RedLine Stealer: Anatomy of the World's Most Prolific Infostealer
Threat Profile
"In 2024, RedLine Stealer accounted for 34% of all infostealer infections globally, making it the single most prevalent credential-harvesting malware in the wild."
Every day, millions of stolen credentials flood dark web marketplaces. Bank logins. Corporate VPN access. Cryptocurrency wallets. Social media accounts. The majority of this data doesn't come from sophisticated nation-state hacking operations or zero-day exploits. It comes from commodity malware that costs less than a Netflix subscription.
RedLine Stealer is the undisputed king of this underground economy. Since its emergence in 2020, it has infected millions of machines, harvested billions of credentials, and spawned an entire ecosystem of cybercrime that feeds everything from ransomware gangs to business email compromise schemes.
This is a complete technical breakdown of how RedLine works, how it spreads, and why it matters for anyone investigating digital crime in 2025.
What Is RedLine Stealer?
RedLine Stealer is an information-stealing malware (infostealer) designed to extract sensitive data from infected Windows systems. Unlike ransomware, which announces itself loudly and demands payment, infostealers operate silently. The victim never knows they've been compromised until their bank account is drained or their crypto wallet is emptied.
RedLine is sold as a Malware-as-a-Service (MaaS) product. Anyone with a few hundred dollars and access to the right Telegram channels can purchase a license, receive a pre-configured executable, and begin harvesting credentials within hours. No coding skills required.
The malware is written in C# and targets .NET Framework environments, meaning it runs on virtually every Windows machine made in the last 15 years. Upon execution, RedLine performs a systematic extraction of everything valuable on the target system, packages it into a structured "log," and exfiltrates it to a command-and-control (C2) server controlled by the operator.
What Does RedLine Steal?
RedLine's data harvesting capabilities are comprehensive. A single successful infection can yield enough information to completely compromise a victim's digital life.
Browser Data Extraction
RedLine targets all major Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi) and Firefox. It extracts:
- Saved Passwords: All usernames and passwords stored in the browser's credential manager.
- Cookies: Session tokens that allow attackers to hijack active logins without needing passwords.
- Autofill Data: Saved addresses, phone numbers, and form field entries.
- Credit Card Information: Payment card numbers, expiration dates, and CVVs stored for "convenience."
- Browser History: Complete URL history revealing victim interests and account access patterns.
The browser password vault is the crown jewel. Most users reuse passwords across multiple services, so a single browser dump often yields access to dozens of accounts: email, banking, social media, cloud storage, and corporate systems.
Cryptocurrency Wallet Theft
RedLine specifically targets cryptocurrency storage with surgical precision:
- Desktop Wallets: Electrum, Exodus, Atomic, Jaxx, Coinomi, and dozens of others. RedLine extracts wallet.dat files and seed phrases.
- Browser Extensions: MetaMask, Phantom, Trust Wallet, and other Web3 wallets are targeted for session tokens and encrypted vault data.
- Cold Wallet Software: Configuration files from hardware wallet companion apps that may contain transaction history or address books.
Cryptocurrency theft is immediate and irreversible. Once an attacker has your seed phrase or wallet file, they can drain your funds in seconds. There's no bank to call for a chargeback. The FBI has warned repeatedly about the rise in cryptocurrency-related theft.
```text
// Targeted Crypto Wallet Paths (Partial List)
%APPDATA%\Electrum\wallets
%APPDATA%\Exodus\exodus.wallet
%APPDATA%\atomic\Local Storage\leveldb
%APPDATA%\Guarda\Local Storage\leveldb
%APPDATA%\Coinomi\Coinomi\wallets
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn  // MetaMask
```
Application Credentials
Beyond browsers and crypto, RedLine harvests credentials from:
- VPN Clients: NordVPN, ExpressVPN, ProtonVPN, OpenVPN configuration files.
- FTP Clients: FileZilla, WinSCP stored credentials, often leading to web server access.
- Email Clients: Outlook, Thunderbird profile data.
- Messaging Apps: Discord tokens, Telegram session data, Steam login credentials.
- Gaming Platforms: Steam, Epic Games, Battle.net account data.
System Fingerprinting
Every RedLine log includes detailed system reconnaissance data:
- Operating system version and build number
- Hardware specifications (CPU, GPU, RAM)
- Installed software inventory
- Running processes
- IP address and geolocation data
- Screenshot of the active desktop
This fingerprint data helps criminals assess victim value. A machine with crypto trading software installed is worth more than a basic home PC. A system on a corporate network suggests potential for lateral movement.
How RedLine Spreads
RedLine's operators don't rely on a single distribution method. They exploit every available channel to reach potential victims. CISA has documented how infostealers like RedLine are commonly distributed through phishing and malvertising.
Phishing Campaigns
The classic approach remains effective. Victims receive emails claiming to be invoices, shipping notifications, or HR documents. The attachment (typically a .zip, .rar, or .iso file) contains the RedLine payload disguised as a PDF or Word document.
Modern phishing campaigns use:
- Password-Protected Archives: The email includes an archive password, bypassing email security scanners that can't inspect encrypted contents.
- OneNote Attachments: Microsoft OneNote files (.one) with embedded malicious scripts that execute when clicked.
- HTML Smuggling: JavaScript-generated payloads that construct the malware file in the browser, evading network-level detection.
Malvertising and Fake Software
Criminals purchase Google Ads targeting users searching for popular software. When victims click, they're directed to convincing clone sites offering trojanized versions of legitimate programs. Microsoft Security has tracked numerous campaigns using this technique.
Common lures include:
- AI tools (fake ChatGPT desktop apps, Midjourney installers)
- System utilities (driver updaters, registry cleaners)
- Productivity software (fake Notion, Slack, or Zoom installers)
- VPN applications
- Antivirus programs (the irony is intentional)
The downloaded installer often functions as expected, actually installing the legitimate software, while silently deploying RedLine in the background. The victim has no idea they've been compromised.
YouTube and Social Media
RedLine operators have compromised thousands of YouTube accounts to distribute malware. They upload videos advertising:
- Game cheats and hacks (Fortnite, Valorant, CS2)
- Cracked software and license key generators
- Premium content unlockers
- Free cryptocurrency and NFT giveaways
Video descriptions include links to file-sharing sites hosting the malicious payload. The audience, often young gamers, downloads without suspicion.
Fake Browser Updates
Compromised websites inject scripts that display convincing browser update notifications. The pop-up claims the user's Chrome or Edge is outdated and offers a "critical security update." The downloaded file is RedLine.
The Business Model: Malware-as-a-Service
RedLine's success stems from its accessibility. The developers don't use the malware themselves. They sell it to "affiliates" who conduct the actual infections.
Customers receive:
- A web-based control panel to manage infections and view stolen "logs"
- A "builder" tool to generate custom malware payloads
- Regular updates to evade antivirus detection
- Customer support via Telegram
This model democratizes cybercrime. Aspiring criminals don't need technical skills, just money and the willingness to break the law.
Technical Deep Dive: How RedLine Operates
Execution Flow
When a victim runs the RedLine payload:
- Anti-Analysis Checks: The malware first checks for virtual machine indicators, debugging tools, and sandbox environments. If detected, it terminates silently to avoid analysis.
- Environment Fingerprinting: It collects system information (OS version, username, hardware specs, installed applications) to build a victim profile.
- Data Harvesting: RedLine systematically extracts data from all targeted applications. Browser databases are decrypted using Windows DPAPI (Data Protection API) calls.
- Log Compilation: Stolen data is structured into a standardized format, compressed, and prepared for exfiltration.
- C2 Communication: The log is transmitted to the command-and-control server via HTTP POST request. Some variants use Telegram bots as C2 channels.
- Cleanup or Persistence: Depending on configuration, RedLine either self-destructs after exfiltration or establishes persistence for repeated harvesting.
Obfuscation Techniques
RedLine employs several techniques to evade detection. Security researchers at ESET and Trellix have published extensive analyses of these methods:
- String Obfuscation: Critical strings (file paths, function names, C2 addresses) are split into individual characters and reassembled at runtime.
- Dynamic API Resolution: Windows API calls are resolved dynamically rather than imported statically, hiding malicious functionality from static analysis.
- Encrypted Payloads: The actual malware is often encrypted and only decrypted in memory during execution.
- Lua Bytecode: Some variants embed malicious logic in Lua bytecode, which traditional security tools struggle to analyze.
```csharp
// Example: String Obfuscation (Deobfuscated)
// Original obfuscated code reconstructs paths character by character.
// The char literals are concatenated onto an empty string so that C# produces a string
// rather than adding the characters as integers; the backslash char is '\\'.
string chromePath = "" + 'C' + ':' + '\\' + 'U' + 's' + 'e' + 'r' + 's' + '\\' + ...;
// Reconstructed result: C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data
```
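As an added example (not code from this page or from RedLine itself), a small analyst-side helper that reverses the split-string pattern shown above: it finds runs of C# char literals joined with `+` in decompiled source and reassembles them into the paths, API names or C2 strings the malware builds at runtime. The `(char)N` cast variant and the sample input are assumptions constructed for the example.

```python
import re

# One character as it appears in decompiled C#: a char literal ('C', '\\', '\x41')
# or an integer cast such as (char)67 / (char)0x43 (the cast form is an assumed variant).
CHAR = r"'(?:\\x[0-9A-Fa-f]{1,4}|\\.|[^'\\])'|\(char\)\s*(?:0x[0-9A-Fa-f]+|\d+)"
# Two or more characters joined with '+', the shape the split-string obfuscation produces.
CHAIN = re.compile(rf"(?:{CHAR})(?:\s*\+\s*(?:{CHAR}))+")
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\", "'": "'", '"': '"'}

def decode_char(token: str) -> str:
    """Turn one char token back into the character it encodes."""
    if token.startswith("(char)"):
        return chr(int(token[6:].strip(), 0))  # base 0 accepts both 67 and 0x43
    body = token[1:-1]
    if body.startswith("\\x"):
        return chr(int(body[2:], 16))
    if body.startswith("\\"):
        return ESCAPES.get(body[1], body[1])
    return body

def chain_text(chain: str) -> str:
    """Reassemble a '+'-joined chain into the plaintext the malware builds at runtime."""
    return "".join(decode_char(m.group(0)) for m in re.finditer(CHAR, chain))

def extract_strings(source: str) -> list:
    """Every reassembled string in the source: file paths, API names, C2 hosts."""
    return [chain_text(m.group(0)) for m in CHAIN.finditer(source)]

def deobfuscate(source: str) -> str:
    """Rewrite each chain as a normal C# string literal so the code reads naturally."""
    def as_literal(m):
        text = chain_text(m.group(0)).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{text}"'
    return CHAIN.sub(as_literal, source)

# Constructed sample in the shape of the decompiled snippet above (not real RedLine code).
SAMPLE = (
    "string chromePath = 'C' + ':' + '\\\\' + 'U' + 's' + 'e' + 'r' + 's';\n"
    "string host = (char)0x31 + '2' + '7' + '.' + '0' + '.' + '0' + '.' + (char)49 + ':' + '8' + '0';\n"
)

if __name__ == "__main__":
    print(extract_strings(SAMPLE))
    print(deobfuscate(SAMPLE))
```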
Persistence Mechanisms
When configured for persistence, RedLine ensures it survives system reboots:
- Scheduled Tasks: Creates Windows Task Scheduler entries that execute the malware at login or regular intervals.
- Registry Run Keys: Adds entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- WER Exploitation: Abuses Windows Error Reporting mechanisms to restart if terminated unexpectedly.
Operation Magnus: The Takedown
In October 2024, an international law enforcement operation dubbed "Operation Magnus" dealt a significant blow to RedLine's infrastructure. The U.S. Department of Justice announced the coordinated action alongside European law enforcement partners.
The U.S. Department of Justice unsealed charges against Maxim Rudometov, identified as a primary developer and administrator of RedLine. Rudometov faces charges including:
- Access device fraud
- Conspiracy to commit computer intrusion
- Money laundering
Law enforcement also obtained databases containing thousands of RedLine affiliate accounts, providing investigators with a roadmap to the entire criminal ecosystem. Europol coordinated the international aspects of the operation.
However, RedLine hasn't disappeared. Within weeks of the takedown, new variants appeared in the wild. The source code had already been shared among multiple criminal groups, and the MaaS infrastructure can be rebuilt. Operation Magnus was a victory, but the war continues.
The Stolen Data Economy
RedLine logs don't sit on criminal hard drives. They flow into a vast underground economy:
Log Marketplaces
Platforms like Russian Market, Genesis Market (before its FBI-led takedown), and 2easy aggregate millions of stealer logs for sale. Buyers search by:
- Target website (e.g., "paypal.com" credentials)
- Geographic region
- Cookie freshness
- Account value indicators
A single log containing valid banking credentials can sell for $10-50. Logs with cryptocurrency wallet access fetch hundreds.
Session Hijacking
Stolen cookies enable "session hijacking," allowing attackers to log into accounts without needing passwords and while bypassing MFA. Attackers import the victim's cookies into their browser and inherit an active authenticated session.
This is why you sometimes see "your account was accessed from an unusual location" alerts. That's not a password breach. It's cookie theft from an infostealer infection.
Initial Access Brokerage
Some RedLine logs reveal corporate VPN credentials or cloud service access. These are sold to ransomware gangs as "initial access," the foothold needed to begin a full network compromise. The FBI's Internet Crime Complaint Center (IC3) tracks these transactions as a growing threat vector.
A single VPN credential for a Fortune 500 company can sell for $5,000-50,000 depending on the target's perceived value.
Detection and Defense
Indicators of Compromise
Security teams should monitor for:
- Unusual access to browser credential stores (Login Data, Cookies databases)
- Processes reading cryptocurrency wallet directories
- Outbound HTTP POST requests to unfamiliar domains
- Scheduled task creation by non-standard processes
- Discord/Telegram API calls from non-messaging applications
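An added example, not taken from this page or from any vendor tool: a small rule set that triages constructed, Sysmon-style events for the first four indicators above together with the Run-key and scheduled-task persistence described earlier, using the browser credential stores and wallet paths this page lists. The event field names, the allowlist of processes that legitimately open each store, and the sample events are assumptions made for the example.

```python
import re

# Artefacts RedLine reads (the wallet-path list and browser stores named on this page),
# each with the images that legitimately open them. The allowlist is constructed for this example.
SENSITIVE = [
    (re.compile(r"\\(Chrome|Edge)\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I),
     {"chrome.exe", "msedge.exe"}),
    (re.compile(r"\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn\\", re.I), {"chrome.exe"}),
    (re.compile(r"\\(Electrum\\wallets|Exodus\\exodus\.wallet|atomic\\Local Storage\\leveldb)", re.I),
     {"electrum.exe", "exodus.exe", "atomic wallet.exe"}),
]
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check(event):
    """Return an alert string for one event, or None when it matches no RedLine-style behaviour."""
    image, kind = event["Image"], event["Event"]
    if kind == "FileAccess":
        for pattern, owners in SENSITIVE:
            if pattern.search(event["TargetFilename"]) and image_name(image) not in owners:
                return f"credential/wallet store read by foreign process: {image}"
    elif kind == "RegistrySet" and RUN_KEY.match(event["TargetObject"]):
        if USER_WRITABLE.search(image) or USER_WRITABLE.search(event["Details"]):
            return f"Run key persistence pointing at user-writable path: {event['Details']}"
    elif kind == "ProcessCreate" and image_name(image) == "schtasks.exe":
        if "/create" in event["CommandLine"].lower() and USER_WRITABLE.search(event["ParentImage"]):
            return f"scheduled task created by non-standard parent: {event['ParentImage']}"
    return None

def triage(events):
    """(image, alert) pairs; several hits from one image point to a stealer rather than a one-off."""
    return [(e["Image"], a) for e in events if (a := check(e))]

# Constructed sample telemetry (field names loosely follow Sysmon; these are not real logs).
STEALER = r"C:\Users\bob\AppData\Local\Temp\setup_x64.exe"
LOGIN_DATA = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EVENTS = [
    {"Event": "FileAccess", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": LOGIN_DATA},                       # the browser itself: benign
    {"Event": "FileAccess", "Image": STEALER, "TargetFilename": LOGIN_DATA},
    {"Event": "FileAccess", "Image": STEALER,
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"Event": "RegistrySet", "Image": STEALER, "Details": r"C:\Users\bob\AppData\Roaming\svc\updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": STEALER,
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\bob\\AppData\\Roaming\\svc\\updater.exe"},
]
```

Running `triage(EVENTS)` yields four alerts, three of them from the same Temp-resident image, which is the clustering a SOC analyst would pivot on.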
Protection Recommendations
Based on guidance from CISA's Shields Up initiative and the NIST Cybersecurity Framework:
- Never store passwords in browsers. Use a dedicated password manager with a master password not stored anywhere on the system.
- Enable hardware security keys for critical accounts. FIDO2/WebAuthn authentication cannot be stolen by infostealers.
- Use browser profiles or containers to isolate cryptocurrency activity from general browsing.
- Maintain offline backups of cryptocurrency seed phrases. Never store seeds digitally on internet-connected devices.
- Be skeptical of downloads. Verify software authenticity. Check URLs carefully. Avoid "cracked" software entirely.
- Enable PowerShell logging and Sysmon for enterprise detection of stealer activity.
Why This Matters for Investigations
For investigators, RedLine logs are both a problem and an opportunity.
The problem: Criminals use stolen credentials to assume false identities, access victim accounts, and launder money through compromised infrastructure.
The opportunity: RedLine's systematized data collection creates structured intelligence. When we obtain stealer logs (from seized criminal infrastructure or breach data ingestion) we gain insight into:
- Which machines an individual has used
- What accounts they control
- Their password patterns and reuse habits
- Cryptocurrency wallets they own
- Geographic and temporal activity patterns
The CovertLabs intelligence graph ingests and correlates stealer log data at scale. When investigating a target, we can surface connections revealed by infostealer compromises, sometimes exposing aliases and assets the target has forgotten about.
In the criminal ecosystem, everyone is both predator and prey. The hacker stealing your client's credentials today may themselves appear in a stealer log tomorrow. We track both.