{
	"id": "dcc0c48b-8ad6-46e6-afc1-ec66ab0a9aa7",
	"created_at": "2026-04-06T00:07:14.32095Z",
	"updated_at": "2026-04-10T03:22:13.750991Z",
	"deleted_at": null,
	"sha1_hash": "b2cfaa30bd024bcffefe03b3e3c8edb1a08bdee3",
	"title": "Do Not Cross The 'RedLine' Stealer: Detections and Analysis | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4245643,
	"plain_text": "Do Not Cross The 'RedLine' Stealer: Detections and Analysis | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2023-06-01 · Archived: 2026-04-05 13:41:50 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.\r\nRedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.\r\nSince it was released, threat actors and adversaries have leveraged RedLine Stealer because of its availability and flexibility for stealing credentials, which can cause financial loss and data leakage. In 2020, there was a RedLine campaign that targeted both enterprise and personal devices. Many industries received these malicious campaigns, but the most impacted were the healthcare and manufacturing sectors. Recently this year (May 10, 2023), there was a RedLine campaign found by Stormshield that used a malicious Chrome extension to download several malware families such as Smoke Loader and the Amadey Trojan. 
Amadey malware is a botnet that is now being used to distribute RedLine malware to steal data such as browser credentials, crypto wallets and even credit card information. This malicious software has been among the top malware samples shared for months in ANY.RUN statistics reports as well as in MalwareBazaar.\r\nIn this blog post, the Splunk Threat Research Team provides a deep dive analysis of this threat and valuable insights to enable blue teamers to defend against and detect this malware variant.\r\nBlog details include:\r\nAnalysis of the phishing URLs\r\nThe RedLine Loader\r\nThe RedLine Stealer Capabilities\r\nSplunk Security Content\r\nSpear Phish Link Data\r\nThe operators behind RedLine Stealer use several techniques to gain initial access to their victims. One common initial access technique that this Trojan Stealer uses is a phishing URL link. To gain more insight on how this malware executes its campaign, the Splunk Threat Research Team (STRT) collected 90 days of URL data from URLhaus and used Jupyter Notebooks to analyze the dataset to identify trends of the RedLine URL links. Figure 1 shows the list of URLs from the data related to RedLine Stealer. Based on URL tags, we can see that this Trojan is also bundled, downloaded or dropped by other malware like Amadey or SmokeLoader.\r\nhttps://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html\r\nPage 1 of 13\r\nFigure 1\r\nUsing the URLhaus dataset, we can also learn that RedLine Stealer abuses several known legitimate file/code sharing and collaboration platforms for its campaigns. Figure 2 shows the top 20 domains that RedLine Stealer used to host its malware. 
Based on the list below, the most commonly abused legitimate file sharing domains are GitHub, Dropbox, Discord, Bitbucket, OneDrive and Google Drive.\r\nThe use of these legitimate platforms allows threat actors or adversaries to evade detections or to blend their C2 communication in with other normal network traffic so that security solutions will not raise any red flags or detection alerts.\r\nFigure 2\r\nIn the following section, we explore a recent RedLine Loader, its defense evasion technique and RedLine Stealer capabilities.\r\nThe Splunk Threat Research Team found an interesting RedLine Stealer Loader that was compiled as a Win32 Cabinet self-extractor executable (wextract) (1) (2). This self-extracting archive is a type of compressed file that contains multiple files and can be executed as a program. When a user runs a self-extracting archive, the contents of the archive are extracted to a specified location on the system.\r\nFigure 3 shows a simple flow diagram of how RedLine Stealer uses a loader in the form of a self-extracting archive (.exe) to initiate its infection. This loader then executes two more self-extracting archive executables that are responsible for decrypting a shellcode to load the Amadey Trojan and two instances of the RedLine Stealer malware onto the system. Additionally, the loader also executes a .NET executable that is responsible for defense evasion.\r\nFigure 3 (For a larger resolution of this diagram visit this link)\r\nDefense Evasion Component\r\nAs described in Figure 3, the RedLine Loader will also load an executable named it532878.exe, which is a .NET executable that is responsible for defense evasion. 
Figure 4 shows the code snippet of this RedLine component that will do the following:\r\n1. Escalate its privilege as administrator or TrustedInstaller\r\n2. Try to disable the Windows Defender service “WinDefend”\r\n3. Try to disable the Tamper Protection settings of Windows Defender.\r\n4. Try to disable AntiSpyware, Real Time Protection and notifications of Windows Defender.\r\n5. Disable Windows Update services such as “wuauserv”, “WaaSMedicSvc” and “UsoSvc”\r\n6. Disable Automatic Update and change Windows configurations related to Windows Update\r\nFigure 4\r\nRedLine Stealer Deep Dive\r\nC2 Connection Check\r\nRedLine Stealer is designed to be stealthy and avoid detection by security software. Therefore, it typically starts by decrypting its initial configuration data, which is often encoded or encrypted to prevent detection. This initial configuration holds what the malware needs to connect to its Command and Control (C2) server and receive instructions on how to operate: the domain or IP address of the C2 server, as well as the connection IDs and keys that are used to establish a secure connection. 
Figure 5 shows the code of the decryption algorithm used by RedLine Stealer to decrypt its initial configuration data, which is a combination of Base64 decoding and XOR functions.\r\nFigure 5\r\nOnce the initial configuration data has been decrypted, it will constantly check its bind connection to its C2 server to download further command arguments or other configuration settings that will dictate what functionality will be enabled for its malicious client file.\r\nFigure 6 shows the code of RedLine that consistently checks the connection of its client malware to the C2 server. If the connection fails, it will break and throw an exception. If the C2 server is already down or offline during analysis, this piece of code can be considered an anti-sandbox technique because RedLine will not continue its execution.\r\nFigure 6\r\nAfter establishing a connection to its C2, it will fetch another set of configuration data from its C2 server that will fill the ScanningArg() class, which is a data structure of boolean variables that serve as switches for RedLine functionality.\r\nFigure 7 shows the snippet of the ScanningArg() class data members of RedLine, which accept either ON or OFF (True or False) values to enable the chosen RedLine settings or functions.\r\nFigure 7\r\nRedLine Capabilities\r\nRedLine Stealer has several features that will be executed depending on the configuration setting it downloaded from its C2 to steal information from the compromised or targeted host. 
Figure 8 is a screenshot showing several function capabilities of RedLine that we renamed during our analysis.\r\nFigure 8\r\nGather System Information\r\nAs stated earlier, RedLine Stealer has the ability to collect or extract various types of system information from a targeted or compromised computer. The information that this malware can retrieve may be sensitive and can potentially compromise the security and privacy of the affected system.\r\nTo provide a more detailed explanation, the table summary below shows each of the functions of the RedLine Stealer malware and describes the specific information that each function attempts to gather.\r\nScreen Capture\r\nBased on one of the RedLine samples we analyzed, we saw that it has a functionality to capture a screenshot of the targeted or compromised host as part of its data collection and exfiltration. In Figure 9, the function we’ve renamed func_ScanScreen() is the one responsible for this screen capture capability. RedLine uses the .NET Graphics class CopyFromScreen() function to transfer a bit block of color data from the screen to the Graphics drawing surface, which is saved in a memory stream for data exfiltration.\r\nFigure 9\r\nCracking Browser Password\r\nOne of the powerful capabilities of this Trojan Stealer is cracking browser sensitive information like passwords, cookies, autofill and credit card information saved within the browser application. Figure 10 shows a simple diagram of how RedLine Stealer was able to decrypt the passwords saved in the Chrome browser. It starts by locating and copying two specific files of the Chrome profile, namely “%userprofile%\\Appdata\\Local\\Google\\Chrome\\User data\\Local State” and “%userprofile%\\Appdata\\Local\\Google\\Chrome\\User data\\Default\\Login Data”, into the %temp% folder. 
Afterward it will read the copied “Local State” file to grab the encoded and encrypted master key used to decrypt the passwords stored in the “Login Data” database. The master key is encoded with Base64 and encrypted using the Windows CryptProtectData() API.\r\nOnce the master key is decrypted, it will parse the AES IV (Initialization Vector) and the encrypted password from the copied “Login Data” database file and decrypt it using the AES-GCM algorithm. The decrypted password will be sent to its C2 server as part of its data exfiltration.\r\nFigure 10\r\nLooking For Browser Extensions\r\nThis malware can also steal wallet files by scanning Chrome wallet browser extensions. Figure 11 shows the RedLine Stealer code and how it enumerates several known crypto wallet directories and looks for files related to cryptocurrencies by searching for files having the “wallet” substring in their file name.\r\nFigure 11\r\nThe table below shows some of the targeted Chrome browser extensions that RedLine Stealer tries to parse to look for crypto wallets. These extensions are popular among cryptocurrency users and are used to manage and store their cryptocurrency wallets' sensitive information.\r\nRedLine Stealer can also retrieve information related to the following:\r\n1. VPN (Nord, OpenVPN, ProtonVPN) profiles\r\n2. FileZilla credentials\r\n3. 
Discord, Telegram and Steam Token Information\r\nIOCs\r\nDetections\r\nThe Splunk Threat Research Team has curated relevant detections and tagged them to the RedLine Stealer Analytic Story to help security analysts detect adversaries leveraging the RedLine malware.\r\nFor this release, we used and considered the relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security Event ID 4663, Sysmon, or any Common Information Model compliant EDR technology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nWe maximized the usage of Windows Security EventCode 4663 for this analytic story. This event is logged whenever an attempt is made to access an object (such as a file, registry key or directory) on a Windows system. This EventCode can be helpful to monitor suspicious processes accessing critical files or folders like browser databases for credential dumping and data collection.\r\nAs an example, we used this event to develop the analytic “Windows Query Registry UnInstall Program List” that monitors suspicious processes accessing the “uninstall registry”. 
This registry key is abused by several malware families and APT groups to list all installed applications on the compromised or targeted host.\r\n`wineventlog_security` EventCode=4663\r\nobject_file_path=\"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\*\"\r\n | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name\r\nobject_file_path process_name process_path process_id EventCode dest\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 12\r\nAnother analytic, “Windows Credentials from Password Stores Chrome Login Data Access”, detects suspicious non-Chrome processes accessing the “Login Data” database file of Chrome. Figure 13 shows how this analytic detects the simulated behavior of RedLine Stealer, implemented as a Python script, in cracking browser sensitive information.\r\n`wineventlog_security` EventCode=4663\r\nobject_file_path=\"*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\"\r\n AND NOT (process_path IN (\"*:\\\\Windows\\\\explorer.exe\",\r\n\"*:\\\\Windows\\\\System32\\\\dllhost.exe\", \"*\\\\chrome.exe\"))\r\n | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name\r\nobject_file_path process_name process_path process_id EventCode dest\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 13\r\nOverall, the RedLine Stealer analytic story introduces 25 detections across MITRE ATT\u0026CK techniques.\r\nAutomated Playbooks\r\nAll of the detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. 
Additionally, the Automated Enrichment playbook pack would also work well with the output of any of these analytics.\r\nWhy Should You Care?\r\nThis blog enables security analysts, blue teamers and Splunk customers to identify RedLine Stealer malware by helping the community discover RedLine Stealer tactics, techniques and procedures that are being used by several threat actors and adversaries (APT). By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat.\r\nCyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to RedLine Stealer malware attacks.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html"
	],
	"report_names": [
		"do-not-cross-the-redline-stealer-detections-and-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434034,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2cfaa30bd024bcffefe03b3e3c8edb1a08bdee3.pdf",
		"text": "https://archive.orkl.eu/b2cfaa30bd024bcffefe03b3e3c8edb1a08bdee3.txt",
		"img": "https://archive.orkl.eu/b2cfaa30bd024bcffefe03b3e3c8edb1a08bdee3.jpg"
	}
}