{
	"id": "878e3d1d-5c7c-4c69-8466-aef17f8ebfb8",
	"created_at": "2026-04-06T00:08:14.373396Z",
	"updated_at": "2026-04-10T03:22:02.419822Z",
	"deleted_at": null,
	"sha1_hash": "c77421a20a8ec92cd902b93118c96ef4f7b58f45",
	"title": "Evolving Info-Stealers: RedLine, Raccoon \u0026 New Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2470553,
	"plain_text": "Evolving Info-Stealers: RedLine, Raccoon \u0026 New Threats\r\nPublished: 2022-07-13 · Archived: 2026-04-05 16:28:24 UTC\r\nThe Next Generation of Info Stealers\r\nBy KELA Cyber Team\r\nEdited by Ben Kapon\r\nPublished July 13, 2022\r\nIn recent years, information-stealing Trojans have become a very popular attack vector. This type of malware is used for harvesting saved information on machines, including usernames and passwords (“logs”), which are then sold on automated botnet marketplaces such as RussianMarket, TwoEasy, and Genesis, or privately. If purchased by threat actors, these credentials pose a significant risk to an organization, as they allow actors to access various resources, which may result in data exfiltration, lateral movement, and malware deployment, such as ransomware.\r\nSome of the most popular info-stealers advertised on cybercrime forums and identified on these marketplaces are RedLine, Raccoon, and Vidar. While some of these commodity stealers remain relevant, KELA observed that the threat landscape started to change under various conditions. The Russia-Ukraine war, the info-stealer operators’ need to improve malware capabilities, and their financial motivation resulted in new stealers and services becoming available.\r\nhttps://ke-la.com/information-stealers-a-new-landscape/\r\nPage 1 of 16\r\nThis report focuses on the currently active information stealers, highlighting the evolution of the old stealers, as well as the debut of new ones.\r\nDiversification of Stealers\r\nChanges in the threat landscape, as listed above, have led to a more evident diversification of stealers. While some of the well-known commodity information stealers continue to stay relevant for threat actors and be observed in malicious campaigns, other options, such as private stealers, have also become available. 
Commodity information stealers refer to malware and tools that are widely available for purchase on cybercrime forums and markets and are thus used by a wide range of threat actors. Private information stealers, on the other hand, refer to customized malware that is not made available to all threat actors, mostly to avoid being widely spread and losing the capability to remain undetected by security tools.\r\nIn this chapter, KELA highlights both the journey of commodity stealers, how they evolved and changed over time, and the newly advertised private stealers.\r\nThe Journey of Commodity Stealers\r\nRedLine Stealer\r\nRedLine has been advertised and sold on various cybercrime forums since early 2020. For instance, threat actor Glade aka REDGlade, potentially one of the RedLine developers, first announced the stealer in February 2020 on the WWH Club and BHF forums and the Telegram channel. The RedLine stealer is still being sold for USD150 per month or for USD800 for the “pro” unlimited version.\r\nThe information-stealing malware seems to maintain its popularity among threat actors, a fact confirmed by the number of infected machines listed on marketplaces. For instance, the TwoEasy marketplace currently has around 575,000 bots available for sale, of which over 55% are machines infected with RedLine. When compared with KELA’s analysis on December 21, 2021, this seems to be a continuing trend for the info-stealer.\r\nUser Glade introduces RedLine Stealer. Source: WWH Club\r\nAs more and more users are anxiously looking to acquire the RedLine software, complaints have been recorded regarding the delays in the support chat.\r\nUser complaining about delays. 
Source: WWH Club\r\nA common tactic observed among users is to try the “cracked” free versions for testing purposes, to avoid purchasing the software, though with less successful outcomes.\r\nSource: XSS\r\nUser claiming that the logs obtained with the “cracked” version are also sent to others. Source: BHF\r\nWhile RedLine still remains relevant, it is evident that the information stealer is not fulfilling the expectations of all users; therefore some of them choose to look for alternatives.\r\nDistribution of bots offered for sale in Russian Market in January 2022 – July 2022, by stealer, as collected by KELA’s systems\r\nRaccoon Stealer\r\nRaccoon stealer was among the recommendations for users willing to leave RedLine. The information stealer was offered for rent for USD200 per month for basic use plus USD50 for additional services. However, on March 25, 2022, the operators announced that, after three years of activity, they are suspending the project due to the loss of their developer during Russia’s invasion of Ukraine (“the special operation”). They stated that the project will return in an optimized form in a few months.\r\nSource: XSS\r\nSeveral users expressed their disappointment following Raccoon’s decision to suspend the operations, stating that they are looking forward to their return, while others started searching for other options.\r\nSource: WWH Club\r\nOn June 2, 2022, the actors behind Raccoon Stealer claimed they developed version 2.0 of their malware. On June 30, 2022, threat actors behind the Raccoon Stealer officially released its 2.0 version.\r\nMars Stealer\r\nAlthough threat actors may be loyal to their providers, the business must go on. 
KELA observed the MarsTeam – developers of the Mars stealer – claiming on the XSS forum that many Raccoon users switched to the Mars stealer, even prior to Raccoon suspending their operations. The Mars stealer, first advertised on June 21, 2021, is being offered for USD140 per month or USD800 as a lifetime subscription.\r\nAuto-translated from Russian. Source: XSS\r\nBased on the above screenshot, the Mars stealer seemed to be a promising stealer to replace Raccoon; however, at the beginning of April 2022, KELA observed several complaints from users on XSS who stated that the Mars operators were not responsive. On April 16, threat actor JohnCrystall opened a dispute, claiming that, upon making a purchase, MarsTeam failed to provide the requested tools. Following these allegations, on April 17, the forum’s administrator banned the MarsTeam account and marked them as “scammers”.\r\nAs of now, there is no recent activity from MarsTeam, and some users suggested that the operations may have been affected by the invasion in Ukraine; however, the reason remains unclear.\r\nTranslation from Russian: The “scam” status is set. If the defendant appears and settles the claim, we will consider the possibility of removing the status. This is not the first complaint, people have already written to me, complained. Source: XSS\r\nVidar Stealer\r\nVidar was first introduced in November 2018 and remains one of the most popular and used information stealers. The operators maintain a support Telegram channel @Vidar_supwwh where they sell the software for USD1500 and offer additional installation services. 
KELA also identified Vidar in recent bots on RussianMarket and TwoEasy.\r\nOn April 25, 2022, KELA observed several actors on the Exploit forum complaining about the stealer’s capabilities.\r\nMoreover, on April 26 and 27, 2022, users stated that the Vidar Telegram support team is not responsive. This seems to be a pattern in some of the commodity stealer services, and it is yet to be determined if Vidar stealer will continue to be a primary choice for threat actors.\r\nSource: Exploit\r\nBlackGuard Stealer\r\nAs cybercriminals are constantly testing the capabilities of such malicious tools, they do not shy away from demanding more quality and improvements. One example in this regard is the BlackGuard stealer, launched in early 2021. KELA came across several recent discussions in which users were complaining about BlackGuard not being able to properly avoid detection. As in any business, the operators promised to provide an updated version in no time.\r\nTranslation from Russian: Guys, the cleaning is almost finished in the coming days, most likely after the weekend I will write to everyone and start issuing the already cleaned builds. (…) Added more reliable obfuscation of the main link to the panel and the link that is responsible for transferring information to the panel, both are obfuscated with different keys. Source: XSS\r\nPrivate Stealers\r\nThe previous chapter showed that some of the well-known commodity stealer operators, although present in the cybercrime ecosystem for a long time, may encounter difficulties in the way they conduct business, which leaves their customers unsatisfied. 
As the threat landscape is constantly changing, other threat actors may find new financial opportunities in developing “private stealers”, either by using the source code of commodity stealers or by creating brand-new ones. KELA has observed several such stealers being advertised on cybercrime forums, and researchers also confirmed them being actively used in the wild.\r\nOn March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements:\r\n1) Removed unnecessary functionality from the panel\r\n2) Added setting for collecting extensions from the browser\r\n3) Added the Reset default settings button, which allows you to return the default settings of the panel if you suddenly need it\r\n4) Cleaned stub\r\n5) Changed the color scheme of the panel\r\n6) Removed AntiCNG\r\n7) Added the ability to view the private key for the generator (needed for auto-build in your bots for the team), to view it, you must re-enter the password from the panel (2FA, not to steal the key)\r\n8) The weight of the build is reduced to 88KB, thanks to the new stub\r\n9) Cleaned build runtime\r\nUser _META_ announcing the META stealer\r\nKELA also identified the stealer in several bots sold on the TwoEasy botnet marketplace and can confirm its similarities with Redline based on the folder structure. As of now, there are around 1200 bots containing the META strain available for sale on the TwoEasy market.\r\nBot sample infected with Meta stealer malware. Source: KELA\r\nResearchers confirmed that several samples of a specific Excel file containing the Meta stealer have been submitted to VirusTotal. 
Based on the findings, the malicious files are distributed via phishing emails.\r\nArkei Stealer\r\nIn February 2022, researchers observed new variants of the Arkei malware – an information stealer focused on collecting, among other things, 2FA or MFA data from its victims. Arkei has also been previously seen in the wild and advertised on cybercrime forums, and it has now improved its malware capabilities. The malware only targets Windows machines, and its initial attack vector may vary; however, it has been recently seen deployed from phishing websites offering malicious software masquerading as legitimate applications and programs.\r\nArkei was observed being deployed by SmokeLoader aka Dofoil – a malware downloader initially observed in 2011 and used to deliver other malware via email attachments in phishing campaigns. Later, the malware was seen delivering information stealers including Raccoon and RedLine. Since the beginning of 2022, KELA has observed several actors on cybercrime forums interested in purchasing SmokeLoader.\r\nThreat actor willing to purchase SmokeLoader.\r\nGinzo Stealer\r\nThe Ginzo Stealer (also referred to as ZingoStealer) was announced on March 4, 2022, by the Russian-speaking threat actor “HaskersGang” on their Telegram channel. The malware can exfiltrate credentials, steal cryptocurrency wallet information, and perform crypto mining. According to researchers, the ZingoStealer is currently being distributed under the guise of game cheats, cracks, and code generators. In several cases, ZingoStealer also delivers additional malware such as the RedLine Stealer. 
On April 13, 2022, HaskersGang announced on their Telegram channel that an updated version of the bot has been released and that they are transferring the ownership to user CryptoGinzo, as the previous “owner” – part of the HaskersGang – is no longer involved in the operation.\r\nTranslation from Russian: We are pleased to present to you our free product that can freely compete with other projects – @ginzostealer_bot (…). Source: Telegram\r\nTranslation from Russian: Attention! We have updated our bot! You need to enter /start again to update the bot. A little about recent events: the stealer is now owned by @CryptoGinzo, the previous owner is no longer involved in the stealer. At the moment, the project is in good hands, I declare this with confidence – Keepye. Source: Telegram.\r\nEternity Stealer\r\nEternity Stealer was announced by EternityTeam on the XSS forum on March 26, 2022. The stealer is able to gather passwords, cookies, tokens, history, bookmarks, credit card and crypto-wallet information from the infected machines. It works on a variety of browsers, password managers, VPN and FTP clients, email clients and messengers, and gaming software.\r\nUsers can create and customize the stealer through a web builder with options such as preventing a second start on the same computer (AntiRepeat), enabling AntiVM, self-destruction upon execution, preventing execution in CIS countries, as well as selecting the preferred output file execution. The builder price is USD300 for a lifetime subscription and USD320 with crypt included.\r\n7.62mm Private Stealer\r\nOn April 25, 2022, KELA observed threat actor Shamel advertising a new private stealer – 7.62mm – on the XSS forum. 
The actor stated that they will sell only two copies to prevent mass usage and wide antivirus detection. Based on the post, the 7.62mm stealer is, as of this date, undetectable, and can target crypto wallets such as Ethereum, Exodus, Bitcoin Core, Armory, wallet browser extensions including Binance, Coinbase, Phantom, browsers such as Chrome, Mozilla, Opera, Edge, Waterfox, as well as sessions of client applications including Telegram, Steam, Minecraft, FileZilla.\r\nThe stealer is sold in two formats – DLL or EXE – and the actor also provides a search engine for the “logs” obtained. The price for unlimited use is USD500.\r\nThreat actor Shamel advertising the 7.62mm private stealer. Source: XSS\r\nInno Stealer\r\nOn April 18, 2022, researchers revealed that cybercriminals are using a malicious website offering fake Windows 11 upgrades. Users are lured into downloading an ISO file that contains the executable for the new Inno information-stealing malware. The stealer’s capabilities include collecting web browser cookies and stored credentials, data in cryptocurrency wallets, and data from the filesystem. Researchers stated that although this is the typical activity for stealers, Inno does not have any code similarities to other known information-stealers. This is an advantage of such private stealers: only a limited number of users deploy the malware, which reduces the chances of detection.\r\nInfo-stealers’ “affiliate programs”\r\nTo ensure good business development and to facilitate the use of their products, information-stealer operators started to offer additional tools and services. 
KELA also observed threat actors looking for users to help test their products prior to their release, to speed up the development process.\r\nParticularly interesting are info-stealers’ “affiliate programs”: KELA observed various groups advertising new so-called “traffer kits/sets” – an operational structure where interested users (“traffers” – related to the word traffic, potentially referring to actors who have the means to infect multiple targets) are provided with the necessary tools, including the information stealer build, channels to exfiltrate the data, software to exploit the obtained logs, and technical support, in exchange for various deals. For instance, some would require affiliates to pay a fee in exchange for access to the kit and full ownership of the obtained logs, while others would request a percentage of the logs.\r\nTigersTeam\r\nOn April 1, 2022, TigersTeam introduced its information-stealer services: “The best stealer on the market – RedLine; free promotion for active “traffers”; automatic issuance of crypto build; echo channel (logs coming in); excellent and helpful colleagues; all logs are yours! We work out only the crypt – 80% to you!”\r\nOn April 14, upon being banned from the BHF forum, TigersTeam offered to sell their team of “traffers” for USD300. The deal would include all related channels, RedLine stealer + “dedik” (dedicated server), the bot script, and over 200 people in the team.\r\nSource: BHF\r\nAurora Project\r\nOn April 18, 2022, KELA observed actor cheshire666 on the WWH Club forum who introduced themselves as a coder for the “Aurora project” looking for 3-5 people to beta test their product before the final release. 
The actor promised that those who will take an active part in finding bugs or improving the project will be awarded a free subscription for a month.\r\nThe product would consist of:\r\n1) Builder (with the possibility of polymorphic compilation and compression)\r\n2) Stealer\r\n3) Clipper BTC, ETH, LTC\r\n4) The botnet is located on a shared dedicated server and has spare servers for migration\r\n5) If the server is unavailable, the bots will automatically start searching for a new server\r\n6) 2FA via Telegram\r\nActor cheshire666 looking for testers for the “Aurora project”. Source: WWH Club\r\nScreenshot of the product provided by cheshire666. Source: WWH Club\r\nOther similar new “affiliate programs” identified by KELA are the Trix Team and Amethyst Family. They provide access to stealers (Meta and RedLine, respectively) and related tools, auto-issuance of logs, manuals, mentorship, and bonuses.\r\nTrix Team announcement. Source: Lolz.guru market\r\nAmethyst Family announcement. Source: Lolz.guru market\r\nSource: https://ke-la.com/information-stealers-a-new-landscape/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/information-stealers-a-new-landscape/"
	],
	"report_names": [
		"information-stealers-a-new-landscape"
	],
	"threat_actors": [],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c77421a20a8ec92cd902b93118c96ef4f7b58f45.pdf",
		"text": "https://archive.orkl.eu/c77421a20a8ec92cd902b93118c96ef4f7b58f45.txt",
		"img": "https://archive.orkl.eu/c77421a20a8ec92cd902b93118c96ef4f7b58f45.jpg"
	}
}