{
	"id": "09761895-0d13-451c-b7b9-2248c3110b29",
	"created_at": "2026-04-06T00:09:48.89956Z",
	"updated_at": "2026-04-10T03:28:21.01008Z",
	"deleted_at": null,
	"sha1_hash": "50dcc8a2cc03641bd639889a41f35478c2133b4a",
	"title": "RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286708,
	"plain_text": "RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool\r\nBy James Coker\r\nPublished: 2023-11-30 · Archived: 2026-04-05 20:34:18 UTC\r\nA new version of the ScrubCrypt obfuscation tool is being used to target organizations with the RedLine Stealer malware, fraud sensor network Human Security has warned.\r\nHuman’s Satori Threat Intelligence Team said it has uncovered the new build of ScrubCrypt for sale in dark web marketplaces, and observed it being used to launch account takeover and fraud attacks on its customers via RedLine Stealer.\r\nHow the New ScrubCrypt Build Works\r\nScrubCrypt is a tool used by threat actors to avoid detection by converting executable files into batch files. In March 2023, it was found to be used by the ‘8220 Gang’ threat actor to target vulnerable Oracle WebLogic servers.\r\nThe researchers said the website selling and hosting this new ScrubCrypt build is registered and hosted in Russia to stay out of the reach of law enforcement agencies in regions like the US and EU.\r\nHowever, the command-and-control (C2) server sending instructions and receiving the stolen credentials from the associated RedLine Stealer sample is hosted by an American provider of data center proxies and virtual servers. This approach is likely designed to help threat actors avoid certain firewall protections by having the malware phone home to a server located within the country of the target.\r\nhttps://www.infosecurity-magazine.com/news/redline-stealer-malware-scrubcrypt/\r\nPage 1 of 3\n\nBanner ad promoting ScrubCrypt on a dark web marketplace. Source: Satori Threat Intelligence and Research Team\r\nThe researchers reverse engineered the attack to understand the new ScrubCrypt build’s workings. To infect targets, a .bat file is downloaded to a victim’s device, often via a social engineering attack.
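The unpacking chain the article goes on to describe for this .bat file (repeated filler strings stripped out, base64, an AES layer, gzip, then a .NET loader that XOR-decodes its embedded resource P into the final Windows executable) is reconstructed below as an added Python example. It is not code from the article or from Human Security, and it extends the article in one place: the article says the XOR key is embedded in the .NET executable, whereas the example recovers the key from the known PE header bytes, which is what an analyst does before the key has been pulled out of the binary. Everything else is an assumption: the filler is treated as one fixed string found by n-gram frequency, the AES layer is a caller-supplied hook because the real key and IV are not published, and the .NET loader is replaced by a toy container, a fake PE, the key Sat0r1! and the filler kQ8wPz, all constructed for the example.

```python
# Added example (not from the article or from Human Security): an offline
# reconstruction of the ScrubCrypt unpacking chain described on this page.
# Every sample artefact below is constructed here; no real ScrubCrypt or
# RedLine data is used.
import base64
import gzip
import re
from collections import Counter
from typing import Callable, Optional, Tuple

B64_LINE = re.compile(r'^[A-Za-z0-9+/=]+$')
GZIP_MAGIC = bytes.fromhex('1f8b')
# Conventional MS linker DOS stub text, found at offset 0x4E of most PE files.
DOS_STUB_TEXT = b'This program cannot be run in DOS mode.'

# Stage 1: batch file -> base64 text with the repeated filler strings removed.
def find_repeated_token(text: str, min_repeats: int = 8, max_len: int = 32) -> Optional[str]:
    # Assumption (ours): the filler is one fixed string inserted many times, so it
    # dominates the n-gram counts, while genuine base64 almost never repeats.
    for n in range(max_len, 3, -1):
        counts = Counter(text[i:i + n] for i in range(len(text) - n + 1))
        if not counts:
            continue
        token, hits = counts.most_common(1)[0]
        if hits >= min_repeats:
            return token
    return None

def extract_payload_b64(bat_text: str) -> str:
    # Keep only lines made of base64 characters, then scrub filler until nothing repeats.
    joined = ''.join(l.strip() for l in bat_text.splitlines() if B64_LINE.match(l.strip()))
    token = find_repeated_token(joined)
    while token is not None:
        joined = joined.replace(token, '')
        token = find_repeated_token(joined)
    return joined

# Stage 2: base64 -> AES -> gzip -> loader bytes.
def unwrap_loader(b64_text: str, aes_decrypt: Callable[[bytes], bytes]) -> bytes:
    # The article reports an AES layer here; its key and IV live in the real stub and
    # are not published, so the caller supplies the decryptor (identity in our sample).
    plain = aes_decrypt(base64.b64decode(b64_text, validate=True))
    if plain[:2] != GZIP_MAGIC:
        raise ValueError('not gzip after the AES step: wrong key/IV or an extra layer')
    return gzip.decompress(plain)

# Stage 3: resource P out of the loader, XOR key recovery, final PE.
def load_resource_p(loader: bytes) -> bytes:
    # Toy container standing in for the .NET loader: tag P, u32 LE length, data.
    # A real sample needs its managed resources read with a .NET tool (e.g. dnlib).
    if loader[:1] != b'P':
        raise ValueError('resource P not found')
    size = int.from_bytes(loader[1:5], 'little')
    return loader[5:5 + size]

def recover_xor_key(ct: bytes, max_len: int = 32) -> bytes:
    # Known plaintext: MZ at offset 0 and the DOS stub text at 0x4E. The smallest
    # key length consistent with every known byte, and covering every key index, wins.
    known = {0: 0x4D, 1: 0x5A}
    known.update({0x4E + i: b for i, b in enumerate(DOS_STUB_TEXT)})
    for length in range(1, max_len + 1):
        key = [None] * length
        consistent = True
        for pos, pt in known.items():
            k = ct[pos] ^ pt
            if key[pos % length] is None:
                key[pos % length] = k
            elif key[pos % length] != k:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    raise ValueError('no consistent repeating XOR key up to max_len')

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unpack(bat_text: str, aes_decrypt: Callable[[bytes], bytes] = lambda b: b) -> Tuple[bytes, bytes]:
    loader = unwrap_loader(extract_payload_b64(bat_text), aes_decrypt)
    resource = load_resource_p(loader)
    key = recover_xor_key(resource)
    pe = xor_bytes(resource, key)
    e_lfanew = int.from_bytes(pe[0x3C:0x40], 'little')
    if pe[:2] != b'MZ' or pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('XOR output is not a PE image')
    return key, pe

# Constructed sample: a fake PE wrapped exactly as the stages above expect.
SAMPLE_KEY = b'Sat0r1!'   # made-up 7-byte XOR key
JUNK = 'kQ8wPz'           # made-up filler string (base64 alphabet only, on purpose)

def build_fake_pe() -> bytes:
    stub = bytes.fromhex('0e1fba0e00b409cd21b8014ccd21') + DOS_STUB_TEXT + bytes.fromhex('0d0d0a24')
    hdr = b'MZ' + bytes(0x3A) + (0x40 + len(stub)).to_bytes(4, 'little')   # e_lfanew at 0x3C
    return hdr + stub + b'PE' + bytes(2) + bytes(20) + b'constructed body, not a real executable'

def build_sample_bat() -> str:
    resource = xor_bytes(build_fake_pe(), SAMPLE_KEY)
    loader = b'P' + len(resource).to_bytes(4, 'little') + resource
    b64 = base64.b64encode(gzip.compress(loader, mtime=0)).decode()
    junked = JUNK.join(b64[i:i + 6] for i in range(0, len(b64), 6))
    lines = [junked[i:i + 76] for i in range(0, len(junked), 76)]
    crlf = chr(13) + chr(10)
    return '@echo off' + crlf + crlf.join(lines) + crlf

if __name__ == '__main__':
    key, pe = unpack(build_sample_bat())
    print('recovered XOR key:', key, '| PE bytes:', len(pe))
```

Running it prints the recovered key and the size of the decoded PE. On a real sample, swap the identity hook for an AES routine fed with the key and IV lifted from the batch stub, and replace load_resource_p with a managed-resource extractor; the key-recovery step stays the same as long as the payload is a normal PE with the standard DOS stub.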
This .bat file carries a base64-encoded payload and is peppered throughout with nonsensical repeating strings to obfuscate the payload. After removing the strings and decrypting the AES-encrypted file, the researchers found the payload to be compressed gzip data.\r\nExtracting the data stream of these files revealed an obfuscated .NET executable file. After deobfuscating this payload, the Satori team observed that the file loads an embedded resource called P. The sample then deobfuscates P using an XOR cipher with a key embedded in the .NET executable to get the final Windows executable payload.\r\nThe researchers found that the final payload was RedLine Stealer, although they noted other payloads can be encrypted and slipped past antivirus protections using the same method.\r\nRedLine Stealer is a well-known information stealer designed to compromise accounts by stealing cookies, browser login data, and locally stored login information. This enables threat actors to conduct account takeover and account fraud attacks by logging in with the stolen credentials or reusing the cookies stolen from the browser.\r\nThe blog post stated: “This attack is emblematic of an alternative means of compromising accounts. 
Rather than relying on leaked/stolen credentials followed by a brute-force attack, some threat actors prefer a malware-based approach to account fraud using stealers like the RedLine Stealer payload in this attack.”\r\nHow Organizations Can Mitigate this Threat\r\nWhile Human Security acknowledged its customers had been targeted by RedLine Stealer before, this was the first instance incorporating this build of ScrubCrypt.\r\nThe firm said its findings highlight how attackers are constantly evolving their techniques to stay ahead of improved defenses.\r\n“As each new build of malware like RedLine Stealer or obfuscation tools like ScrubCrypt are unearthed and built into antivirus protections, threat actors go back to the drawing board to start designing the next build,” read the blog, published on November 30, 2023.\r\nIt recommended that organizations, particularly those with direct/private messaging capabilities native to their user platforms, take the following actions to mitigate this threat:\r\nDeploy protections that detect and mitigate cookie-stealing attacks\r\nUse tools that can flag users with credentials leaked or stolen in other threats\r\nForce compromised users to change their user credentials and confirm identity through two-factor authentication (2FA)\r\nStay up-to-date with threat research detailing evolving attack techniques\r\nSource: https://www.infosecurity-magazine.com/news/redline-stealer-malware-scrubcrypt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.infosecurity-magazine.com/news/redline-stealer-malware-scrubcrypt/"
	],
	"report_names": [
		"redline-stealer-malware-scrubcrypt"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50dcc8a2cc03641bd639889a41f35478c2133b4a.pdf",
		"text": "https://archive.orkl.eu/50dcc8a2cc03641bd639889a41f35478c2133b4a.txt",
		"img": "https://archive.orkl.eu/50dcc8a2cc03641bd639889a41f35478c2133b4a.jpg"
	}
}