurrency hot-wallet data. The content further notes that RedLine has sent victim data to its C2 or RedLine panel server, has used Base64 to encode command-and-control traffic, includes an anti-sandbox technique that requires successful C2 communication to continue execution, and has been observed abusing legitimate web services as C2 infrastructure. Splunk reporting cited in the content also states that RedLine can modify registry keys and disable Windows Update-related services on compromised hosts.
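As an added defender-side example (not from the page or any of the vendors it cites), the following Python flags the Windows Update-disabling behaviour the Splunk reporting describes, using two constructed telemetry sources: Service Control Manager Event ID 7040 (service start type changed) and Sysmon Event ID 13 (registry value set). The set of Windows Update-related service names, the event field names and the sample events are my assumptions.

```python
"""Flag Windows Update-related services being disabled, one of the RedLine
behaviours attributed to Splunk reporting.  Two signals are checked:
SCM Event ID 7040 (start type changed to disabled) and a Sysmon Event ID 13
write setting HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Start to 4
(SERVICE_DISABLED)."""
import re

# Assumption: the page says "Windows Update-related services" without naming
# them; this mapping of service name -> display name is my choice.
UPDATE_SERVICES = {
    "wuauserv": "Windows Update",
    "UsoSvc": "Update Orchestrator Service",
    "WaaSMedicSvc": "Windows Update Medic Service",
    "BITS": "Background Intelligent Transfer Service",
}
_DISPLAY_TO_NAME = {v: k for k, v in UPDATE_SERVICES.items()}

# SCM 7040 message text: "The start type of the <display> service was changed
# from <old> to <new>."
_7040_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from "
    r"(?P<old>[\w ]+) to (?P<new>[\w ]+)"
)
# Registry path of a service's Start value (Sysmon TargetObject).
_START_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\Start$", re.IGNORECASE)


def check_event(ev):
    """Return a finding string for one normalised event dict, or None."""
    if ev.get("event_id") == 7040:
        m = _7040_RE.search(ev.get("message", ""))
        if m and m["new"].lower() == "disabled":
            svc_name = _DISPLAY_TO_NAME.get(m["svc"])
            if svc_name:
                return f"{svc_name} start type changed to disabled (SCM 7040)"
    elif ev.get("event_id") == 13:  # Sysmon: registry value set
        m = _START_KEY_RE.search(ev.get("target_object", ""))
        disabled = ev.get("details", "").strip().upper() in ("DWORD (0X00000004)", "4")
        if m and m["svc"] in UPDATE_SERVICES and disabled:
            return f"{m['svc']} Start set to 4 (disabled) by {ev.get('image', '?')}"
    return None


def scan(events):
    """Run check_event over a list of events and return the findings."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events (not real telemetry); the second and fourth are benign.
SAMPLE_EVENTS = [
    {"event_id": 7040, "message": "The start type of the Windows Update service was changed from auto start to disabled."},
    {"event_id": 7040, "message": "The start type of the Print Spooler service was changed from auto start to disabled."},
    {"event_id": 13, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\Start", "details": "DWORD (0x00000004)"},
    {"event_id": 13, "image": "C:\\Windows\\System32\\svchost.exe",
     "target_object": "HKLM\\System\\CurrentControlSet\\Services\\UsoSvc\\Start", "details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```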
Observed delivery vectors in the content include phishing emails with malicious attachments, phishing messages, malicious installers, spoofed update prompts, ZIP bundles, cracked software/warez, YouTube videos, watering-hole sites, Discord CDN-hosted payload delivery, and LNK-based phishing chains. One report states RedLine was bundled in a ZIP file with other software; another notes it was delivered immediately after users downloaded a malicious installer or responded to a spoofed update prompt. Group-IB reporting cited in the content says RedLine was used in campaigns spread via fake websites, malicious links in game reviews and social-media lotteries, file-sharing sites, and compromised social-media accounts.
RedLine is linked in the content to multiple threat actors and intrusion sets. Microsoft states DEV-0537/LAPSUS$ used the RedLine password stealer to obtain passwords and session tokens, and other reporting on the Uber incident similarly notes Lapsus$ is known to use RedLine-stolen credentials. The content also says credentials stolen by RedLine were leveraged in identity-centric intrusions, including Snowflake-related compromises attributed to UNC5537, where infostealer-obtained credentials were used in environments lacking enforced MFA. Kaspersky reporting cited in the content says a separate threat group targeting Russian organizations previously used RedLine, alongside PureRAT and Cobalt Strike, before later adopting Ravage.
Targeting described in the content is broad and opportunistic, affecting consumers and enterprises. Examples include theft of FIFA-related credentials and web addresses in World Cup-themed fraud ecosystems, compromise of accounts such as PayPal, Amazon, Steam, Roblox, and Epic Games, and use against Russian educational institutions, energy companies, financial organizations, government bodies, and diplomatic institutions when deployed by specific actors. The content also notes RedLine’s role in large-scale credential theft operations run by Russian-speaking cybercriminal groups, with more than 890,000 infected devices worldwide in one 2022 campaign.
High-confidence infrastructure and indicators mentioned in the content are limited. The content explicitly notes Base64-encoded C2 traffic, exfiltration to a RedLine C2/panel server, and use in Discord CDN-delivered malware chains. No single canonical RedLine hash or stable C2 IOC is provided in the source material.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.
Groups observed using it
Eight distinct threat actors have been attributed by public researchers.
Deploying the malicious Redline password stealer to obtain passwords and session tokens ... Redline password stealer has become the malware of choice for stealing credentials and is commonly distributed through phishing emails, watering holes, warez sites, and YouTube videos.
Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs.
ClearSky researchers observed that this vulnerability has been used to distribute various malware, including Redline Stealer and SparkRAT.
Others include StealC, RedLine, Odebug and other Phemedrone variants, and NodeJS loaders and downloaders.
Hudson Rock researchers investigated the alleged breaches and found the threat actor relied on distributing infostealers such as RedLine, Lumma, or Vidar... to harvest credentials.
"Threat actors then use information-stealing malware, such as Raccoon Stealer and Redline, to acquire credentials and session tokens from the victim’s browser."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
The malware can be hidden in legitimate-looking mobile apps, on web pages, in malicious ads, and phishing links/attachments, among other places.
According to Group-IB, cybercriminals also rely on ... taking over social media accounts to disseminate the malware.
A combined 35% of social engineering cases involved less conventional methods, including SEO poisoning and malvertising, smishing and MFA bombing.
Initial Access
4 techniques
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying of a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
One example is ClickFix, a technique using fake browser alerts, fraudulent update prompts and drive-by downloads to initiate compromise.
For initial access, the attackers send phishing emails to corporate addresses. The attachments are disguised as Microsoft Excel documents: product lists, forms to fill in, and other work files.
In 2026 the attacks began with a phishing email carrying a ZIP archive that contained an XLL file. This file masqueraded as a legitimate Microsoft Excel add-in.
Execution
4 techniques
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate". MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Expect to see typosquatted FIFA domains, malicious mobile applications, infostealers sold on Telegram
Double-clicking it launched Excel, which loaded an executable DLL into its own process, leading to execution of the malicious code.
Persistence
3 techniques
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate". MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying of a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
Privilege Escalation
2 techniques
During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate". MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.
Stealth
5 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Sites spoofing the names of well-known companies ... to convince victims to download malicious files.
In November 2023, APT29 (Midnight Blizzard) got into Microsoft's corporate environment through password spraying of a single test cloud tenant without MFA... Initial Access and Credential Theft (T1078, T1621)... Valid Accounts (T1078...)
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
7 techniques
Credential-harvesting malware is the most common first-stage payload... configured to extract browser-stored credentials, saved tokens and session cookies.
the vast pool of compromised user accounts heightens the risk of credential stuffing and potential large-scale data breaches
Fortinet found hundreds of thousands of user logins, plus more than 4,600 FIFA web addresses, in data swept up by credential-stealing malware like Vidar, LummaC2, and RedLine.
These tools are configured to extract browser-stored credentials, saved tokens and session cookies.
Operation MidnightEclipse stole saved cookies and login data from targeted systems; IceApple can collect files, passwords, and other data from a compromised host; RedLine Stealer collected chat logs and files associated with chat services.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
The detection of multiple stealer malware families, particularly the dominance of RedLine and Lumma... RedLine is known for its capabilities in credential stealing
Discovery
1 technique
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
A “pass-the-cookie” attack is a type of attack where an attacker can bypass authentication controls by compromising browser cookies... “Pass-the-cookie” is like pass-the-hash or pass-the-ticket attacks in Active Directory.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
4 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
This is a very simple loader: it downloads and runs two executable files from URLs hard-coded into it.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
136 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, spanning network infrastructure (IPs, domains, and DNS), file hashes (MD5, SHA-1, SHA-256) from samples and reports, and other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Credential-stealing malware used to harvest user logins and web-related data from infected systems.
Previously used by the threat group as one of several tools in attacks against Russian organizations.
Malware-as-a-Service information stealer used in earlier stages of the campaign and delivered through XLL-based phishing chains.
Information-stealing malware whose stolen credentials were used in World Cup-related account compromise activity.