Goldberg's technical analysis of a real, widely-distributed threat. Atomic indicators (hashes, C2) rotate constantly — consult the linked vendor reports for current IOCs.

Overview

RedLine has spent years near the top of infostealer telemetry. Sold cheaply as a service with a lifetime-licence option, it put credential theft within reach of low-skill operators, and the credentials it harvests feed the wider criminal economy — initial-access brokering, account takeover, and ransomware staging.

Capabilities

  • Credential theft from Chromium and Gecko browsers: saved logins, cookies, autofill, card data.
  • Crypto theft targeting wallet apps and browser extensions.
  • Host recon: hardware, OS, installed software, UAC and keyboard-layout fingerprinting.
  • Surveillance: screenshots and keystroke capture; acts as a downloader for RATs, miners, and ransomware.

Evasion

Builds are typically UPX- or custom-packed and heavily obfuscated to defeat static triage. Notably, later variants moved logic into Lua bytecode to frustrate .NET decompilation and signature detection — a meaningful step up in stealth for a commodity stealer.

Distribution

RedLine rode whatever lure was topical: fake "Windows 11" upgrade sites (2021), bogus Valorant aimbots pushed through YouTube (2022), and Google Ads malvertising impersonating popular software (2023). The constant is social engineering toward a manual download-and-run.

Detection

  • A short-lived process reading multiple browser credential stores then beaconing to a single C2 — classic smash-and-grab signature.
  • Unpacking telemetry (UPX/custom) plus .NET runtime spawning unusual child processes.
  • Outbound to known RedLine panel infrastructure (rotates — pull current IOC feeds).
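The first bullet above can be expressed as a correlation rule over endpoint telemetry. The following is an added example written for this page, not code from the original analysis or from any vendor product; the event tuple layout, the sample events and the 60-second "short-lived" threshold are assumptions, while the store file names are the real Chromium and Gecko credential/cookie databases.

```python
import os
from collections import defaultdict

# Browser credential and cookie stores (Chromium and Gecko) the rule watches, by file name.
CREDENTIAL_STORES = {"Login Data", "Web Data", "Cookies",
                     "logins.json", "key4.db", "cookies.sqlite"}
MAX_LIFETIME = 60  # seconds; assumed tuning value for "short-lived"

# Constructed sample telemetry (not real events): (ts_seconds, pid, kind, detail).
# pid 41 is the stealer shape: dropper reads three stores, beacons once, exits.
# pid 77 is a real browser: reads its own store, talks to many hosts, never exits.
EVENTS = [
    (0, 41, "start", r"C:\Users\u\AppData\Local\Temp\setup.exe"),
    (1, 41, "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (2, 41, "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (3, 41, "read", r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
    (5, 41, "connect", "203.0.113.7:443"),
    (6, 41, "exit", ""),
    (0, 77, "start", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (4, 77, "read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (9, 77, "connect", "198.51.100.1:443"),
    (30, 77, "connect", "198.51.100.2:443"),
]


def _store_name(path):
    """File name of a Windows or POSIX path, so the rule works on either convention."""
    return os.path.basename(path.replace("\\", "/"))


def detect_smash_and_grab(events):
    """Return (pid, image, stores_read, beacon_dest) for every process that was
    short-lived, read at least two distinct credential stores, and then made
    outbound connections to exactly one endpoint before exiting."""
    by_pid = defaultdict(list)
    for ev in sorted(events):  # order by timestamp, then pid
        by_pid[ev[1]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        image = next((d for _, _, k, d in evs if k == "start"), "?")
        starts = [t for t, _, k, _ in evs if k == "start"]
        exits = [t for t, _, k, _ in evs if k == "exit"]
        if not starts or not exits or exits[0] - starts[0] > MAX_LIFETIME:
            continue  # long-lived or still running: not the smash-and-grab shape
        reads = [(t, _store_name(d)) for t, _, k, d in evs if k == "read"]
        stores = {n for _, n in reads if n in CREDENTIAL_STORES}
        if len(stores) < 2:
            continue  # a browser touching its own store is normal
        last_read = max(t for t, n in reads if n in CREDENTIAL_STORES)
        dests = {d for t, _, k, d in evs if k == "connect" and t > last_read}
        if len(dests) != 1:
            continue  # harvest is followed by one beacon; browsers fan out to many hosts
        alerts.append((pid, image, stores, dests.pop()))
    return alerts
```

Feed it the process-start, file-read, connect and exit events your EDR already records; the three thresholds (lifetime, minimum store count, single destination) are where you tune false-positive rate against backup and migration tools.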

Remediation

  • Treat all credentials on an affected host as compromised; rotate and invalidate sessions.
  • Move crypto to hardware wallets; reissue API tokens.
  • Block manual-execution lures (malvertising filtering, app allow-listing).