{
	"id": "04cdfccf-76af-4d79-b29e-fd35bde9aac1",
	"created_at": "2026-04-06T00:22:22.188816Z",
	"updated_at": "2026-04-10T13:13:04.020544Z",
	"deleted_at": null,
	"sha1_hash": "b08049522aa14d9d2b4862c1185618c696d93440",
	"title": "REDLINESTEALER Malware Driving the Initial Access Broker Market",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39215,
	"plain_text": "REDLINESTEALER Malware Driving the Initial Access Broker Market\r\nBy Laurie Iacono, Keith Wojcieszek, George Glass\r\nPublished: 2024-08-14 · Archived: 2026-04-05 15:06:23 UTC\r\nKroll frequently sees threat actors, particularly ransomware gangs, leveraging valid accounts to gain a foothold in corporate networks. Many of these gangs rely on information-stealing malware as a means to obtain such credentials. REDLINESTEALER is one of the most common varieties of infostealer that Kroll currently encounters. Infostealer logs are a significant factor in the initial access broker market: threat actors sell access they have gained to corporate environments to ransomware operators, who then complete the attack chain and extort the victim.\r\nInfostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. Threat actors aim to infect as many individuals as possible to collect their credentials. This presents an unseen risk to corporate environments, as employees' personal machines can become infected. These may hold credentials that grant access to corporate accounts, or credentials reused across personal and corporate services, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways.\r\nCharacteristics of REDLINESTEALER\r\nFirst seen in around 2020, REDLINESTEALER is available on underground forums as a monthly subscription service. This gives attackers access to the REDLINESTEALER panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems.\r\nREDLINESTEALER collects this data from a number of sources, including:\r\nInstalled browsers (e.g. their SQLite databases)\r\nVPN credentials\r\nCrypto wallets (such as files containing *.wallet)\r\nChat messages\r\nFileZilla credentials\r\nREDLINESTEALER can gather detailed information about victims’ systems, such as IP address, city and country, operating system, administrator privileges and information about infected PC hardware and graphics cards, as well as identifying any installed antivirus software on the system.\r\nIf REDLINESTEALER is found to have been executed on a device, it is safe to consider that any credentials stored locally on that device have been compromised. REDLINESTEALER can also download files, making it likely that further payloads could be deployed to a victim device should a threat actor require more functionality for their objectives, such as high-bandwidth data exfiltration or ransomware.\r\nhttps://www.kroll.com/en/publications/cyber/redlinestealer-malware\r\nPage 1 of 2\r\nCybercriminals deliver REDLINESTEALER in a number of ways. They have been found posting sponsored adverts on hijacked Facebook business and community pages. These offer free downloads of AI chatbots such as ChatGPT and Google Bard but lead users to download REDLINESTEALER. In November 2023, a new version of the ScrubCrypt obfuscation tool was identified as being available for sale on dark web marketplaces and used to launch account takeover and fraud attacks with REDLINESTEALER.\r\nIn Q4 2023, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINESTEALER. In these instances, the lure was PDF converter software, on the URL “pdfconvertercompare[.]com”. It is likely that users accessing the page were searching for a legitimate copy of a tool, or searching for innocuous phrases such as 'printable calendars' or 'business models', and being presented with the malicious URL at the top of their search results. The site contained a description of the alleged tool above a download button. The subsequently downloaded file was \"PdfConverters.exe\", which Kroll identified as REDLINE. The file had a low anti-virus detection rate, with eight of 69 vendors detecting it. Within Kroll cases, interaction with the file caused it to be quarantined at the point where the process \"WmiPrvSE.exe\" interacted with the file to either execute or delete it.\r\nKroll has previously reported on similar tactics used by other infostealers such as VIDAR, leveraging Google Ads to masquerade as a legitimate site to download popular software.\r\nSource: https://www.kroll.com/en/publications/cyber/redlinestealer-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/publications/cyber/redlinestealer-malware"
	],
	"report_names": [
		"redlinestealer-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b08049522aa14d9d2b4862c1185618c696d93440.pdf",
		"text": "https://archive.orkl.eu/b08049522aa14d9d2b4862c1185618c696d93440.txt",
		"img": "https://archive.orkl.eu/b08049522aa14d9d2b4862c1185618c696d93440.jpg"
	}
}