{
	"id": "ec293126-ade5-4ddc-99bd-95d16c4c8001",
	"created_at": "2026-04-06T02:12:26.102598Z",
	"updated_at": "2026-04-10T03:28:46.91112Z",
	"deleted_at": null,
	"sha1_hash": "00b06d1bd92d91c7d02a0f233d5a894cfdf0ea8c",
	"title": "RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675282,
	"plain_text": "RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload\r\nBy Gustavo Palazolo\r\nPublished: 2022-05-12 · Archived: 2026-04-06 01:35:45 UTC\r\nSummary\r\nRedLine Stealer is malware that emerged in 2020 and was discovered being sold in underground forums under different plans, starting from $100 per month. The malware offers many capabilities for device reconnaissance, remote control, and information stealing, including:\r\nData from browsers (e.g. logins, passwords, credit cards, cookies, etc.);\r\nData from Discord and Telegram (e.g. chat logs, tokens, etc.);\r\nVPN and FTP credentials;\r\nSince its discovery, attackers have used many different vectors to spread this stealer, including fake installers and fake game hacking tools. RedLine Stealer was also found on devices compromised by the DEV-0537 hacking group (a.k.a. lapsus$).\r\nIn April 2022, Netskope Threat Labs identified a new RedLine Stealer campaign spread on YouTube, using a fake bot for buying Binance Mystery Box NFTs as the lure. The video description leads the victim to download the fake bot, which is hosted on GitHub.\r\nIn this blog post, we will analyze this campaign, showing how it is being spread and how the fake bot leads to RedLine Stealer.\r\nYouTube Videos\r\nThe malware is spread through YouTube videos that lure victims into downloading a fake bot to automatically buy Binance NFT Mystery Boxes. At this point, we found five videos across multiple channels that are part of the same campaign. 
All the URLs can be found in our GitHub repository.\r\nhttps://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload\r\nPage 1 of 26\n\nAttacker spreading RedLine through YouTube video.\r\nThe video description provides details and the download link for the fake bot, which is supposedly a Chrome extension.\r\nVideo description with the link to download the fake bot.\r\nThe video description also contains several tags, probably to increase its visibility, including:\r\nbinance, nft, bot, buy, mysterybox, box, busd, autobuy, cryptobot, binance, bitcoin, crypto trading bot, cryptocurrency, binance trading bot, binance trade bot, bitcoin trading bot, btc, bot, binance bot trading, nance grid trading, bnb, binance nft, bot for binance, binance trading tutorial\r\nStage 01 – Loader\r\nAll the videos we found point to the same GitHub URL, which downloads a file named “BinanceNFT.bot v.1.3.zip”.\r\nOnce we decompress the ZIP file, we have the packed RedLine sample (“BinanceNFT.bot v.1.3.exe”) and a Microsoft Visual C++ Redistributable installer (“VC_redist.x86.exe”).\r\nDecompressed ZIP file downloaded from GitHub.\r\nThe “README.txt” file contains the instructions that should be followed to run the fake NFT bot, including installing the Microsoft Visual C++ Redistributable. 
This is probably needed because RedLine is developed in .NET, and it is also unpacked and injected into an executable from this framework.\r\nReadme file.\r\nThe first stage was likely compiled on April 5, 2022, and it is responsible for decrypting and loading RedLine Stealer into another process.\r\nDetails of the packed RedLine Stealer sample.\r\nThe binary details also include values that seem to be copied from another executable, using “LauncherPatcher.exe” as the original filename.\r\nFurther details about the first stage.\r\nMany malware families use a trick to delay the execution of their functions, often to outlast sandboxes, which usually have a limited analysis time. As a result, some sandboxes are able to bypass this technique, for example by patching or hooking Sleep functions.\r\nThis RedLine Stealer loader contains a simple trick to evade sandboxes with such functionality. Upon execution, it tries to delay execution by 15 seconds and compares the timestamp (GetTickCount) before and after the Sleep API call. 
If the elapsed time is less than 15 seconds, it exits the process.\r\nTrick to evade sandbox analysis.\r\nThis can be tested by patching the Sleep function in a debugger.\r\nRedLine loader exiting the process if the Sleep function is bypassed.\r\nIf the sandbox is not detected through this simple trick, the loader then decrypts the next stage using a simple rolling XOR algorithm with “OdoAAtK” as the key.\r\nLoader decrypting RedLine Stealer payload.\r\nThen, it executes a shellcode, which is decrypted using the same algorithm.\r\nLoader decrypting and executing a shellcode.\r\nFinally, the payload is injected into “RegSvcs.exe” using a simple process injection technique, similar to RunPE. We also found cases where a similar loader injects RedLine Stealer into “AppLaunch.exe”, as we will describe later.\r\nLoader injecting unpacked RedLine Stealer into another process.\r\nStage 02 – Payload\r\nRedLine Stealer is developed in .NET, and the compilation timestamp was altered in the binary, showing a date from the year 2102. Formbook also used altered timestamps in its payloads, a common trick malware authors use to deceive analysts and researchers. 
\r\nFortunately, RedLine Stealer uses a clearly nonsensical date, which can be used for detection in Yara rules, for example.\r\nRedLine Stealer payload details.\r\nOnce executed, the infostealer calls a function named “Check”. If this function returns true, the malware exits its process.\r\nRedLine Stealer “Check” function.\r\nIn summary, this function verifies whether the malware is running in a blocklisted country, by comparing the country name with the OS region information.\r\nThis malware does not execute if any of these countries is detected:\r\nArmenia\r\nAzerbaijan\r\nBelarus\r\nKazakhstan\r\nKyrgyzstan\r\nMoldova\r\nRussia\r\nTajikistan\r\nUkraine\r\nUzbekistan\r\nWe tested this by changing the OS language to Ukrainian. 
The malware uses the “EnglishName” field of the .NET RegionInfo class to compare against the blocklist.\r\nRedLine Stealer exits the process if a blocklisted country is found.\r\nRedLine Stealer maintains a simple configuration, where the values are base64 encoded and encrypted with a rolling XOR algorithm.\r\nRedLine Stealer configuration.\r\nThe decryption key used by this sample is “Wombles”, and we can use a simple Python script to retrieve the C2 address value:\r\nDecrypting RedLine Stealer C2 address.\r\nThe “ID” value also uses the same algorithm:\r\nDecrypting RedLine Stealer ID.\r\nAs previously mentioned, RedLine Stealer offers many capabilities to the attacker, including stealing Discord tokens.\r\nRedLine Stealer function that reads Discord tokens.\r\nMore Files From the Same Campaign\r\nLooking at the GitHub account (“NFTSupp”) that owns the repository where the file linked in the YouTube videos is hosted, we can see that its activity started in March 2022.\r\nGitHub account and repository hosting RedLine Stealer.\r\nAside from the files we analyzed in this blog post, contained within “BinanceNFT.bot v.1.3.zip”, 
there are 15 additional compressed files hosted in the same repository (“NFTBOT”), two of which are password protected (“45.rar” and “Upload.Openbot.rar”).\r\nCompressed files within the same repository.\r\nWithin these compressed files, we found five distinct RedLine Stealer loaders.\r\nDifferent RedLine Stealer loaders in the same repository.\r\nAll five loaders we analyzed are slightly different, but they all unpack and inject RedLine Stealer in a similar way, as described earlier in this analysis. The oldest sample we found was likely compiled on March 11, 2022 and the newest one on April 7, 2022.\r\nFurthermore, two of the five files are digitally signed, which may bypass some antivirus engines. 
The first one appears to use a signature from “NordVPN S.A.”\r\nRedLine Stealer digitally signed.\r\nThe second one is signed for “EasyAntiCheat Oy”.\r\nRedLine Stealer digitally signed.\r\nAlso, one of the loaders injects the payload into “AppLaunch.exe” instead of “RegSvcs.exe”.\r\nRedLine Stealer being injected into AppLaunch process.\r\nWe found four distinct RedLine Stealer payloads from these five loaders, all sharing the same C2 address.\r\nConclusions\r\nAlthough RedLine Stealer is low-cost malware, it offers many capabilities that could cause serious damage to its victims, such as the loss of sensitive data. RedLine Stealer was already known for abusing YouTube videos to spread through fake themes; however, in this campaign we saw that the attacker is also abusing GitHub in the attack flow, to host the payloads.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 
\r\nNetskope Threat Protection\r\nWin32.Trojan.RedLineStealer\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nAll the IOCs related to this campaign and the Yara rules can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload"
	],
	"report_names": [
		"redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441546,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00b06d1bd92d91c7d02a0f233d5a894cfdf0ea8c.pdf",
		"text": "https://archive.orkl.eu/00b06d1bd92d91c7d02a0f233d5a894cfdf0ea8c.txt",
		"img": "https://archive.orkl.eu/00b06d1bd92d91c7d02a0f233d5a894cfdf0ea8c.jpg"
	}
}