{
	"id": "e7981b43-98f4-4a13-8673-6bd2d77b7a4f",
	"created_at": "2026-04-06T01:28:55.499641Z",
	"updated_at": "2026-04-10T13:12:24.875813Z",
	"deleted_at": null,
	"sha1_hash": "59aa3c9e1fcf7f54374dd65791678a41fd46f36a",
	"title": "COVID Omicron Variant Lure Used to Distribute RedLine Stealer | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82093,
	"plain_text": "COVID Omicron Variant Lure Used to Distribute RedLine Stealer | FortiGuard Labs\r\nBy Shunichi Imano and Fred Gutierrez\r\nPublished: 2022-01-10 · Archived: 2026-04-06 00:58:37 UTC\r\nJust like the previous year, 2021 ended with COVID and 2022 started with the same. The only difference is that the world is now dealing with the new Omicron variant rather than the Delta variant, which emerged in April 2021. While reportedly less lethal than its predecessor, the Omicron variant has a much higher transmission rate, and as a result, daily counts of new Omicron patients have become a global concern. This has heightened concern about the pandemic, and as we have all sadly learned, threat actors don’t shy away from using misery and fear to their advantage.\r\nFortiGuard Labs recently came across a curiously named file, “Omicron Stats.exe”, which turned out to be a variant of Redline Stealer malware. This blog will look at the Redline Stealer malware, including what’s new in this variant, its core functions, how it communicates with its C2 server, and how organizations can protect themselves.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Various data, including confidential information on the compromised machine, will be stolen\r\nSeverity Level: Medium\r\nRedLine Stealer\r\nBefore talking specifics on this new RedLine Stealer variant, let’s review what we know about RedLine Stealer in general.\r\nThe first reports of RedLine Stealer go back to at least March 2020, and it quickly became one of the more popular infostealers sold in underground digital markets. The information harvested by RedLine Stealer is sold on dark net marketplaces for as low as 10 US dollars per set of user credentials. 
The malware emerged just as the world began to deal with increased numbers of COVID patients and the growing fear and uncertainty that can cause people to lower their guard, which may have prompted its developers to use COVID as its lure.\r\nAccording to the CIA, open source intelligence, or OSINT, is intelligence “drawn from publicly available material,” although it can include sources only available to specialists or subscribers. Based on the global OSINT information collected and analyzed by FortiGuard Labs, the current Redline Stealer includes the following functionalities.\r\nTypically, the victims are users whose systems have been infected with such stealers, as a result of which they have unknowingly had their account passwords and full browser details recorded and sent to marketplace operators. In such cases, each user profile generally includes login credentials for accounts on online payment portals, e-banking services, file-sharing or social networking platforms.\r\nhttps://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer\r\nPage 1 of 8\r\nAs such, it attempts to collect the following information from browsers installed on the compromised machine, including all Chromium-based browsers and all browsers based on Gecko (i.e. Mozilla):\r\n1. Stored system information:\r\n1. Login and passwords\r\n2. Cookies\r\n3. Auto-Fill Forms\r\n4. Browser User Agent Details\r\n5. Credit Card information\r\n6. Browser history\r\n2. Installed FTP clients\r\n3. Installed IM clients\r\n4. It also engages in highly configurable information collection based on file path and file extension, including searching in subfolders.\r\n5. It sets up a blacklist of countries where Redline Stealer will not function\r\n6. It also collects the following machine information\r\n1. IP\r\n2. Country\r\n3. City\r\n4. Current user name\r\n5. Hardware ID\r\n6. Keyboard layouts\r\n7. Screenshot\r\n8. 
Screen resolution\r\n9. Operating system\r\n10. UAC settings\r\n11. User-Agent\r\n12. Information about PC components such as video cards and processors\r\n13. Installed antivirus solution\r\n14. Data/Files from common folders such as desktop/downloads, etc.\r\nThe current variant continues to perform all these functions. However, this new version includes additional changes and improvements, which are detailed below:\r\nInfection vector for the RedLine Stealer variant (Omicron Stats.exe)\r\nWhile we have not been able to identify the infection vector for this particular variant, we believe that it is being distributed via email. Past RedLine Stealer variants are known to have been distributed in COVID-themed emails to lure victims. The file name of this current variant, “Omicron Stats.exe,” was used just as the Omicron variant was becoming a global concern, following the pattern of previous variants. And given that this malware is embedded in a document designed to be opened by a victim, we have concluded that email is the infection vector for this variant as well.\r\nVictimology\r\nBased on the information collected by FortiGuard Labs, potential victims of this RedLine Stealer variant are spread across 12 countries. This indicates that this is a broad-brush attack and that the threat actors did not target specific organizations or individuals.\r\nFunctionality\r\nOnce Omicron Stats.exe is executed, it unpacks resources encrypted with Triple DES using cipher mode ECB and padding mode PKCS7. Unpacked resources are then injected into vbc.exe. 
It copies itself to C:\\Users\\[Username]\\AppData\\Roaming\\chromedrlvers.exe and creates the following scheduled task for persistence:\r\nschtasks /create /sc minute /mo 1 /tn \"Nania\" /tr \"'C:\\Users\\[Username]\\AppData\\Roaming\\chromedrlvers.exe'\" /f\r\nThe malware then attempts to exfiltrate the following system information from Windows Management Instrumentation (WMI):\r\nGraphics card name\r\nBIOS manufacturer, identification code, serial number, release date and version\r\nDisk drive manufacturer, model, total heads and signature\r\nProcessor (CPU) information such as unique ID, processor ID, manufacturer, name, max clock speed, and motherboard information\r\nThe malware also decodes base64 strings and decrypts them with the XOR key \"Margented.\" The decrypted strings are \"freelancer.com\" and 207[.]32.217.89. It then accesses a Command and Control (C2) server (207[.]32[.]217[.]89:14588). It uses a unique header, \"Authorization: ns1=d8cc092a9e22f3fc55d63aad32150529\", to verify itself, and the decrypted ID “freelancer.com” to prevent connections from other malware or researchers.\r\nThe malware searches for the following strings on the compromised machine to locate relevant folders for data exfiltration:\r\nwallet.dat (information related to cryptocurrency)\r\nwallet (information related to cryptocurrency)\r\nLogin Data\r\nWeb Data\r\nCookies\r\nOpera GX Stable\r\nOpera GX\r\nThe malware also looks for the following files for data exfiltration:\r\n\\Telegram Desktop\\tdata folder, in which Telegram stores images and conversations.\r\n%appdata%\\discord\\Local Storage\\leveldb, which stores information about the Discord channels a user has joined, for the following files:\r\n.log and .db files\r\nFiles that match the following regular expression: [A-Za-z\\d]{24}\\.[\\w-]{6}\\.[\\w-]{27}\r\n[A-Z] is a regular 
expression used to search for files with names using any upper case letter from A-Z\r\n[a-z] is a regular expression used to search for files with names using any lower case letter from a-z\r\n\\d is a regular expression used to search for any digit\r\n{24} is a regular expression quantifier that matches the previous token exactly 24 times\r\n\\. is a regular expression used to find “.” (\\ is an escape)\r\n\\w is a regular expression used to find any word character, including underscore\r\nTokens.txt (used for Discord access)\r\nThe malware also looks for and attempts to steal the following stored browser data:\r\nLogin Data\r\nWeb Data\r\nBrowser User Agent Details\r\nCookies\r\nExtension Cookies\r\nAutofill\r\nCredit Card information\r\nThe malware also attempts to collect the following system information:\r\nProcessors\r\nGraphics cards\r\nTotal RAM\r\nInstalled programs\r\nRunning processes\r\nInstalled languages\r\nUsername\r\nInstalled Windows version\r\nSerial number\r\nThis RedLine Stealer variant steals stored credentials for the following VPN applications:\r\nNordVPN\r\nOpenVPN\r\nProtonVPN\r\nC2 Infrastructure\r\nThis variant uses 207[.]32.217.89 as its C2 server through port 14588. This IP is owned by 1gservers. Over the course of the few weeks after this variant was released, we noticed one IP address in particular communicating with this C2 server. Some telemetry data is shown below.\r\nIP Address      Start Time           End Time\r\n149.154.167.91  2021-11-26 04:34:54  2021-11-26 10:05:15\r\n149.154.167.91  2021-12-05 12:06:03  2021-12-05 13:19:35\r\n149.154.167.91  2021-12-09 16:18:46  2021-12-09 20:00:13\r\n149.154.167.91  2021-12-22 18:38:18  2021-12-23 11:33:58\r\nThis 149[.]154.167.91 IP address is located in Great Britain and is part of the Telegram Messenger Network. 
It\r\nseems that the C2 server may be controlled by the Redline operators through an abused Telegram messaging\r\nservice. This conclusion is not a huge leap as the malware author(s) offer both dedicated purchasing and support\r\nlines through their respective Telegram groups.\r\nConclusion\r\nRedLine Stealer takes advantage of the ongoing COVID crisis and is expected to continue that trend. While it is\r\nnot designed to have a catastrophic effect on the compromised machine, the information that it steals can be used\r\nfor malicious actions by the same cybercriminal or sold to another threat actor for future activities. Stay outside of\r\nthe red zone by exercising basic security practices, detailed below:\r\nFortinet Protections\r\nFortiGuard Labs provides the following AV coverage against the RedLine Stealer variant:\r\nPossibleThreat.PALLASNET.H\r\nFortiGuard Labs provides the IPS signature “RedLine.Stealer.Botnet” to detect RedLine Stealer’s communication\r\nwith Command and Control (C2) servers. 
Please note that the signature is set to “pass” by default and needs to be toggled to “drop” to block communications with its C2.\r\nAll network IOCs are blocked by the WebFiltering client.\r\nFortiEDR blocks all malicious files based on reputation and behavioral detection.\r\nIndicators of Compromise (IOCs) for this variant:\r\nSHA2\r\n15FE4385A2289AAF208F080ABB7277332EF8E71EDC68902709AB917945A36740\r\nNetwork\r\n207.32.217.89:14588 (C2)\r\nOther RedLine Stealer variant IOCs (SHA2 hashes, download URLs and C2 addresses) are published in the full post at the source link below.\r\nFortiGuard Labs provides the following AV coverage against those other RedLine Stealer variants:\r\nW32/Agent.A7D6!tr\r\nMSIL/Agent.DFY!tr\r\nW32/PossibleThreat\r\nPossibleThreat.PALLASNET.H\r\nW32/GenKryptik.FNMI!tr\r\nW32/AgentTesla.FDFF!tr\r\nAll network IOCs are blocked by the WebFiltering client.\r\nFortiEDR blocks all of these files based on reputation as well as behavioral detection.\r\nAdditionally, FortiGuard Labs provides the following AV coverage against RedLine Stealer malware in general:\r\nMSIL/Redline.5418!tr\r\nW32/Redline.HV!tr\r\nW32/Redline.HU!tr\r\nW32/Redline.HP!tr\r\nW32/Redline.HL!tr\r\nW32/Redline.HT!tr\r\nW32/Redline.AOR!tr\r\nW32/Redline.HQ!tr\r\nW32/Redline.HS!tr\r\nW32/Redline.HM!tr\r\nW32/Redline.HX!tr\r\nW32/Redline.HR!tr\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer"
	],
	"report_names": [
		"omicron-variant-lure-used-to-distribute-redline-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438935,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59aa3c9e1fcf7f54374dd65791678a41fd46f36a.pdf",
		"text": "https://archive.orkl.eu/59aa3c9e1fcf7f54374dd65791678a41fd46f36a.txt",
		"img": "https://archive.orkl.eu/59aa3c9e1fcf7f54374dd65791678a41fd46f36a.jpg"
	}
}