RedLine Stealer: The Infostealer That Fueled a Cybercrime Empire

RedLine Stealer dominated the infostealer landscape from 2020 to 2024, responsible for an estimated 51% of all infostealer infections worldwide. Operating as a Malware-as-a-Service (MaaS) platform at just $150/month, it enabled thousands of cybercriminals to harvest credentials, cryptocurrency wallets, and session tokens at industrial scale — until international law enforcement dismantled its infrastructure in October 2024.

Overview & MaaS Model

RedLine Stealer is a .NET-based (C#) information-stealing malware that first appeared in March 2020, initially distributed via COVID-19-themed phishing emails. It quickly grew into the most prolific infostealer family in modern cybercrime. The malware is believed to originate from Russia, with built-in safeguards preventing execution on systems with Russian keyboard layouts or geolocated in CIS countries.

Pricing & Provisioning

• $150/month subscription for the control panel
• $900 for a lifetime license
• Payments in Bitcoin or other cryptocurrency
• Purchased and provisioned via a Telegram bot (menus in English and Russian)
• Control panel features: payload generation, campaign configuration, stolen data viewer, Telegram auto-post integration

ESET's analysis revealed that META Stealer shared the same codebase and backend infrastructure, effectively making it a fork or rebrand of RedLine.

Distribution Methods

• Phishing emails: Fake invoices, shipping notifications, and HR documents with malicious attachments (.zip, .rar, .iso). Techniques include password-protected archives, OneNote attachments with embedded scripts, and HTML smuggling. T1566.001
• Malvertising / SEO poisoning: Malicious ads on search engines targeting popular software searches ("download ChatGPT desktop," "free PDF converter"). ClickFix campaigns redirect to brand-impersonating websites. T1189
• Cracked software: Bundled with game cracks, pirated applications, and freeware from disreputable download sites.
• YouTube campaigns: Links in video descriptions (game cheat/crack tutorials) leading to RedLine-laced downloads.
• Exploit-based delivery: Delivered via the Follina vulnerability (CVE-2022-30190) and through malicious Chrome extensions.

Technical Capabilities

Browser Data Theft

• Saved passwords: Decrypts Chrome passwords using AES GCM by extracting the master key T1555.003
• Cookies and session tokens: Enables account takeover without needing passwords
• Credit card data / autofill information
• Browser history and bookmarks

Cryptocurrency Wallet Theft

• Browser extension wallets: Targets MetaMask, Phantom, and others via Chrome extensions
• Desktop wallets: Exodus, Atomic, Electrum, Jaxx, Ethereum, and 20+ others

Application Credential Theft

• FTP clients: FileZilla credentials from XML config files T1005
• VPN configurations: NordVPN, OpenVPN, ProtonVPN
• Discord tokens, Steam data, IM clients

System Reconnaissance

• System info: IP, geolocation, CPU, GPU, RAM, username, HWID, OS version, UAC settings T1082
• Security products: Installed antivirus enumeration T1518.001
• Screenshots: Desktop capture T1113
• Sandbox evasion: Virtualization/sandbox detection T1497

C2 Infrastructure

• Protocol: Originally SOAP over HTTP (POST to /Endpoint/EnvironmentSettings), later migrated to SOAP over Net.TCP T1071
• Framework: Built on Windows Communication Foundation (WCF)
• Ports: Non-standard high ports (e.g., :37026)
• Infrastructure: Heavily concentrated in Netherlands, Russia, Germany, and the United States
• Exfiltration: All stolen data sent over the C2 channel T1041

MITRE ATT&CK Mapping

Notable Campaigns

Operation Magnus (October 2024)

• 3 servers seized in the Netherlands
• 2 domains seized
• Estimated 1,200+ servers across dozens of countries were used in operations
• Source code for both RedLine and META Stealer seized
• REST-API servers, control panels, stealer binaries, and Telegram bots captured
• 2 people arrested by Belgian police

Maxim Rudometov Charged

Maxim Rudometov, a Russian national from Krasnodar, was identified as a primary developer and administrator of RedLine. He used aliases "dendimirror," "alinchok," and "bloodzz.fenix." He was charged in the Western District of Texas with access device fraud, conspiracy to commit computer intrusion, and money laundering — facing a maximum of 35 years in prison. The US government is offering a $10 million reward for information leading to his capture. He remains at large.

Post-Takedown Landscape

Following Operation Magnus, RedLine no longer functions and cannot steal new data. However, the threat has not disappeared:

• Legacy data persists: Previously stolen credentials continue to circulate on dark web markets and Telegram channels
• Affiliate migration: Former RedLine operators have migrated to Lumma, Vidar, Meduza, and StealC
• Fork risk: Seized source code raises the risk of copycat variants emerging
• IAB ecosystem intact: The operational playbook RedLine pioneered — MaaS distribution, Telegram provisioning, credential harvesting, and IAB feeding — has been replicated by its successors

Detection & Defense

• YARA rules: Available via McAfee ATR GitHub and MalwareBazaar
• Network detection: Monitor for SOAP/WCF traffic to external IPs on non-standard ports
• Behavioral monitoring: Watch .NET processes accessing browser credential stores, wallet directories, and FTP configs
• MFA enforcement: FIDO2/WebAuthn preferred (resistant to fatigue attacks)
• Application whitelisting: Restrict execution of unsigned .NET binaries
• DNS filtering: Block known malicious domains via threat intelligence feeds
• Credential rotation: Regularly rotate credentials, especially after any suspected infostealer exposure
• Breach monitoring: Check infostealer log marketplaces for organizational credential exposure