{
	"id": "d918012a-1ffd-4122-95ab-4935ffb1be91",
	"created_at": "2026-04-06T00:18:44.469556Z",
	"updated_at": "2026-04-10T13:11:48.559083Z",
	"deleted_at": null,
	"sha1_hash": "3029e7826b5b3e1b48fdd73da64b52541e610a53",
	"title": "RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2602547,
	"plain_text": "RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware\r\nPublished: 2023-09-13 · Archived: 2026-04-02 11:05:44 UTC\r\nRansomware\r\nIn this blog, we investigate how threat actors used information-stealing malware with EV code signing certificates\r\nand later delivered ransomware payloads to its victims via the same delivery method.\r\nBy: Hitomi Kimura, Ryan Soliven, Ricardo Valdez III, Nusrath Iqra, Ryan Maglaque Sep 13, 2023 Read time: 6\r\nmin (1614 words)\r\nWe have been observing malware families RedLine and Vidar since the middle of 2022, when both were used by\r\nthreat actors to target victims via spear-phishing scams. Earlier this year, RedLine targeted the hospitality industry\r\nwith its info stealer malware.\r\nOur latest investigations show that the threat actors behind RedLine and Vidar now distribute ransomware\r\npayloads with the same delivery techniques they use to spread info stealers. This suggests that the threat actors are\r\nstreamlining operations by making their techniques multipurpose. In this particular case we investigated, the\r\nvictim initially received a piece of info stealer malware with Extended Validation (EV) code signing certificates.\r\nAfter some time, however, they started receiving ransomware payloads via the same route.  \r\nEV code signing certificates are issued to organizations that are verified to have legal and physical existence in\r\neach country. They entail an issuance process with extended identity verification compared to regular code signing\r\ncertificates, as well as private key generation where a hardware token is required.\r\nFigure 1. The info stealer sample with an EV code signing\r\nSince June of this year, the CA/Browser Forum (CABF) — a public key infrastructure (PKI) industry group —\r\nmade hardware key generation mandatory for even regular code signing certificates. 
This is an additional effort to address private key protection by making it more difficult to steal private keys and certificates from computers,\r\nsince they cannot be copied as software data.\r\nhttps://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html\r\nPage 1 of 11\n\nDespite these additional security measures, over 30 EV code-signed samples related to this case were used from July to August\r\n2023. The info stealer, detected as TrojanSpy.Win32.VIDAR.SMA, was polymorphic, with\r\neach sample having a different hash. While there are other cases where threat actors have used EV certificates for\r\ntheir malware, this is the first time a single threat actor was observed with this many samples. It is currently\r\nunknown how the threat actor accessed the private key.\r\nIn a previous report, we observed that QAKBOT operators abused regular code signing certificates, most of which\r\nwere used by a single threat actor. Reviewing the certificate contents suggested that the certificates were directly\r\nissued by a certificate authority (CA) to a threat actor impersonating the victim companies. In the case of RedLine\r\nand Vidar, we can assume that the threat actor who code-signed with the EV certificate possibly owns the hardware\r\ntoken itself or has access to the host to which the hardware token is connected.\r\nCertificates used to sign malicious modules can be revoked following reports from security researchers, which\r\ninvalidates the corresponding code signatures. Code signing using X.509 certificates allows the setting of a\r\n“revocation date” that only invalidates modules signed after the specified revocation date. 
This is to protect the\r\nvalidity of code signing for modules signed before the private key was compromised.\r\nIn the case we investigated, the code signing of the info stealer was not invalidated because the revocation date\r\nwas set on August 3, the date we reported the abuse, rather than the sample's signing date. The malware sample\r\nwas signed on July 17, earlier than the revocation date set, and thus continued to pass signature\r\nverification.\r\nWe contacted the CA to explain that the certificate should be revoked using the issuance date as the revocation\r\ndate instead so that all code signing using that certificate is invalidated. The certificate was then processed with\r\nMarch 21 as the revocation date, and all publicly observed sample signatures beyond March 21 were invalidated.\r\nNotably, ineffective revocation date setting is a problem that has been reported in past research papers.\r\nThe certificate we investigated had the serial number 5927C49718E319C84A7253F7DEB1A420, and in the\r\nfollowing image we can see that the revocation date on the certificate revocation list (CRL) was updated from\r\nAugust 3 to March 21.\r\nFigure 2. The revocation date on the CRL was updated from August 3 to March 21.\r\nFigure 3. The infection chain of the info stealer malware used by RedLine and Vidar\r\nMalicious actors behind RedLine and Vidar use classic and well-worn techniques to lure victims to run malicious\r\nfiles: \r\nThey use phrases in spear-phishing emails that call for action and invoke a sense of urgency on topics\r\nrelated to health and hotel accommodations.\r\n \r\nThey use double extensions to trick users into thinking that the files they are executing are .pdf or .jpg files\r\nrather than .exe files that jump-start the infection when they are run. 
They also take advantage of regular\r\nusers whose default view typically hides file extensions, so they fail to notice that the file they are\r\nexecuting is in fact an EXE file.\r\n \r\nThey use LNK files that contain the command to execute the malicious file to help bypass detection.\r\n \r\nDespite Google Drive’s built-in protections, which automatically evaluate files to guard systems against\r\nmalware, malicious actors manage to transfer malicious files through the file storage service.\r\nFigure 4. The infection chain that delivered a ransomware payload through the same delivery\r\nmethod used for RedLine and Vidar’s info stealer malware\r\nIn the case we investigated, the victim had initially been receiving info stealer malware from a series of campaigns\r\naround July 10 this year. On August 9, they received a ransomware payload after being tricked into downloading\r\nand opening a fake TripAdvisor complaint email attachment. The attachment used a double file extension\r\n(.pdf.htm) to masquerade as a benign .pdf file and conceal the actual .htm payload.\r\nFigure 5. The “TripAdvisor-Complaint.pdf.htm” file\r\nFigure 6. User downloading the spear-phishing attachment, as seen on the Trend Vision One™\r\nWorkbench\r\nUpon opening the attachment and selecting “Read Complaint,” the user then unknowingly executed the following\r\nJavaScript files from samuelelena[.]co:\r\nhxxps://samuelelena[.]co/npm/module.external/jquery.min.js\r\nhxxps://samuelelena[.]co/npm/module.external/moment.min.js\r\nhxxps://samuelelena[.]co/npm/module.external/client.min.js\r\nhxxps://samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js\r\nFigure 7. 
The contents of “TripAdvisor-Complaint.PDF.htm”\r\nThis subsequently downloaded and executed TripAdvisor Complaint-Possible Suspension.exe. A different version,\r\nspotted and analyzed in a BleepingComputer news article, downloads an Excel XLL file when the \"Read\r\nComplaint\" button is selected. This XLL file is created using Excel-DNA, which integrates .NET into Microsoft\r\nExcel to execute the malware when it is opened.\r\nFigure 8. The subsequent download and execution of “TripAdvisor Complaint-Possible\r\nSuspension.exe”\r\nThe file TripAdvisor Complaint-Possible Suspension.exe connected to the following URLs:\r\nhxxps://doi[.]org (governs the Digital Object Identifier system)\r\nhxxps://i.ibb[.]co/Gp95Qcw/2286401330.png (image hosting site)\r\nThe contents of the 2286401330.png file were read and transformed into an encrypted shellcode that was saved as:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\KYMRCRHEVFUJGZHWNKKD\\YUUUBCFJVYCNCBMABZLBL\r\nFigure 9. The “2286401330.png” file\r\nFigure 10. Shellcode “YUUUBCFJVYCNCBMABZLBL”\r\nAfterward, the encrypted shellcode was decrypted to generate another shellcode, saved as follows:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\70685a9e\r\nFigure 11. The outbound connection to “hxxps://i.ibb[.]co/Gp95Qcw/2286401330.png” leading to\r\nthe creation of shellcode “70685a9e”\r\nFigure 12. Shellcode “70685a9e”\r\nFollowing this, TripAdvisor Complaint-Possible Suspension.exe spawned cmd.exe, where the second decrypted\r\nshellcode 70685a9e was injected. 
After this, cmd.exe dropped a legitimate 7-Zip standalone console application,\r\nrgb9rast.exe, in %temp% and launched it as follows:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\rgb9rast.exe\r\nFigure 13. Process injection into “rgb9rast.exe”\r\nEventually, the ransomware payload detected as Ransom.Win64.CYCLOPS.A was injected into rgb9rast.exe. We\r\nobserved rgb9rast.exe dropping the ransom note, encrypting files with a .knight_l extension, and performing an\r\noutbound Server Message Block (SMB) connection to encrypt files on the network.\r\nFigure 14. Encryption using the “.knight_l” extension and outbound SMB connection to encrypt\r\nother files on the network\r\nWe observed that the threat actors also use the following file names for their malicious files. The samples of the\r\nfollowing files were found to have EV code signing:\r\nAdditional information about the reservation.exe\r\ndoctor's opinion.exe\r\nDoctor's recommendations.exe\r\nThe threat actors also use the following file names for their malicious files without EV code signing:\r\nAdditional informatoin about the reservation.exe (The spelling “informatoin” instead of “information” is as\r\nthe file name reads.)\r\nTripAdvisor Complaint - Possible Suspension.exe ransomware\r\nThey also used the following double extensions:\r\nAdditional information about the reservation.jpg.exe\r\nAdditional information about the reservation.pdf.exe\r\ncleaning products recommendations.pdf.exe\r\ndoctor's opinion.pdf.exe\r\ndoctor's opinion.pdf.exe.exe\r\nDoctor's recommendations.pdf.exe\r\nRequests.pdf.exe\r\nrequests.pdf.exe\r\nCommon delivery methods for the ransomware payload observed include the following 
paths:\r\nC:\\Users\\[user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AHYEW8U2\\TripAdvisor-Complaint-Lcn5en.PDF.htm\r\nC:\\Users\\[user]\\AppData\\Local\\Temp\\gigiduru.PDF.htm\r\nC:\\Users\\[user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\MNV4PEH3\\TripAdvisor-Complaint-9dyl66.PDF.htm\r\nC:\\Users\\[user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\J53L41BP\\TripAdvisor-Complaint-1uy8dx.PDF.htm\r\nConclusion\r\nDespite more stringent security measures implemented by the CABF, threat actors are still able to propagate\r\ninformation-stealing malware code-signed with EV certificates that should ideally already have a strong issuance\r\nprocess and secure private key protection. Revoking abused certificates with compromised private keys should\r\nalso be thoroughly investigated to ensure that adjustments to revocation dates made by CAs cover all instances of\r\nuse on malicious files.\r\nAt this point, it is worth noting that unlike the samples of the info stealer we investigated, the files used to drop\r\nthe ransomware payload did not have EV certificates. However, the two originate from the same threat actor and\r\nare spread using the same delivery method. We can therefore assume a division of labor between the payload\r\nprovider and the operators.\r\nUsers who have encountered info stealers are advised to be cautious against ransomware, as our findings suggest\r\nthat threat actors are becoming more efficient in maximizing their techniques for different purposes and\r\ncybercrimes.\r\nOur investigations in this entry underline the importance of configuring and updating attack surface protections\r\nthat remove malicious items before they even reach users. 
Organizations are recommended to “shift left” — take\r\nsteps earlier in the threat life cycle to prevent attacks and implement measures to detect breaches before they cause\r\nextensive harm. In the case of ransomware attacks, early detection and mitigation can prevent threat actors from\r\nharvesting enough information that they can leverage for a ransomware attack. Users should also refrain from\r\ndownloading files, programs, and software from unverified sources and websites and install a\r\nmultilayered protection system for their individual and enterprise systems.\r\nIndicators of Compromise (IOCs)\r\nGet the list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html"
	],
	"report_names": [
		"redline-vidar-first-abuses-ev-certificates.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3029e7826b5b3e1b48fdd73da64b52541e610a53.pdf",
		"text": "https://archive.orkl.eu/3029e7826b5b3e1b48fdd73da64b52541e610a53.txt",
		"img": "https://archive.orkl.eu/3029e7826b5b3e1b48fdd73da64b52541e610a53.jpg"
	}
}