{
	"id": "06166166-e46c-4cf5-b132-7390bac15d3d",
	"created_at": "2026-04-06T00:18:16.723602Z",
	"updated_at": "2026-04-10T13:12:04.851413Z",
	"deleted_at": null,
	"sha1_hash": "29b3370e7eb44921410082f009e57e0a40a51f2c",
	"title": "RedLine Stealer Malware - Password Stealer Virus | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2197238,
	"plain_text": "RedLine Stealer Malware - Password Stealer Virus | Proofpoint US\r\nBy Jeremy H, Axel F and Proofpoint Threat Insight Team, March 16, 2020\r\nPublished: 2020-03-16 · Archived: 2026-04-05 14:47:23 UTC\r\nIn early March 2020, Proofpoint researchers observed an email campaign attempting to deliver a previously unknown malware which the malware author calls RedLine Stealer. This name (not to be confused with the FireEye tool “Redline”) can be seen in the forum advertisements, code comments, and command and control (C\u0026C) panel.\r\nThe emails in this password stealer campaign abused the Folding@home brand, which is a distributed computing project for disease research, while also asking the recipient to help find a coronavirus cure. This campaign primarily targeted healthcare and manufacturing industries in the United States.\r\nThe RedLine password stealer virus is new malware available for sale on Russian underground forums with several pricing options: $150 lite version; $200 pro version; $100 / month subscription option. It steals information from browsers such as login, autocomplete, passwords, and credit cards. It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software. A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets.\r\nRedLine Stealer is written in C#. While not particularly sophisticated, we were surprised by the high quality and readability of the code, notably its proper use of delegates, class inheritance, and data models, along with the use of SOAP for its C\u0026C channel. This indicates a moderate-to-high level of experience with the .NET programming language from the developer. 
RedLine Stealer also appears to be under active development, as shown by the recent introduction of new features.\r\nRedline Password Stealer Malware Delivery Analysis\r\nOn March 7, 2020, Proofpoint researchers observed an email campaign consisting of thousands of messages and attempting to deliver RedLine Stealer via a URL in the email messages. The campaign targeted primarily the United States. Recipients were in many different industries, but the top affected were healthcare and manufacturing.\r\nEmails were sent from “Shannon Wilson \u003cshannon@litegait[.]com\u003e” with the subject “Please help us with Fighting corona-virus”. These emails purported to come from \"Mobility Research Inc\" and implored recipients to help find a cure to coronavirus by participating in their program \"Folding@Thome\".\r\n“Folding@Thome” (notice the extra “T”) is a spoof of the legitimate distributed computing project Folding@home. In this project, similar to SETI@home, participants are asked to help by donating their computing power through the use of an application that does processing on behalf of the organization. According to Folding@home, participants are donating their computing power “for disease research that simulates protein folding, computational drug design, and other types of molecular dynamics.”\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign\r\nPage 1 of 11\r\nParticipants in the legitimate Folding@home project download the official application from their website. In this malicious email campaign, recipients are encouraged to download the application via a link in the email. After clicking the link, the user is redirected to the malware executable hosted on BitBucket. Figure 1 shows a sample of the malicious email. 
\r\nFigure 1 Malicious Spoofed Folding@home Email with link to malware\r\nBecause Folding@home participants need to install an application on their system to help the project, the use of this as a lure is particularly clever by the attackers, as recipients who want to help with coronavirus research may not find the downloading and installation of an application unusual or unexpected.\r\nRedLine Stealer for Sale\r\nWe found “for sale” advertisements for RedLine Stealer on several forums (one as early as Feb 20, 2020). Some appear to be from an official seller with several pricing options ($100 / month subscription; $150 lite version; $200 pro version), while some appear to be a cracked version (selling for $300). The official advertisement is as follows, translated from Russian:\r\n*********************************************************\r\nStealer functionality:\r\nCollects from browsers:\r\nLogin and passwords\r\nCookies\r\nAutocomplete fields\r\nCredit cards\r\nSupported browsers:\r\nAll browsers based on Chromium (even latest version of Chrome)\r\nAll Gecko-based browsers (Mozilla, etc.)\r\nData collection from FTP clients, IM clients\r\nFile-grabber customizable by Path, Extension, Search-in-subfolders (can be configured for the necessary cold wallets, Steam, etc.)\r\nSettings by country. 
Setting up a blacklist of countries where the build will not work\r\nSettings for anti-duplicate logs in the panel\r\nCollects information about the victim's system: IP, country, city, current username, HWID, keyboard layout, screenshot, screen resolution, operating system, UAC Settings, is the current build running with administrator privileges, User-Agent, information about PC hardware (video cards, processors), installed antiviruses\r\nPerforming tasks:\r\nDownload - download a file from link to the specified path\r\nRunPE - injection of a 32-bit file downloaded from link into another file\r\nDownloadAndEx - download a file from link to the specified path with subsequent launch\r\nOpenLink - open a link in the default browser\r\n*********************************************************\r\nAlso, on March 4, the seller advertised an update that added stealing of cryptocurrency cold wallets.\r\nThe C\u0026C panel is a GUI program installed on a dedicated Windows server, not as a web panel. Specifically, the panel operates as a WSDL application which responds to configured SOAP APIs to interact with the client malware sample. The panel has typical functionality for controlling malware like this, including displaying, sorting, exporting, commenting on, and searching logs, creating downloads, and running tasks. 
The panel boasts having convenient features for log sellers such as exporting logs for a list of websites.\r\nIn Figure 2 you can see the Loader Tasks panel where actions such as “Download”, “RunPE”, “DownloadAndEx”, “OpenLink” can be specified.\r\nFigure 2 C\u0026C panel showing the Loader Tasks\r\nIn Figure 3 you can see the Settings panel where options such as those for log collection can be specified.\r\nFigure 3 C\u0026C panel showing Settings\r\nIn Figure 4 you can see the Logs panel where a summary of the stolen information is displayed.\r\nFigure 4 C\u0026C panel showing Logs\r\nMalware Analysis\r\nProofpoint researchers have confirmed all functionality described in the forum advertisements. RedLine is a stealer that supports FTP (such as FileZilla, WinSCP), IM clients (such as Pidgin), crypto-currency wallets, and browser cookies/settings. 
It also reports back a range of information about the system and can perform additional tasks such as downloading and running payloads.\r\nIn addition to the features listed above, there were some additional points that we found interesting:\r\nPanel is a WSDL service\r\nClient configuration is supplied (and updatable) from C\u0026C\r\nC\u0026C communications use SOAP over HTTP\r\nFigure 5 through Figure 8 below show code samples from RedLine.\r\nFigure 5 Showing the list of classes and the “main”\r\nFigure 6 Enumeration of credit cards for the Chromium-based browsers\r\nFigure 7 Code for RunPE, injection of a file downloaded from a URL into another file\r\nFigure 8 Model for stealer settings from C\u0026C\r\nIn Figure 9 you can see an example of the network traffic generated by the stealer. Specifically, in this traffic the C\u0026C configures the client settings (GrabBrowsers, GrabFTP, etc.) via the SOAP protocol (over HTTP).\r\nFigure 9 Network traffic from the C\u0026C to configure the client settings\r\nConclusion\r\nRedLine Password Stealer virus, a new, previously undocumented malware, has appeared in a new email campaign aimed at U.S. healthcare and manufacturing organizations. 
It already has many of the standard information stealer features, as well as additional features such as downloading secondary payloads and advanced filtering features. The developer appears to be actively working on and updating the malware.\r\nThis specific password stealer campaign used COVID-19 and Folding@home lures to make downloading this application seem plausible. We are currently observing many other actors trying COVID-19 email lures for a variety of nefarious purposes such as attempting to deliver malware, phishing, business email compromise, and spam.\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nhxxps://bitbucket[.]org/example123321/download/downloads/foldingathomeapp.exe | URL | URL hosting RedLine Stealer\r\n0ddd7d646dfb1a2220c5b3827c8190f7ab8d7398bbc2c612a34846a0d38fb32b | SHA256 | RedLine Stealer Payload\r\n5df956f08d6ad0559efcdb7b7a59b2f3b95dee9e2aa6b76602c46e2aba855eff | SHA256 | RedLine Stealer Payload\r\n66.206.18[.]186 | IP | RedLine Stealer C2\r\nET and ETPRO Suricata/Snort Coverage\r\n2841160 - ETPRO TROJAN RedLine - CnC Activity\r\n2841435 - ETPRO TROJAN RedLine - GetSettings Request\r\n2841436 - ETPRO TROJAN RedLine - GetSettings Response\r\n2841437 - ETPRO TROJAN RedLine - GetTasks Response\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign"
	],
	"report_names": [
		"new-redline-stealer-distributed-using-coronavirus-themed-email-campaign"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29b3370e7eb44921410082f009e57e0a40a51f2c.pdf",
		"text": "https://archive.orkl.eu/29b3370e7eb44921410082f009e57e0a40a51f2c.txt",
		"img": "https://archive.orkl.eu/29b3370e7eb44921410082f009e57e0a40a51f2c.jpg"
	}
}