{
	"id": "39f21ff3-9f58-4b89-a427-96f8ebd8f478",
	"created_at": "2026-04-06T00:06:34.351017Z",
	"updated_at": "2026-04-10T03:21:58.306318Z",
	"deleted_at": null,
	"sha1_hash": "9801ffce1acd4d3232dbde8f5511730e34ba9641",
	"title": "Digital artists targeted in RedLine infostealer campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 338264,
	"plain_text": "Digital artists targeted in RedLine infostealer campaign\r\nArchived: 2026-04-05 14:36:19 UTC\r\n2021-06-17: updated with information from Twitter user ARC\r\nIn this post, we'll look at a campaign, that targeted multiple 3D or digital artists using NFT, with malware named RedLine.\r\nThis malware is a so called \"infostealer\" or \"information stealer\" that is capable of extracting sensitive data from your\r\nmachine (such as wallet information, credentials, and so on). As a side-note; NFTs, or non-fungible tokens, are digital tokens\r\ntied to assets that can be bought, sold and traded.\r\nThis blog post is divided into four parts:\r\nIntroduction: provides an overview of what happened\r\nAnalysis: analysis of the attack and the malware used\r\nDetection: how to detect and remove the malware (skip to Detection if you just want to clean this up)\r\nPrevention: how to prevent this from happening again\r\nConclusion: a brief conclusion and additional thoughts\r\nIntroduction\r\nFrom at least last Thursday, 10th of June 2021, multiple users report on Twitter that they got hacked after being approached\r\nto create new digital art. These users, accomplished digital artists and publishing their work on NFT marketplaces, were\r\napproached either via Instagram, Twitter DM (message) or directly via email. The attacker has masqueraded themselves\r\nbehind multiple personas, often claiming to be from South Korea. A few of the users that reported the attack:\r\nAriel:\r\nSmall thread on the recent attacks to NFT artists, and how to prevent it. #NFTLamers #StolenNFT #NFTArt\r\npic.twitter.com/KvrsuyQaeT\r\n— 🌈 ArielBeckerArt.eth #SquidGang 🦑 (@arielbeckerart) June 10, 2021\r\nfvckrender:\r\nNicole:\r\nARC:\r\nCloudy Night:\r\n— Cloudy Night ☁️ (@CloudyNight_k) June 11, 2021\r\nThere are many, many more examples - however, we won't list them here. 
Of note is Ariel's tweet, which shows the\r\npresence of a file named \"Rizin_Fight_Federation_Presentation.scr\". I'll circle back to that in the next section, Analysis.\r\nAnalysis\r\nAfter scouring the internet for a while, I was unable to discover any of the files mentioned by the artists who reported the\r\nattack, until I stumbled upon Cloudy Night's tweet: their screenshot included a link to a website, \"skylumpro.com\".\r\nhttps://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html\r\nPage 1 of 7\n\nAs expected, this is not the legitimate website, but rather a clever copycat of the real Skylum product website (the\r\nreal website is https://skylum.com/luminar-ai-b). After clicking the \"Download Now\" button, a file named\r\n\"SkylumLuminar (NFT Beta).rar\" is downloaded, which must be extracted with the password \"NFT\", as we can observe\r\nfrom Cloudy Night's tweet.\r\nThe extracted content looks as follows:\r\nOne of the first things you may notice is the large file size of the so-called beta version. As seen earlier in Ariel's\r\ntweet, the file size was 745MB, while this file is a whopping 791MB!\r\nBut why is this file so large, and why does it matter?\r\nThe attacker has appended a large chunk of overlay data to the original file; put simply, a bunch of extra\r\ndata that does nothing.\r\nThe attacker has increased the file size this much to try and evade antivirus software and scanning tools; for example,\r\na well-known service to scan suspicious files, VirusTotal, only accepts files up to 650MB, while some antivirus\r\nscanners may not even scan a file this large.\r\nWhile you could upload the original RAR file, the attacker has password-protected it, so VirusTotal will be unable to\r\nscan it properly. You could re-package it, but the file itself may not be scanned.\r\nHaving said all that, after removing the excessive overlay, a much more reasonable file size is obtained: 175KB.
This new\r\nfile's properties are:\r\nMD5: d93de731781723b3bb43fa806c5da7d1\r\nSHA-1: 1d49e7d163bce8cc6591ea33984796c531893b47\r\nSHA-256: b9923cdcd07e3e490a729560aa6f7c9b153ac0359cc7fa212c65b08531575a5a\r\nCreation Time: 2021-06-12 20:46:31\r\nVirusTotal results:\r\nhttps://www.virustotal.com/gui/file/b9923cdcd07e3e490a729560aa6f7c9b153ac0359cc7fa212c65b08531575a5a/detection\r\nOf note is the creation or compilation time: this is the date and time the file was originally created. While this can be\r\nspoofed, I do not believe it is the case here. This time matches when the attack appeared. It is, however, highly likely that\r\nmore files, such as the one in Ariel's tweet, are doing the rounds.\r\nThis file then executes a second file, which is the RedLine infostealer malware. This file has the following properties:\r\nMD5: b7df882c1b75c753186eec8fcb878932\r\nSHA-1: a04339be16a3b48d06017f44db7e86b3c8982110\r\nSHA-256: 2917305ac2959a98296578c46345691ccf638bdcc0559134432f5993da283faa\r\nCreation Time: 2042-10-31 08:29:02\r\nVirusTotal results:\r\nhttps://www.virustotal.com/gui/file/2917305ac2959a98296578c46345691ccf638bdcc0559134432f5993da283faa/detection\r\nNote the creation time is different: it is set in 2042. This is obviously faked by the attacker so as not to reveal when exactly it was\r\ncreated. However, with the above data, we can assume it was created in the last 5 days or so.\r\nAs mentioned before, once you execute the SkylumLuminarNFTBetaVersion.exe file, you will be infected with the\r\nRedLine infostealer malware. Proofpoint first reported on this malware in March 2020: New Redline Password Stealer\r\nMalware.
This malware has many capabilities, including, but not limited to:\r\nStealing usernames and passwords from browsers;\r\nCollecting extensive system information;\r\nExecuting commands, such as downloading and uploading other files, opening links and so on;\r\nStealing cryptowallet information, both from Chrome extensions and from typical wallet.dat files. The extensions\r\ntargeted are:\r\nYoroiWallet\r\nTronlink\r\nNiftyWallet\r\nMetamask (refer also to Nicole's tweet)\r\nMathWallet\r\nCoinbase\r\nBinanceChain\r\nBraveWallet\r\nGuardaWallet\r\nEqualWallet\r\nJaxxxLiberty\r\nBitAppWallet\r\nStealing data from other software, such as:\r\nSteam;\r\nTelegram;\r\nFTP clients such as FileZilla.\r\nThe screenshot below displays part of RedLine's functionalities:\r\nRedLine will first gather some basic information about your machine, such as the machine name, external IP address, your\r\ngeography and so on. It gathers external information by querying one of the following IP lookup services:\r\nhttps://api.ipify.org\r\nhttps://icanhazip.com\r\nhttps://wtfismyip.com/text\r\nhttp://bot.whatismyipaddress.com/\r\nhttp://checkip.dyndns.org\r\nNote these services are not malicious; they are simply being used by the attacker to gather more information. Interestingly\r\nenough, RedLine uses SOAP HTTP (POST) requests to its command and control server (the server or machine\r\ncontrolled by the attacker where your data will end up) using the following IP:\r\n185.215.113.60;\r\nOn port 59472;\r\nThis IP resides in the Seychelles.\r\nAnother domain and IP observed (from ARC's tweet above; the files in that archive were almost 600MB):\r\nxtfoarinat.xyz;\r\nOn IP 92.38.163.189;\r\nThis IP also has sinaryaror.xyz resolve to it, another RedLine command and control server.\r\nOne may also observe connections to tempuri.org.
This is a default placeholder for web services, and is not atypical when\r\nusing SOAP over HTTP. Tempuri is not malicious.\r\nFinally, after receiving all this data, the attacker can start logging into your accounts, attempt to steal your tokens,\r\nimpersonate you and so on. The attacker can also install other malware if they wish, such as ransomware.\r\nWhat now? Detection\r\nGood news:\r\nThe variant discussed in this blog post does not appear to persist: in other words, after a reboot, its process will no longer\r\nbe active.\r\nBad news:\r\nEverything else. Unfortunately, RedLine works pretty fast, and a few minutes are enough to exfiltrate all your data and for\r\nthe attacker to fully compromise all your accounts.\r\nLuckily for us, RedLine stealer should be detected by most commercial and free antivirus software products on the market.\r\nA few recommendations to get rid of the RedLine variant discussed in this blog post (note this may not fully cover the\r\nvariant you encountered):\r\n1. Contact your NFT provider, cryptowallet provider and so on as soon as possible via telephone call or from another\r\ncomputer and inform them of what happened; ask for a temporary block of your account or at least a temporary\r\nblock on any funds from now on.\r\n\u003e\u003e\u003e It is very important you do this first! \u003c\u003c\u003c\r\n2. If you can, change your credentials from another machine, such as your phone, your partner's laptop, ... Note it's\r\nrecommended to change your credentials at least for your email accounts and for your wallets; focus on the most\r\nimportant accounts first! If you do not have this possibility, continue with the steps below.\r\n3. Open Task Manager, go to the Details tab and search for any process with the following names:\r\n1. 
SkylumLuminarNFTBetaVersion.exe;\r\nFlamingly.exe;\r\nFieldTemplateFactory.exe;\r\nPaintingPromoProject;\r\nAlternatively, the name of the file you executed.\r\n2. Now, kill the process by right-clicking on it \u003e select End Process (or End Task).\r\n4. If you have a firewall or proxy, block the IPs 185.215.113.60 and 92.38.163.189.\r\n5. Run a scan with your currently installed antivirus and a scan with an alternative product, for example, Malwarebytes\r\n(which has a free version);\r\n1. You can also use ESET's Online Scanner (free): https://www.eset.com/int/home/online-scanner/\r\n6. Enable the Windows Firewall: https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f\r\n1. While this might not have much impact at this point, it will give you an additional layer of protection from\r\nother threats;\r\n7. Delete all the files you have previously downloaded if they still exist on your system; if you'd like me to analyse\r\nthem, you may send me a copy first;\r\n8. If the above scans have turned up:\r\nClean: have you executed the file?\r\n1. If not, you are not infected.\r\n2. If you did, and the scanners turn up nothing, it's possible your current antivirus product\r\nblocked the attack.\r\n3. You might also want to Refresh your PC for peace of mind.\r\nNot clean (there were detections): let the above product (e.g. Malwarebytes or ESET) clean them up and reboot\r\nyour computer.\r\n9. Finally, reset all (or the rest of) your credentials. Do this only when you know your machine is clean! Alternatively,\r\nreset your credentials from another machine as indicated earlier.\r\nIt's important to follow these steps as soon as possible to prevent further damage.
\r\nPrevention\r\nYou've come this far, or perhaps you simply skipped to this part, arguably the most important one: how to prevent this attack\r\nfrom happening in the first place. So how can this be achieved?\r\n1. First and foremost: ensure you are using Windows 8.1 or later. Older operating systems, such as Windows 7, are\r\nno longer supported by Microsoft and have additional vulnerabilities attackers may exploit;\r\n2. Install an antivirus and enable the Windows Firewall. It does not matter if the antivirus is free or not; paid\r\nversions do offer more features, but a free version will do just as well.\r\n1. Starting from Windows 10, Windows Defender should protect adequately from attacks such as the one\r\ndescribed in this blog post. Other free alternatives are Kaspersky's free cloud antivirus and Malwarebytes.\r\n2. When you receive any file, scan it with your antivirus first! (This is typically done by right-clicking on the file or folder.)\r\n3. When in doubt, upload the file to VirusTotal. Note however the tactic used here: a really large file\r\nmay not be scanned properly, and this can itself be an indication of malicious intent!\r\n3. Set UAC (User Account Control) to the maximum level, Always Notify: this will stop some additional attacks\r\n(you will get more prompts; if you do, take a pause and verify that what's on the screen should indeed be executed).\r\nHere's how to do that: https://www.digitalcitizen.life/how-change-user-account-control-uac-levels/\r\n4. Enable file extensions: some extensions, such as .scr (historically a screensaver file), are in fact executables which\r\ncould contain malicious code, as was the case in Ariel's tweet. Do not open or run these files. This will also protect\r\nyou against the \"double extensions\" trick. A file named commission.jpg.exe will now be visible as such; if file\r\nextensions are hidden, you would see commission.jpg. See the difference?
Here's how you can enable file\r\nextensions: https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/\r\n5. Create unique passwords where possible; if feasible, use a password manager;\r\n6. Enable MFA (or 2FA if MFA is not available) on all your sensitive accounts; this adds an additional layer which\r\nis typically very hard for the attacker to guess or crack. Google \"your service/account + MFA\" for specific\r\ninstructions;\r\n7. If you receive a new commission or request to create art, stop and think first. Ask yourself these questions:\r\n1. Is this coming from a reputable account or from a totally new account?\r\n1. If reputable, can I verify their claim or request somehow?\r\n2. If from a new account: be extra wary!\r\n3. If from an account with very few followers/following: be extra wary!\r\n2. How will they pay me?\r\n1. Are they using a verified cryptowallet, or trying to set me up for something shady?\r\n2. Do they have any reviews on their (public) profile, if any?\r\n3. What are they asking of me exactly?\r\n1. Are they indeed sending just images, or is there an executable file or \"special software\" I am supposed\r\nto download/open?\r\n4. Where are their links or attachments leading to?\r\n1. Are these leading to another service, e.g. imgur.com, or something different altogether?\r\n5. I have downloaded the file(s), but I do not trust the source:\r\n1. Delete it or ask for more information;\r\n2. Block the sender if you are suspicious, report their account and delete any files;\r\n3. You can double-check by scanning the files with your antivirus or uploading them to VirusTotal. The\r\nsame nuance as above applies, however.\r\n6. You can also Google any information they send through to further verify their claims.\r\n8. Finally, and where possible:\r\n1. Use a hardware wallet instead of a software wallet;\r\n2. 
Secure your seed phrase: store it offline, for example, on an external drive, or use pen and paper;\r\n3. Verify the security settings in your wallet or crypto provider: check which other security features\r\nyou can enable, and enable them.\r\nManifold, a company that creates blockchain products for NFT communities, has also written an excellent post-mortem of\r\nthis attack which includes additional advice. I highly recommend reading it: https://manifoldxyz.substack.com/p/the-fvckrender-hack-post-mortem\r\nConclusion and afterthoughts\r\nThis is not the first time a highly targeted or specific attack has hit communities that use crypto in some form or another; for\r\nexample, at the end of 2019, Monero's download site and binaries were compromised for a brief time.\r\nIf you have been targeted by this attack, and you have been compromised, follow the advice in this blog as soon as possible\r\nto clean it up and to prevent any future attack.\r\nThis attack was quite specific and targeted; there is really no need to feel bad if you have been affected, as it can happen to\r\nanyone. Explain to your crypto provider what happened, and they should be able to help you out.\r\nI'd like to thank all the vigilant users on Twitter out there for creating awareness, and I hope this blog has provided further\r\ninsight. If you were affected, and you'd like me to analyse any suspicious file, or would just like to comment, use the\r\ncomment section below or contact me on Twitter. Refer to my About me page for even more contact details.\r\nSource: https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html"
	],
	"report_names": [
		"digital-artists-targeted-in-redline.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9801ffce1acd4d3232dbde8f5511730e34ba9641.pdf",
		"text": "https://archive.orkl.eu/9801ffce1acd4d3232dbde8f5511730e34ba9641.txt",
		"img": "https://archive.orkl.eu/9801ffce1acd4d3232dbde8f5511730e34ba9641.jpg"
	}
}