{
	"id": "e6a4489f-a593-4f15-aa17-bbad3553d97a",
	"created_at": "2026-04-06T00:10:20.179262Z",
	"updated_at": "2026-04-10T13:11:43.504706Z",
	"deleted_at": null,
	"sha1_hash": "a5157f8f15131e0048e788d392b07b2d02da9ad2",
	"title": "Life on a crooked RedLine: Analyzing the infamous infostealer’s backend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1119116,
	"plain_text": "Life on a crooked RedLine: Analyzing the infamous infostealer’s\r\nbackend\r\nBy Alexandre Côté Cyr\r\nArchived: 2026-04-05 14:37:32 UTC\r\nUPDATE (November 12th, 2024): We clarified the information in the fourth paragraph to better reflect\r\nRedLine's functionality before versus after the takedown.\r\nOn October 28th, 2024, the Dutch National police, alongside the FBI, Eurojust, and several other law enforcement\r\norganizations, performed a takedown of the infamous RedLine Stealer malware-as-a-service (MaaS) operation,\r\nand its clone called META Stealer. This global effort, named Operation Magnus, resulted in the takedown of three\r\nservers in the Netherlands, the seizure of two domains, two people being taken into custody in Belgium, and the\r\nunsealing of charges against one of the alleged perpetrators in the United States.\r\nBack in April 2023, ESET participated in a partial disruption operation of the RedLine malware, which consisted\r\nof the removal of several GitHub repositories used as dead-drop resolvers for the malware’s control panel. Around\r\nthat time, we investigated previously undocumented backend modules of this malware family in collaboration\r\nwith fellow researchers at Flare. These modules don’t interact directly with the malware, but rather handle\r\nauthentication and provide functionality for the control panel.\r\nSince RedLine has now been taken down, we are revealing our findings from 2023 publicly, along with some\r\nmore recent discoveries that were made based on source code and samples shared with us by the Dutch National\r\nPolice.\r\nNote that most of this analysis was performed before the takedown. Additionally, there are old, cracked copies of\r\nthe malware that might still work. 
This is why we are describing the RedLine operation as if it is an ongoing\r\nactivity.\r\nKey points of the blogpost:\r\nIn 2023, ESET researchers, in collaboration with law enforcement, collected multiple modules\r\nused to run the infrastructure behind RedLine Stealer.\r\nWe analyzed these previously undocumented modules to provide insight into the internal\r\nworkings of this malware-as-a-service empire.\r\nWe were able to identify over 1,000 unique IP addresses used to host RedLine control panels.\r\nThe 2023 versions of RedLine Stealer we investigated in detail used the Windows\r\nCommunication Framework for communication between the components, while the latest\r\nversion from 2024 uses a REST API.\r\nBased on our analysis of the source code and backend samples, we have determined that Redline\r\nStealer and META Stealer share the same creator.\r\nhttps://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/\r\nPage 1 of 22\n\nRedLine Stealer is information stealing malware first discovered in 2020 by Proofpoint. Rather than being\r\ncentrally operated, RedLine operates on a MaaS model in which anyone can buy a turnkey infostealer solution\r\nfrom various online forums and Telegram channels. Clients, called affiliates, can opt for a monthly subscription,\r\nor a lifetime license; in exchange for their money, they get a control panel that generates malware samples and\r\nacts as a C\u0026C server for them. 
The generated samples can collect a large variety of information, including local\r\ncryptocurrency wallets; cookies, saved credentials, and saved credit card details from browsers; and saved data\r\nfrom Steam, Discord, Telegram, and various desktop VPN applications.\r\nUsing a ready-made solution makes it easier for the affiliates to integrate RedLine Stealer into larger campaigns.\r\nSome notable examples include posing as free downloads of ChatGPT in 2023, and masquerading as video game\r\ncheats in the first half of 2024.\r\nNote on terminology used\r\nBecause of its MaaS model, any comprehensive discussion of RedLine will involve multiple different\r\ncomponents and layers of network infrastructure. To limit any possible confusion, we will use the\r\nfollowing terms consistently throughout the text:\r\nRedLine malware: The RedLine Stealer malware or a sample thereof.\r\nRedLine panel: GUI control panel used to manage infostealing campaigns.\r\nRedLine backend: Collection of modules that provide authentication and functionality for the\r\nRedLine panel.\r\nRedLine: The whole malware operation. This includes the RedLine malware, the RedLine\r\npanel, and the RedLine backend modules.\r\nBackend server: A server on which the RedLine backend runs.\r\nVictim: Entity targeted with the RedLine malware.\r\nOperator: The individual or team that develops RedLine, sells licenses, and operates the\r\nlicensing and associated backend infrastructure.\r\nAffiliate: Entity that operates infostealing campaigns via an instance of the RedLine panel. They\r\nusually have a license bought from the operator, but may also use a cracked version of the panel.\r\nOverview\r\nIn this blogpost we document modules running on RedLine’s backend servers to provide a greater understanding\r\nof the inner workings of this MaaS empire. We also provide some information on the RedLine panel. 
Figure 1\r\ncontains a simplified overview of the whole RedLine operation.\r\nOrdinarily, known samples of RedLine panel distributed to affiliates are heavily packed and virtualized after the\r\nfirst layer of obfuscation is applied. But as we were looking through our telemetry for activity related to RedLine\r\nStealer and its panel, we came across an old version of the RedLine panel that was only obfuscated with .NET\r\nReactor, making it much easier to analyze.\r\nFigure 1. Overview of actors and components involved in RedLine\r\nAll the components of RedLine, from the malware itself to the backend authentication server, are written in C#\r\nwith the .NET framework. The versions we analyzed used the Windows Communication Foundation (WCF)\r\nframework to communicate with each other. This framework allows one to define an API using contracts, which\r\nare statements applied to classes and interfaces to specify how objects and actions are translated between their\r\nrepresentation in the code and the network communications. Thus, programs that interact using this framework\r\nmust share definitions of these data structures or classes. These shared models proved useful in our analysis of the\r\nobfuscated components.\r\nNote that the latest 2024 RedLine version uses a REST API instead of WCF to communicate with the backend.\r\nRedLine panel\r\nThis control panel is what affiliates can buy on forums and Telegram channels. Licenses sell for US$150 per\r\nmonth or US$900 for a lifetime license. 
In exchange for the money, the affiliates get a GUI through which they\r\nmanage their campaigns, with features to configure what information to collect, create malware samples, view and\r\nmanage collected information, and integrate with a Telegram bot to sell stolen information.\r\nThe 2023 versions of the panel we investigated were heavily obfuscated using DNGuard, a well-known .NET\r\nobfuscator, and BoxedApp, a commercial packer and virtualization library. Luckily for us, RedLine used the WCF\r\nframework so the panel had to share some classes and interfaces with other components. By analyzing these\r\nshared elements from the malware and backend components, which are less protected, we were able to understand\r\na lot of the panel’s functionality despite the protections.\r\nAll RedLine panels from 2023 were signed with certificates issued to AMCERT,LLC by Sectigo, which have\r\nsince been revoked after we reported them. AMCERT,LLC corresponds to a company registered in Armenia that\r\ndoesn’t seem to have an online presence – quite unusual for a purported software developer.\r\nAuthentication\r\nIn order to use a RedLine panel, affiliates must first authenticate. Figure 2 shows the login prompt.\r\nFigure 2. RedLine panel login prompt\r\nThe RedLine panels we analyzed use GitHub repositories, like the one in Figure 3, as dead-drop resolvers for their\r\nauthentication servers. The address of this repository is hardcoded in the panel, but it is not the same for all\r\nversions of the panel. Finding and removing several of these repositories in cooperation with GitHub is what\r\nenabled us to temporarily disrupt RedLine operations in April 2023. While the removal did not affect the\r\nmalware’s backend, it forced the operators to distribute new versions of the panels. 
For a short while after the\r\ndisruption, they moved the dead-drop resolvers to Pastebin, before choosing to use their own domains in May\r\n2023, as described in our joint talk with Flare at Sleuthcon 2023. In the latest version of the RedLine panel, the\r\nthreat actors abandoned the dead-drop resolvers completely and simply used a hardcoded URL\r\nhttps://fivto[.]online/secure-api/. More information on the dead-drop resolvers can be found in the Network\r\ninfrastructure section.\r\nBy running the backend server components in a virtual network, we managed to create affiliate accounts and\r\nauthenticate with our own instance without having to buy a subscription.\r\nFigure 3. GitHub repository used as a dead-drop resolver\r\nThe first screen shown to affiliates upon logging in, seen in Figure 4, is filled with ads. While we do not know the\r\nexact nature of the ads served by the real authentication servers, we were able to create some in our own instance\r\nof the backend server for demonstration purposes. The backend server doesn’t host the actual images present in\r\nthose ads, only their URLs.\r\nFigure 4. Advertisement tab of the RedLine panel with fake ads displayed for demonstration\r\npurposes\r\nThe Black Lists tab allows affiliates to ignore incoming data by country, IP address, Build ID, or HWID (a unique\r\nID computed from a victim machine’s domain name, username, and serial number). Regardless of the exclusions\r\nselected here, samples of RedLine Stealer all contain code to prevent execution if the locale is set to one of the\r\nfollowing countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan,\r\nUkraine, and Russia.\r\nThe Telegram tab, shown in Figure 5, allows affiliates to configure a Telegram bot to post stolen data to specific\r\nchats or channels. 
The affiliate must provide a valid API token for the bot, and then can select which entries will\r\nbe shared based on the country, Build ID, OS version, and domains found in cookies or saved logins. The bot can\r\nalso be configured to share the full logs or only specific information as defined in the Message Format field, and\r\nto share statistics with the selected recipients (see Figure 6).\r\nFigure 5. Telegram bot configuration in the RedLine panel\r\nFigure 6. Telegram bot code for sharing statistics\r\nCreating malware samples in the front end\r\nThe Builder tab, shown in Figure 7, allows affiliates to create new RedLine Stealer samples by providing a\r\nRedLine panel server address, a Build ID, an error message to display, and an image to be used as the icon for the\r\ncreated sample. These last two are optional, with the image serving as the icon of the software RedLine is\r\nimpersonating, while the error message can be used to mislead the victim as to why the expected application\r\nwasn’t started.\r\nThe Build ID is used as a campaign identifier and is sent by the samples along with stolen information. While\r\nsome previously leaked versions of the RedLine panel included an executable to create builds locally, in newer\r\nversions this is performed by the backend server. This change makes any leaked or cracked RedLine panel much\r\nless useful since affiliates won’t have the ability to create samples to use with it. We describe the build process in\r\nthe RedLine.Nodes.LoadBalancer section.\r\nFigure 7. Builder tab of the RedLine panel\r\nRedLine backend\r\nThe RedLine backend we analyzed in 2023 consists of two modules. 
The first one, named\r\nRedLine.Nodes.DbController, manages affiliate and advertisement data. Despite its name, this module doesn’t use\r\na traditional database, but rather stores records as Protobuf-encoded objects in individual files, with a specific\r\nsubdirectory for each type of data. The second module, named RedLine.Nodes.LoadBalancer, functions as the\r\nserver and provides most of the functionality used by the RedLine panel.\r\nWe also found a module called RedLine.MainServer, which is probably the ancestor of\r\nRedLine.Nodes.DbController and RedLine.Nodes.LoadBalancer. In later versions, it was split off as a separate\r\nmodule that handles user and advertisement data.\r\nIn the 2024 version of the backend, DbController and LoadBalancer have been replaced by a single module named\r\nNodes.Api.\r\nRedLine.Nodes.DbController\r\nIn DbController, affiliate data is represented by a class named ClientData, detailed in Table 1.\r\nTable 1. Description of ClientData properties\r\nAttribute Description\r\nID Unique numeric ID.\r\nLogin Username.\r\nPassword Password.\r\nRegistrationDate Timestamp of the affiliate account’s creation.\r\nActivated Whether the affiliate has bought a license.\r\nLastActive Timestamp of the affiliate’s last activity.\r\nLastIP\r\nIP from which the affiliate’s last activity occurred. 
Used together with LastActive to\r\nprevent authentication if the affiliate’s account was active from another IP address in the\r\nlast five minutes.\r\nWe believe this is to prevent account sharing.\r\nPremium Unused in the modules we analyzed.\r\nActivateUntil Expiration timestamp of the affiliate’s license.\r\nBuildKey Unique string used to identify samples created by the affiliate.\r\nThis is mostly straightforward but presents a few interesting quirks, mainly the way passwords and lifetime\r\nlicenses are handled.\r\nLooking at the code used to authenticate affiliates (shown in Figure 8) makes it obvious that passwords are stored\r\nin cleartext. The submitted password is compared directly to the stored one without any hashing function being\r\ninvolved.\r\nFigure 8. Excerpt of the function to handle affiliate logins in DbController\r\nFigure 9 shows that a lifetime license, which affiliates can buy for US$900, is represented by setting the expiration\r\ndate of a given license to any date after 2025. This is alternatively referred to as a Pro License elsewhere in the\r\ncode.\r\nFigure 9. Code from the LoadBalancer module used to check whether an affiliate has a lifetime\r\nlicense\r\nRedLine.Nodes.LoadBalancer\r\nAs seen in Figure 10, the LoadBalancer module listens on port 8778. This screenshot also shows the handlers\r\ndefined in the MainPanelService WCF contract. The handlers that are related to affiliate and advertisement data –\r\nnamely OnSignInInternal, OnConnect, OnCheckExpire, and OnGetPartners – delegate requests to the\r\ncorresponding handler of DbController. The OnCheckConnect handler is used by the Redline panel to check\r\nwhether its C\u0026C server is reachable from the exterior. The rest of the handlers all relate to the creation of malware\r\nsamples.\r\nFigure 10. 
Initialization code for the MainPanelService WCF service and its handlers\r\nSample creation in Redline backend\r\nSince it was first documented in 2020, RedLine Stealer has been rewritten to use the WCF framework, and later a\r\nREST API, for network communication. As seen in Figure 11, the internal name for these rewritten versions\r\nappears to be RedLine.Reburn.\r\nFigure 11. Code to obtain the path to the RedLine.Reburn solution\r\nTo create samples of the RedLine Stealer malware, the OnCreateLastBuild handler shown in Figure 10 uses the\r\nCreateBuild method from the custom VSBuilder class. When a CreateBuild request is received, the cleartext\r\npassword for the affiliate’s account is logged to the console. This shows a casual disregard for well-known\r\nsecurity practices.\r\nIf in the request no port is specified for the C\u0026C server, the builder defaults to port 6677. When building a\r\nsample, the code in Figure 12 is used to derive a token from the campaign’s Build ID and the affiliate account’s\r\nBuild Key. We believe this corresponds to the value of the ns1.Authorization header used in communication\r\nbetween the samples and panel. This header seems to be used by the panel to filter out connections from samples\r\nnot created by the current account.\r\nFigure 12. Code used to derive token values for RedLine Stealer samples\r\nThe VSBuilder.CreateBuild method uses a local C# solution to create samples. Some of the source files are read\r\ninto memory to replace specific values before being written back to disk. 
While we were unable to collect the\r\nproject’s files, the decompiler output for this method along with that of a RedLine Stealer sample provide enough\r\ncontext to understand that the modified values are:\r\nC\u0026C address (encrypted),\r\nBuild ID (encrypted),\r\nfake error message (encrypted),\r\ndecryption key,\r\nflag to indicate whether to send stolen information in parts or all at once,\r\nauthentication token, and\r\nassembly name.\r\nOnce these values are replaced, Visual Studio is invoked to build the project.\r\nIf the affiliate has selected the corresponding option, and has a lifetime license, the compiled executable is\r\nobfuscated with the commercially available Babel Obfuscator. In the 2024 version, obfuscation is implemented for\r\nall users and is done via .NET Reactor instead.\r\nFinally, a self-signed certificate is generated with the code from Figure 13, and used to sign the executable. The\r\nfields of its Distinguished Name (DN) are filled with random dictionary words. The certificates generated this way\r\nuse the hardcoded password 123321 and have a validity period extending from seven days before their generation\r\nto 10 years after.\r\nFigure 13. Function that generates self-signed certificates with random words in the DN\r\nThe LoadBalancer module also provided an OnCreateClipper handler. As the name suggests, this was used to\r\ngenerate clipboard hijacking malware; in this case, it was used to hijack cryptocurrency transactions by replacing\r\nwallet addresses in the clipboard with those of attacker-controlled wallets. This functionality has been removed in\r\nthe latest versions of the Redline backend.\r\nInterestingly, the Builder class also contained dead code to generate a malware sample from a stub executable. 
We\r\nbelieve this was a leftover from the method used to generate previous versions of RedLine Stealer. The latest\r\nversion of the Redline backend does not contain the code anymore.\r\nAnother handler, named OnSignFile, allows affiliates with lifetime licenses to sign arbitrary files with a certificate\r\nlocated on the backend server. We were unable to collect this certificate, but have reason to believe that it may be\r\nthe same certificate used to sign RedLine panels, since it has also been used to sign a large number of RedLine\r\nStealer and other malware samples. Another likely candidate is the certificate with the thumbprint\r\n28F9A8E7601F5338BF6E194151A718608C0124A8, issued to Hangil IT Co., Ltd. This, likely stolen, certificate\r\nhas been used to sign many RedLine Stealer samples and other malicious files. It has already been revoked.\r\nRedLine.MainServer\r\nThe RedLine.MainServer module combines some of the functionality of the two previous modules with a GUI\r\nthat allows the admin to easily manage affiliate accounts and advertisement data. Despite this added functionality,\r\nmultiple factors indicate that this version of MainServer is probably an ancestor of LoadBalancer and\r\nDbController rather than a successor:\r\nMainServer samples are compiled with an older version of the .NET framework (4.6.2 vs 4.8).\r\nThe assembly’s copyright year is 2020 instead of 2021.\r\nSome MainServer samples do not contain functionality for advertisements.\r\nThe main WCF service’s contract (MainPanelService) does not include the IsAlive handler that is present\r\nin the same class as LoadBalancer. 
This handler is used by all the most recent RedLine panels we have\r\nanalyzed.\r\nNote that in later versions of the RedLine backend, the GUI administration panel has been split off into its own\r\nmodule also named MainServer.\r\nThe examined version of the GUI gave us interesting insight into RedLine management. It provides a form to\r\ncreate and edit affiliate account data, as shown in Figure 14. The fields correspond to the ClientData class\r\ndescribed previously.\r\nFigure 14. RedLine MainServer affiliate account management interface\r\nA similar form, in Figure 15, exists to manage advertisements.\r\nFigure 15. RedLine MainServer advertisement management interface\r\nFinally, the rudimentary dashboard in Figure 16 gives the operator an overview of license sales.\r\nFigure 16. Statistic dashboard of the MainServer\r\nNodes.Api\r\nAnalysis of samples shared by Dutch law enforcement shows that in the latest RedLine versions, the\r\nfunctionalities of the LoadBalancer and DbController modules have been combined into a new one named\r\nNodes.Api. This backend module is packaged as a single-file .NET application and uses the WebApplication class\r\nfrom ASP.NET to provide the REST API used by the panels. As seen in Figure 17, the module handles requests\r\nsent to both RedLine (fivto[.]online) and META (spasshik[.]xyz) servers, showing that the two infostealers share\r\nthe same operators.\r\nFigure 17. Code to set up the listener for requests sent to both RedLine and META servers\r\nTable 2 lists the endpoints exposed by the REST API along with the corresponding WCF handler from previous\r\nversions.\r\nTable 2. 
RedLine endpoints\r\nEndpoint\r\nCorresponding WCF\r\nHandler\r\nDescription\r\n/api/test N/A\r\nProbably used to test connectivity. This simply\r\nreturns the value OK.\r\n/secure-api/sign-in OnSignInInternal Handles logins from the panel.\r\n/secure-api/getBanners OnGetPartners Returns the ads to be displayed in the panel.\r\n/secure-api/createFile OnCreateLastBuild Creates an instance of the stealer malware.\r\n/secure-api/checkConnect\r\nOnCheckConnect\r\nPings the specified address and port to check whether\r\nit is externally reachable.\r\n/secure-api/updateDb N/A\r\nMakes the backend reload affiliate data. This is only\r\ndone if the request comes from a loopback address.\r\n/edk92hd/createRandom N/A\r\nCreates a new affiliate entry with a random username\r\nand password.\r\n/edk92hd/renew N/A\r\nExtends the license validity period of the specified\r\naffiliate.\r\n/Panel.zip N/A\r\nReturns the Panel.zip file from disk. This password-protected archive contains the latest version of the\r\npanel.\r\nUnlike the 2023 versions of the backend we originally analyzed, lifetime licenses no longer appear in the code of\r\nthe new module. Since licenses of this type were still being sold, we believe they were likely handled by simply\r\nsetting their expiration to a date far in the future. Functionality related to code signing has also been completely\r\nremoved.\r\nSamples created by the Nodes.Api module are obfuscated using .NET Reactor if it is present at the hardcoded path\r\nC:\\Program Files (x86)\\Eziriz\\.NET Reactor\\dotNET_Reactor.exe. 
This corresponds to its default installation\r\npath.\r\nBeyond the aforementioned changes, features that were present in older versions behave much as they did before.\r\nHowever, a couple of interesting functionalities have been added.\r\nAffiliate management\r\nThree endpoints used to manage affiliate data are exposed. These appear to be meant for use only by the operator,\r\nbut this is handled in two very different ways. The /secure-api/updateDb endpoint causes the server to reload user\r\ndata from disk. Figure 18 shows the update method invoked by the MainServer module whenever a new entry is\r\ncreated or modified. The operation is only performed by the Nodes.Api module if the request comes from a\r\nloopback address, which prevents Panel users from using it.\r\nFigure 18. Method invoked by the MainServer module\r\nThe other two endpoints, /edk92hd/createRandom and /edk92hd/renew, use a different method of mitigating\r\nunauthorized access. As seen in Figure 19, they can only be invoked if the request contains an sko3s header set to\r\na seemingly random hardcoded value.\r\nFigure 19. Code for checking whether request contains the correct sko3s header\r\nBackups\r\nThe other interesting feature is the ability to back up affiliate data, functionality that was missing in the older\r\nversions of the code. Since this data is stored in a series of files on disk, the backup is a ZIP archive of the\r\ndirectory that contains the files. This archive is then sent via Telegram using a hardcoded Chat ID shown in Figure\r\n20.\r\nFigure 20. ZIP archive creation\r\nLinks with META Stealer\r\nMETA Stealer is the other infostealer disrupted alongside RedLine Stealer. 
According to an article by Kela, META\r\nStealer was first announced on cybercrime forums in March 2022. The author claimed that it used the same code\r\nas RedLine Stealer and provided the same functionality and panel. META Stealer hasn’t been investigated as\r\nthoroughly as RedLine Stealer, but our research indicates that the claims it initially made are accurate. Based on\r\nthe source code, the two infostealers are most probably made by the same person. While there are some\r\ndifferences, most of the code is the same with instances of the string RedLine replaced by Meta. As can be seen in\r\nFigure 21, the code that is commented out to be inactive in RedLine is present in META.\r\nFigure 21. RedLine Stealer (left), and META Stealer (right) source code comparison\r\nAs we already mentioned, another piece of evidence pointing towards RedLine and META having the same\r\noperators is seen in the code of the Nodes.Api module, which handles requests sent to both RedLine and META\r\nservers, as shown in Figure 17.\r\nWe also found two samples of the META panel signed with a certificate that was also used to sign samples of the\r\nRedLine panel. This panel used the same dead-drop resolver schemes, going as far as using the same AES and\r\nRSA keys, only with a different GitHub repository. Additionally, as Figure 22 shows, a comparison of the panels\r\nused by META and RedLine reveals only minor cosmetic differences.\r\nFigure 22. 
Panel login prompts for RedLine (top) and META (below)\r\nMETA Stealer uses the same combination of DNGuard and BoxedApp to protect its panel from analysis.\r\nHowever, META’s authentication process could not be completed when run against our instance of the RedLine\r\nbackend from 2023, so it seems to have been modified from that of RedLine.\r\nNetwork infrastructure\r\nBy parsing samples of RedLine that we detected between November 30th, 2022 and March 23rd, 2023, we were\r\nable to identify over 1,000 unique IP addresses used to host RedLine panels. Figure 23 shows the geographical\r\ndistribution of these hosted panels. Russia, Germany, and the Netherlands each account for about 20% of the total,\r\nwhile Finland and the United States each represent around 10%. Even though this data only comes from samples\r\ntargeting our customers, we believe it paints a fairly accurate picture with regards to the overall distribution of the\r\nmalware.\r\nFigure 23. Heatmap showing the geographical distribution of hosted RedLine panels\r\nWe were also able to identify multiple distinct backend servers. It’s likely that there were more in the dead-drop\r\nresolvers that we couldn’t decrypt. Based on their geographical distribution, shown in Figure 24, the servers are\r\nmainly located in Russia (about a third of them) while the UK, the Netherlands, and the Czech Republic each\r\nrepresent around 15% of the servers we identified.\r\nFigure 24. Heatmap showing the geographical distribution of RedLine backend servers\r\nDead-drop resolvers\r\nAs we already mentioned, the 2023 versions of the RedLine panel used GitHub repositories as dead-drop resolvers\r\nfor its authentication servers. 
These repositories all contained a file with an encrypted list of server addresses. The\r\nfile was encrypted using a custom module simply named RSA. In one version of this module, shown in Figure 25,\r\nthe list was encrypted using AES-CBC with a hardcoded key and IV, and saved to a file named\r\nnodesUpdate.config.\r\nFigure 25. EncryptHosts function with hardcoded AES key and IV\r\nMore recent versions, which were in use at least until mid 2024, employ RSA encryption instead (see Figure 26),\r\nwith the output written to a file named nodes.config. In this case, the key is read from a file rather than being\r\nhardcoded in the executable. However, the class used to perform RSA encryption is also present in the\r\nLoadBalancer module, with hardcoded default values for the public and private keys. Note the use of “nodes”\r\nagain to refer to the backend servers.\r\nFigure 26. RSA encryption and decryption functions with hardcoded default keys\r\nWe have observed GitHub repositories that contain at least one such encrypted file. Along with the keys shown\r\nabove, we were able to extract an RSA private key from a sample of the panel. This allowed us to obtain lists of\r\nauthentication servers, which we shared with law enforcement agencies.\r\nConclusion\r\nBefore Operation Magnus, RedLine was among the most widespread of infostealer malware with a very large\r\nnumber of affiliates using its control panel. However, the malware-as-a-service enterprise seems to be orchestrated\r\nby only a handful of people, some of whom have been identified by law enforcement.\r\nMETA Stealer, RedLine Stealer’s clone and most probably created by the same threat actors, made its entry into\r\nthe field in 2022. It does not appear to be a successor to RedLine, since the development of both families has\r\ncontinued in parallel. 
It was taken down alongside RedLine Stealer.\r\nOur in-depth analysis of the behind-the-scenes parts of RedLine – its control panel and backend – hopefully provides a more holistic understanding of this threat.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n1AD92153B56FC0B39F8FCEC949241EC42C22FA54 | Nodes.Api.exe | N/A | RedLine backend single-file application.\r\n8A0CAFE86C0774F1D9C7F198505AE15D04447DD6 | MainServer.exe | N/A | RedLine backend user and advertisement management module (2024 version).\r\n607DBA5F630A1DBFF0E13EEBA2730AB9AB2FB253 | Nodes.Api.dll | N/A | RedLine backend main module.\r\nFB3ABAC1FAC852AE6D22B7C4843A04CE75B65663 | Panel.exe | MSIL/Spy.RedLine.O | META stealer panel (2024 version).\r\nEE153B3F9B190B1492DEFBB1C70830A28F7C41B2 | RedLine.MainPanel.exe | MSIL/Spy.RedLine.H | RedLine stealer panel (2024 version).\r\n1AB006B1C5403BA4648059DF93B6DAEB0E3EC43F | Panel.exe | MSIL/Spy.RedLine.O | RedLine stealer panel (2024 version).\r\nDC3A236245AE8C4D5D079E429ED6B77A5B5245C2 | RedLine.MainServer.exe | N/A | RedLine backend licensing server GUI.\r\n06A2A900561C122F45088A5EAE9146F7675C63F6 | rsa.exe | N/A | Tool to encrypt the list of C\u0026C servers.\r\n1626F2666782710FC28D4AFE607C7BE54F1FC67F | RedLine.Nodes.LoadBalancer.exe | N/A | RedLine backend server module.\r\n37D1221CE6BB82E7AD08FD22BD13592815A23468 | RedLine.SharedModels.dll | MSIL/Spy.RedLine.K | RedLine WCF models and contracts definitions.\r\n66C0E7E74C593196E0925A7B654E09258E3B1FB7 | Panel.exe | Win32/GenCBL.ATC | RedLine panel (v22.4).\r\n2E5D9F2ED82C81609F4C49EA31642B1FB5FC11B5 | RedLine.MainPanel.exe | MSIL/Spy.RedLine.H | RedLine panel (non-virtualized).\r\n47B78A5698A289C73175C5C69786DE40C7C93C12 | RedLine.SharedModels.dll | MSIL/Spy.RedLine.J | RedLine models and contracts definitions.\r\n49BE1D7C87AC919BB9083FA87F7B907E5F2C9835 | Panel.exe | MSIL/Spy.RedLine.H | META Stealer Panel.\r\n4BF4D42EED7FCA8FD52863B7020AC646EC6D97E9 | RedLine.Nodes.DbController.exe | N/A | RedLine backend server user and advertisement management module.\r\n27BD472729439D5B8814D4A8A464AF9832198894 | Panel.exe | MSIL/Spy.RedLine.H | RedLine panel (v26).\r\nA154DFAEDC237C047F419EB6884DAB1EF4E2A17D | Panel.exe | MSIL/Spy.RedLine.H | RedLine Panel (leaked cracked version).\r\nNetwork\r\nNote that the domains in the table below have been seized by law enforcement. 
The other panel and server addresses that we collected were shared with law enforcement agencies on a regular basis to help in their actions and are no longer active.\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | spasshik[.]xyz | N/A | 2024-06-02 | META backend REST server.\r\nN/A | fivto[.]online | N/A | 2024-08-03 | RedLine backend REST server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Instances of the RedLine back end are hosted on leased virtual private servers.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | Instances of the RedLine back end are hosted on servers that appear to be exclusive to RedLine.\r\nResource Development | T1587.001 | Acquire Infrastructure: Web Services | Operators of RedLine have created multiple GitHub accounts and repositories.\r\nResource Development | T1587.002 | Develop Capabilities: Malware | Operators of RedLine have developed their own malware families, control panels, and back-end servers.\r\nResource Development | T1588.003 | Develop Capabilities: Code Signing Certificates | The RedLine back end automatically generates self-signed certificates when creating samples.\r\nResource Development | T1608.002 | Obtain Capabilities: Code Signing Certificates | RedLine panels are signed with valid certificates issued to AMCERT,LLC.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | Back-end components of RedLine are uploaded to private servers.\r\nDefense Evasion | T1622 | Debugger Evasion | The RedLine panel automatically terminates itself if it detects a debugger or analysis tools.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Samples of the RedLine panel are packed using DNGuard and BoxedApp.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | RedLine makes extensive use of base64 encoding in its network communications. Network communication uses the standard binary encoder of the WCF framework.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Communications between the panel and back-end server use AES encryption. In some cases, dead-drop resolver content is encrypted with AES-CBC.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Communications between the panel and back-end server use RSA encryption. In some cases, dead-drop resolver content is encrypted with RSA.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Network communication in recent versions is done via a REST API over HTTPS.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Network communication is done with the WCF Framework over TCP.\r\nCommand and Control | T1102.001 | Web Service: Dead Drop Resolver | The RedLine panel uses GitHub repositories as dead-drop resolvers to obtain the address of back-end servers.\r\nCommand and Control | T1571 | Non-Standard Port | By default, the RedLine panel’s Guest Links functionality runs an HTTP server on port 7766.\r\nSource: https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/"
	],
	"report_names": [
		"life-crooked-redline-analyzing-infamous-infostealers-backend"
	],
	"threat_actors": [],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5157f8f15131e0048e788d392b07b2d02da9ad2.pdf",
		"text": "https://archive.orkl.eu/a5157f8f15131e0048e788d392b07b2d02da9ad2.txt",
		"img": "https://archive.orkl.eu/a5157f8f15131e0048e788d392b07b2d02da9ad2.jpg"
	}
}