Redline Stealer

Description

RedLine Stealer is commodity malware. It is sold via underground forums and chat apps such as Telegram and WhatsApp, typically for $100-$150 USD, under the MaaS (malware-as-a-service) business model. Written in .NET, this malware family made its debut in 2020. It is designed to collect sensitive information from infected devices, such as:

  • saved credentials
  • credit card information
  • crypto-wallets
  • autocomplete data
  • cookies
  • data from several programs such as Discord, Steam, FileZilla, email clients, IM clients, password managers, and others

Later updates to RedLine Stealer added RAT functions, allowing it to upload and download files and execute commands. While this family typically uses its own C2 servers, some variants have been observed using public repositories such as GitHub so that their outbound traffic blends in with legitimate connections.

The latest versions of RedLine Stealer operate more stealthily by carrying malicious strings as Lua bytecode, obfuscating them and avoiding the common, easily detected scripts that earlier builds relied on.

As of 2026, RedLine Stealer remains active primarily through repackaged and legacy builds, following the disruption of its infrastructure in Operation Magnus; no major new functionality has been confirmed since.

Aliases

  • Redline Loader
  • RedLine Stealer
  • Redline

Targeted Industries

  • All

Objectives

  • Data Theft

Known Infection Vectors

  • Phishing
  • Spearphishing
  • Bundled with other malware
  • Fake blockchain games
  • Fake sponsored ads for free downloads of ChatGPT and Google Bard

References

Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 Part II (Fortinet)
https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two

RedLine Stealer (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

U.S. Joins International Action Against RedLine and META Infostealers (U.S. Department of Justice)
https://www.justice.gov/usao-wdtx/pr/us-joins-international-action-against-redline-and-meta-infostealers

Maxim Alexandrovich Rudometov & RedLine (Rewards For Justice)
https://rewardsforjustice.net/rewards/maxim-alexandrovich-rudometov-redline/

Armenian Man Extradited to U.S. Faces Charges for Role in Infostealing Malware Scheme (U.S. Department of Justice)
https://www.justice.gov/usao-wdtx/pr/armenian-man-extradited-us-faces-charges-role-infostealing-malware-scheme

Active CVEs