{
	"id": "ae5c863f-03fa-4201-8333-d89aa9840f81",
	"created_at": "2026-04-06T00:07:25.879262Z",
	"updated_at": "2026-04-10T13:11:18.318544Z",
	"deleted_at": null,
	"sha1_hash": "392ff550487f9e2e04615ce2e2e656a39c67efac",
	"title": "Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782778,
	"plain_text": "Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat\r\nArchived: 2026-04-05 13:51:24 UTC\r\nMultiple New Campaigns in 2023 Demonstrate the Malware Family Has Been Redeveloped to Remain a Popular and Prominent Threat\r\nEclecticIQ analysts observe the malware family targeting financial information to be used for immediate gain as well as reconnaissance functions to perform initial information gathering and establish persistence. RedLine stealer is almost always accompanied by other malware; either preceded by a loader to install it or succeeded by further malware.\r\nIn the last major iteration of RedLine stealer in 2022, variants were almost always configured to rely on exploit kits for infection. At some point in 2022 infections saw a relative break in traffic as developers retooled, but in 2023 the malware has re-emerged as a prominent threat and is now reliant on other malware to act as the loader. [1] Most recently, Trend Micro identified a campaign that leveraged trojanized large-language model software to trick users into installing RedLine. [2]\r\nCampaign variants emerge in VirusTotal starting the last week of April. [3] Samples very likely undergo initial testing in late April. This is supported by evidence from command and control infrastructure, discussed below. A small initial cluster of RedLine peaks approximately mid-July before tapering off significantly by the beginning of August. Sample volume then resumes in higher volume the second week of August.\r\nFigure 1 - Redline sample volumes collected through VirusTotal.\r\nWMI Abuse Continues to Provide Core Information Gathering Capabilities\r\nhttps://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat\r\nPage 1 of 7\n\nNotable capabilities within the Kill-Chain that are shared by these variants include:\r\n- Code obfuscation using XOR and RC4 algorithms and future timestamps to bypass security systems.\r\n- The use of registry keys via modification to establish persistence.\r\n- WMI to drive local system queries and fingerprinting.\r\n- The ability to delete files the malware creates to help conceal cyberattacks.\r\nThe first three capabilities were present in previous reporting by security researchers. [4] New variants use a new code obfuscation tactic: XOR and RC4 encryption for payloads. PowerShell modules present in previous campaigns are absent in these versions of Redline stealer. [3, 4]\r\nFigure 2 - The variants analyzed do not invoke PowerShell, but continue to leverage Windows Management Instrumentation heavily for core information gathering capabilities from local systems.\r\nVariants analyzed are capable of targeting the browsers Firefox, Edge, Chrome, Iridium, Cent, Coowon, and Brave. Other browsers are not targeted; previous versions targeted many more browsers and crypto wallets. [4] The malware also logs keystrokes, targets Coinomi crypto-wallets, and provides thorough fingerprinting of the local system.\r\nFigure 3 - Variants configured to access Coinomi wallets.\r\nCommand and Control Infrastructure Leverages New Domains to Circumvent a Majority of Blacklists\r\nInfrastructure located in Austria and Finland is involved in this campaign. One Finland-based IP address, 77.91.68.141, and one Austrian IP address, 78.153.130.209, serve as the primary command and control nodes. The malware is served from recently registered domains that are marked malicious, but hosted on IP addresses with other domains and legitimate traffic; a very common technique among threat actors.\r\nFigure 4 – A partial representation of this campaign in EclecticIQ Threat Intelligence Center. In this case the variants all share TTPs, to which security response and mitigation can be best directed.\r\nThe earliest IP address tracked is the Finnish IP. It is registered to STARK INDUSTRIES. The ASN is registered to a “Daniil Yevchenko” and includes further Ukrainian-based registration information. The current domain hosted on that IP address, “hosted-by.yeezyhost.net”, was created in late 2022 and is used by the RedLine Stealer variants analyzed. The IP address is marked clean by all antivirus vendors. Only a handful of service providers currently recognize the IP address as malicious.\r\nFigure 5 - The current infrastructure arrangement likely helps this RedLine Stealer campaign increase success.\r\nThe IP address hosts 40 unrelated domains. A snapshot of the first 10 below shows they are mostly legitimate and spam domains (obtained from dnslytics.com).\r\nFigure 6 – An example of 10 domains (of 40) currently hosted.\r\nPassive DNS records indicate the campaign likely began April 17. The IP address was associated with the following domains beginning April 17. These were also detected in RedLine Stealer variants. These domains on the IP address have all been flagged as malicious by multiple AV vendors at some point since April and were very likely used in this campaign:\r\nleatherupcorp.com\r\nkvk-blank-login.mediainsightsgroup.com\r\nmediainsightsgroup.com\r\ngrantallarddata.com\r\nSamples Share Metadata Information\r\nA notable feature shared by all variants identified in this campaign is the same copyright, description, and comments within their metadata. The copyright is linked to an actual copyright associated with a Malaysian biotech company that recently joined a large consortium of regional biotech partners. [5, 6]\r\nFigure 7 - File metadata shared between samples includes copyright, description, similar naming themes, file version, and comments.\r\nThe latest variants have been automated via botnets, indicating that a larger campaign is likely underway. The botnet authorization module was absent from versions prior to August.\r\nFigure 8 - Botnet automation present in the latest samples. The localhost name, authorization token, and botnet (Hekkimarue).\r\nConclusion and Mitigation\r\nRedline stealer, a popular threat to a variety of organizations, continues to make minor changes to remain a successful and prominent low-barrier-to-entry threat. In lieu of major development changes, the latest variants exclude PowerShell, possibly to reduce the malware’s footprint, and automate via social media botnets. Command and control relies on new, rapidly changing infrastructure that is difficult to mitigate by blocking indicators of compromise. Focusing on core malware development patterns - the use of WMI in this case - and successfully blocking malicious attempts through application whitelisting and process monitoring provide the best way to apply security resources to this and other malware.\r\nIndicators of compromise (IoC)\r\nHashes:\r\nIP Addresses:\r\n13.107.21.200\r\n77.91.124.251\r\n78.153.130.209\r\nMitre ATT\u0026CK Tactics and Techniques Associated with This Collection\r\nTA0002-Execution\r\nNative API (T1106)\r\nShared Modules (T1129)\r\nTA0003-Persistence\r\nCreate or Modify System Process (T1543)\r\nWindows Service (T1543.003)\r\nRegistry Run Keys / Startup Folder (T1547.001)\r\nTA0004-Privilege Escalation\r\nAccess Token Manipulation (T1134)\r\nCreate or Modify System Process (T1543)\r\nWindows Service (T1543.003)\r\nBypass User Account Control (T1548.002)\r\nTA0005-Defense Evasion\r\nMasquerading (T1036)\r\nIndicator Removal (T1070)\r\nTimestomp (T1070.006)\r\nModify Registry (T1112)\r\nAccess Token Manipulation (T1134)\r\nRundll32 (T1218.011)\r\nFile and Directory Permissions Modification (T1222)\r\nVirtualization/Sandbox Evasion (T1497)\r\nBypass User Account Control (T1548.002)\r\nImpair Defenses (T1562)\r\nDisable or Modify Tools (T1562.001)\r\nTA0007-Discovery\r\nQuery Registry (T1012)\r\nProcess Discovery (T1057)\r\nSystem Information Discovery (T1082)\r\nFile and Directory Discovery (T1083)\r\nSecurity Software Discovery (T1518.001)\r\nTA0011-Command and Control\r\nApplication Layer Protocol (T1071)\r\nWeb Protocols (T1071.001)\r\nNon-Standard Port (T1571)\r\nStructured Data\r\nFind this and other research in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.\r\nPlease refer to our support page for guidance on how to access the feeds.\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.\r\nReferences\r\n[1] Neagu Mihai, “RedLine Stealer Resurfaces in Fresh RIG Exploit Kit Campaign.” Bitdefender. Apr 27, 2022. https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/ (accessed Jun. 28, 2023).\r\n[2] Dela Cruz Junestherry, “Malicious AI Tool Ads Used to Deliver Redline Stealer.” Trend Micro. May 12, 2023. https://www.trendmicro.com/en_us/research/23/e/malicious-ai-tool-ads-used-to-deliver-redline-stealer.html (accessed Jun. 30, 2023).\r\n[3] Jarosz Aleks, “Custom VirusTotal Redline Stealer Query.” VirusTotal. Jun 1, 2023. https://www.virustotal.com/gui/search/metadata%253A%2522Tools%2520for%2520control%2520bio%2520tech%2522%2520and%2520positives% (accessed Jun. 1, 2023).\r\n[4] Shrawan Poudel Swachchhanda, Bogati Anish, “RedLine Stealer Malware Outbreak: A Comprehensive Guide to Anatomy, Detection, and Response.” Logpoint. Apr 2023. https://www.logpoint.com/wp-content/uploads/2023/04/etpr-redline-stealer-malware-outbreak.pdf (accessed Jul. 1, 2023).\r\n[5] Life Sciences Asia, “Malaysian Biotechnology Corporation Sdn. Bhd. (BiotechCorp).” Life Sciences Asia. 2023. https://www.life-sciences-asia.com/organisation/malaysian-biotechnology-corporation-sdn-bhd-biotechcorp-malaysia-govt-2001-22671.html (accessed Jul. 31, 2023).\r\n[6] Digital News Asia, “BiotechCorp rebranded to Malaysian Bioeconomy Development Corp, role expands.” Digital News Asia. Jun 09, 2023. https://www.digitalnewsasia.com/digital-economy/biotechcorp-rebranded-malaysian-bioeconomy-development-corp-role-expands (accessed Jul. 31, 2023).\r\nSource: https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat"
	],
	"report_names": [
		"redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/392ff550487f9e2e04615ce2e2e656a39c67efac.pdf",
		"text": "https://archive.orkl.eu/392ff550487f9e2e04615ce2e2e656a39c67efac.txt",
		"img": "https://archive.orkl.eu/392ff550487f9e2e04615ce2e2e656a39c67efac.jpg"
	}
}