{
	"id": "30c7931f-6e47-4ab8-b646-f156b59b6586",
	"created_at": "2026-04-06T00:13:02.754732Z",
	"updated_at": "2026-04-10T03:37:09.264275Z",
	"deleted_at": null,
	"sha1_hash": "58c0ee86edb7ac3dc078ac78b6f380a5553b386f",
	"title": "Fake Valorant cheats on YouTube infect you with RedLine stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2808253,
	"plain_text": "Fake Valorant cheats on YouTube infect you with RedLine stealer\r\nBy Bill Toulas\r\nPublished: 2022-03-13 · Archived: 2026-04-05 19:24:52 UTC\r\nKorean security analysts have spotted a malware distribution campaign that uses Valorant cheat lures on YouTube to trick players into downloading RedLine, a powerful information stealer.\r\nThis type of abuse is quite common, as the threat actors find it easy to bypass YouTube's new content submission reviews or create new accounts when reported and blocked.\r\nThe campaign spotted by ASEC targets the gaming community of Valorant, a free first-person shooter for Windows, offering a link to download an auto-aiming bot in the video description.\r\nhttps://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/\r\nPage 1 of 5\r\nVideo promoting fake auto-aiming bot (ASEC)\r\nThese cheats are allegedly add-ons installed in the game to help the players aim at enemies with speed and precision, winning headshots without demonstrating any skill.\r\nAuto-aiming bots are highly sought-after for popular multiplayer games like Valorant because they allow effortless ranking progression.\r\nDropping RedLine\r\nUsers who attempt to download the file in the video's description will be taken to an anonfiles page from where they'll get a RAR archive that contains an executable named \"Cheat installer.exe\".\r\nThis file is, in reality, a copy of RedLine stealer, one of the most widely deployed password-stealing malware infections, which snatches the following data from infected systems:\r\nBasic information: Computer name, user name, IP address, Windows version, system information (CPU, GPU, RAM, etc.), and list of processes\r\nWeb browsers: Passwords, credit card numbers, AutoFill forms, bookmarks, and cookies, from Chrome, Chrome-based browsers, and Firefox\r\nCryptocurrency wallets: Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx\r\nVPN clients: ProtonVPN, OpenVPN, and NordVPN\r\nOthers: FileZilla (host address, port number, user name, and passwords), Minecraft (account credentials, level, ranking), Steam (client session), Discord (token information)\r\nAfter collecting this information, RedLine neatly packs it in a ZIP archive named \"().zip\" and exfiltrates the files via a WebHook API POST request to a Discord server.\r\nExfiltrating stolen information via Discord WebHook (ASEC)\r\nDon't trust links in YouTube videos\r\nApart from the fact that cheating in video games takes the fun out of playing and ruins the game for others, it is always a potentially severe security risk.\r\nNone of these cheat tools are authored by trustworthy entities, none are digitally signed (so AV warnings are bound to be ignored), and many are indeed malware.\r\nASEC's report contains a recent example, but that's just a drop in the sea of malicious download links under YouTube videos that promote free software of various types.\r\nThe videos that promote these tools are often stolen from elsewhere and are re-posted by malicious users on newly created channels to act as lures.\r\nEven if the comments below these videos praise the uploader and claim the tool works as promised, they should not be trusted, as these can easily be faked.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/"
	],
	"report_names": [
		"fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58c0ee86edb7ac3dc078ac78b6f380a5553b386f.pdf",
		"text": "https://archive.orkl.eu/58c0ee86edb7ac3dc078ac78b6f380a5553b386f.txt",
		"img": "https://archive.orkl.eu/58c0ee86edb7ac3dc078ac78b6f380a5553b386f.jpg"
	}
}