RedLine Stealer

Overview

RedLine Stealer is a commodity information-stealing malware sold on Russian-speaking cybercrime forums. It harvests credentials from browsers, cryptocurrency wallets, VPN clients, and other applications. The malware is available as Malware-as-a-Service (MaaS) for approximately $150-200 per month, making it accessible to low-skilled threat actors.

Also Known As

RedLine, RedLine Infostealer

How It Spreads

• • Phishing emails with malicious attachments
• • Fake software cracks and keygens
• • Malicious Google Ads redirecting to fake download sites
• • Compromised legitimate software installers
• • Discord and Telegram malware distribution channels

What It Does

• • Steals saved passwords from Chrome, Firefox, Edge, and other browsers
• • Extracts cryptocurrency wallet data and private keys
• • Harvests VPN credentials (NordVPN, OpenVPN, ProtonVPN)
• • Captures Discord tokens and session cookies
• • Collects system information and installed software list
• • Exfiltrates data via HTTP POST to command-and-control servers

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Monitor for processes accessing browser credential storage locations
• • Alert on unusual HTTP POST traffic to unknown external IPs
• • Watch for processes reading cryptocurrency wallet files
• • Detect execution from temporary or download directories
• • Monitor registry queries for installed VPN software

MITRE ATT&CK Techniques

T1555, T1539, T1552, T1083, T1082