{
	"id": "e8ae0007-d8a2-479d-8118-3a144a5900fb",
	"created_at": "2026-04-06T00:15:25.354589Z",
	"updated_at": "2026-04-10T03:20:29.501963Z",
	"deleted_at": null,
	"sha1_hash": "e88a28dff228d22f9f38e7e4821124d0d4c886c0",
	"title": "Advice For Catching a RedLine Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1532865,
	"plain_text": "Advice For Catching a RedLine Stealer\r\nBy John F\r\nPublished: 2023-10-23 · Archived: 2026-04-05 15:25:38 UTC\r\nRedLine Stealer is an infamous malware strain that provides cyber-criminals with a reliable payload for stealing sensitive information from an infected computer. Both MalwareBazaar statistics and ANY.RUN trends consistently track RedLine as the most common payload on their platforms. RedLine Stealer is classified by malware taxonomy as an “information stealer” (infostealer). Like many infostealers, RedLine is leveraged by cyber-criminals for reconnaissance and initial access. The information that RedLine steals includes:\r\n - browser autofill details (login credentials, payment card information, contact information, etc.)\r\n - session cookies\r\n - cryptocurrency keys\r\n - certain files (dependent on configuration)\r\n - system details of the infected computer\r\nRedLine Stealer is maintained by professional malware developers who sell access to the infostealer on Malware-as-a-Service (MaaS) markets. The purchasing ‘clients’ specialize in infecting victims with RedLine and profiting from that stolen information. RedLine has grown in popularity among cyber-criminals — becoming responsible for a large number of account compromises and resulting damages. A well-known account compromise, attributed to a RedLine Stealer infection, was the 2023 “hack” of Linus Tech Tips — a technology communications YouTube channel with 15+ million subscribers. In the modern (October 2023) threat landscape, many network defenders consider RedLine Stealer infamous due to the malware’s prevalence and stealing capabilities.\r\nhttps://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193\r\nPage 1 of 9\n\nTable of Contents\r\n1. War Story\r\n2. Data Exfiltration Protocol\r\n3. Command-and-Control Meta-Analysis\r\n4. Catching the RedLine\r\n5. Footnotes\r\n6. Links\r\nWar Story — Late Night Data Exfil… over cleartext?\r\nIt was around 11 p.m. and I felt worn out as I was nearing the end of my night shift. After I finished addressing a few minor alerts, I figured I’d reward myself by running a brief series of threat hunting queries for malware (yes, this is what SOC analysts do for fun). Sifting through the results of communications to suspicious servers, I noticed that one of the connections had an interesting pattern… the timings and amounts of data¹ almost looked like some amount of data exfiltration to this already untrustworthy IP address.\r\nLess groggy (and admittedly excited about a potential incident), I downloaded a full PCAP of the connection and ran some searches on the external IP address. Viewing the TCP stream in Wireshark, I was thrilled to see that the protocol was in cleartext. “Oh wicked!” I initially thought as I could now easily read the network traffic with my own eyes. “Wait... are those file locations… and usernames… and oh $#|7 it’s got passwords too!”\r\nI immediately alerted the client and we began taking steps toward remediation (scrambling accounts, isolating the host, blocking the C2’s IP, etc.). We were able to prioritize accounts to be locked down, as the cleartext in the PCAP conveniently acted as a log of compromised credentials. My threat hunting and searches for suspicious servers that night were essential for detecting the initial stages of this attack so that we could respond long before it became a larger incident.\r\nAs part of our follow-up investigation, I checked the reputation of the IP to see what community threat intelligence said: RedLine. “Wait. As in that infamous RedLine Stealer?” I thought. “Sure, this is definitely some infostealer — but RedLine has got to be more advanced than some cleartext data exfil... right?”\r\nData Exfiltration Protocol\r\nDuring its detonation, a RedLine Stealer payload will initiate communications with a hard-coded C2 (command-and-control) server. RedLine’s C2 channels leverage direct TCP sockets² and communicate over a custom cleartext protocol. After a payload authenticates with its C2 and receives an updated configuration (if applicable), it will gather sensitive data from the infected computer and exfiltrate the stolen information to its C2. The custom C2 protocol RedLine implements has every individual communication follow a strict format of:\r\n1. initiating the connection\r\n2. stating the call’s classification\r\n3. providing a 32-character authorization key\r\n4. and sending information\r\nAll communications over RedLine’s protocol originate with a ‘call’ from the infected computer, which is followed by a corresponding ‘response’ from the C2 server. The protocol classifies these call-and-response pairs with specific ‘Id numbers’ that range from “Id1” to “Id24”. Most of the Id numbers classify the sending of data — though some are used to request information from the C2 server (and a few… well I confess, I have not been able to confirm what they are used for — that’s a point of future research).\r\n“Id6” classifies stolen information regarding installed anti-virus/EDR (referred to as “defenders” by RedLine)\r\nThe string “http://tempuri.org/” appears just prior to an entity’s classification. tempuri.org is not an IOC but is actually a leftover artifact of improperly implemented ASP.Net web services. We can leverage a combination of such leftover strings — along with control characters, Id classifications, and the format of stolen data — to write Snort/Suricata signatures that will detect RedLine Stealer data exfiltration.\r\nFormatted Suricata rules in Footnote #3 and at TLP-CLEAR_RedLine-data-exfil-protocol.rules on GitHub.\r\nCommand-and-Control Meta-Analysis\r\nData for meta-analysis of C2 infrastructure sourced from:\r\n - abuse.ch’s threat intelligence community platform ThreatFox\r\n - C2 servers uncovered by SarlackLab automation\r\nDomain Name Infrastructure:\r\nMany of the RedLine Stealer payloads I’ve investigated leverage DNS resolution of hard-coded domain names in order to identify and connect to their C2 servers. Approximately 2/3rds of the domain names are registered under the top-level domains *.xyz and *.top. There are no significant patterns among the RedLine Stealer second-level domains under .xyz and .top. The subdomains are mainly just high-entropy domain names (pseudo-random characters or words meshed together in a nonsensical manner). Similar to the C2 patterns of many commodity RATs, the cyber-criminals who deploy RedLine Stealer also leverage Dynamic DNS (DDNS) services⁴ such as *.duckdns[.]org and *.ddns[.]org (see NanoCore Hunting Guide).\r\nDomain forest showing patterns among RedLine Stealer C2 domains.\r\nThe second-level domains makelogs[.]org and tuktuk[.]ug appear to be part of some temporary campaign and/or leveraged hosting infrastructure. As noted in a Tweet from September 6th, a threat actor had been registering similar subdomains under tuktuk[.]ug every day in early September. You can investigate many curious patterns among C2 infrastructure by checking out the maps in SarlackLab's logs.\r\nIP Address Hosting:\r\nBased on the payloads I’ve investigated, however, approximately 4/5ths of RedLine payloads do not leverage DNS to connect to their C2 server. Instead of querying their C2’s domain, the majority of payloads just have hard-coded IP addresses⁴ which they connect to directly. Many of the IP addresses used by RedLine C2 servers are hosted on a variety of amorphous bulletproof hosting providers and/or compromised infrastructure. Patterns among the hosting infrastructure and ASN ranges for these IPs are rather sparse. Overall, the leveraged IPv4 infrastructure appears relatively similar to other commodity malware⁵.\r\nThe majority of RedLine Stealer payloads have the IP address of their C2 server hard-coded. The IP itself is stored inside Base64 encoding after being XORed with a hard-coded key.\r\nCatching the RedLine\r\nCybercriminals commonly leverage infostealers for the reconnaissance and initial access stages of their attacks — collecting target information and stealing authentication secrets. RedLine Stealer, in particular, is a prevalent threat in the year 2023. I was able to stop the attack that night in its initial stages because I caught RedLine’s data exfiltration and could initiate timely incident response⁶.\r\nProtect: DNS sinkholes can be leveraged to redirect domain name resolution to a benign server (see previous post). I recommend sinkholing subdomains of *.xyz, *.top, *.duckdns.org, *.ddns.net, and related meta-IOCs (assuming connections to those domains are not required in your environment). Sinkholing DNS requests for commonly abused domain infrastructure will proactively block connection attempts to many C2 servers of RedLine Stealer and related commodity malware (as well as some intrusive advertisements). Lists of specific IP addresses, such as the CSV data dumps on ThreatFox, can also be implemented to detect and block RedLine C2 connections. IP lists are of course limited as they require prior knowledge and constant updating. Additionally, infostealer C2 servers are often short-lived. Most RedLine IP addresses are only active for a day or two after public discovery by malware researchers.\r\nC2 Hotspots\r\nI spend much of my research focused on tracking patterns among the hosting infrastructure of C2 servers. The SarlackLab server posts daily updates of patterns to Twitter and my website. I will be writing a future blog post on these patterns (which I refer to as \"C2 hotspots\") - but in the meantime, you can find some of the tooling in my IOC-Cartographer project on GitHub.\r\nDetect: It is important to layer defenses with detection capabilities so that response can be initiated when an attack bypasses existing protections. In addition to network protections, domain name patterns and IP lists can also be leveraged by network metadata and SIEM solutions to alert on potential RedLine communications to known servers. Network signatures can directly detect RedLine’s C2 communications by exploiting patterns in the infostealer’s custom protocol. I have written several Suricata signatures to detect RedLine Stealer and I am sharing a few TLP:CLEAR signatures regarding data exfiltration on GitHub.\r\nBecause RedLine Stealer is actively maintained and updated by MaaS cybercrime developers, I did skimp on certain details and defensive techniques in this blog post. Please message me on Twitter if you have further questions on RedLine or would like access to some TLP:AMBER signatures. In the meantime, I hope the above advice helps you catch RedLine and related infostealers that threaten your environment… or at least that you have more luck than me and that Red Line train I just missed.\r\nSorry. As a Bostonian, I needed to include some reference to our local subway. And yes, I did miss the pictured Red Line train while writing part of this blog’s conclusion.\r\nFootnotes\r\n[1] Security researchers and data scientists at Vectra AI classify such patterns among network metadata as C2 beaconing. Essentially, an apparent client and server have a role reversal where the “client” on an infected host begins behaving like a server — receiving requests from the C2 and returning data.\r\n[2] I have heard rumors of RedLine proxying and encrypting its communications via Telegram bots — however none of the malware samples nor sandbox reports I investigated uncovered any such capabilities. I suspect that there may be some confusion with other information stealers or perhaps RedLine’s Telegram marketplace. Regardless, there are many command-and-control channels which do leverage Telegram (see LOTS Project) and I recommend closely investigating all apparent beacon communications with subdomains of telegram[.]org.\r\n[3] TLP:CLEAR Suricata signatures matching RedLine Stealer’s protocol for data exfiltration\r\nalert tcp any any -\u003e any any (msg:\"Id7.languages\"; flags:PA; content:\"|06|\"; startswith; content:\"|01\r\nalert tcp any any -\u003e any any (msg:\"Id9.processes\"; flags:PA; content:\"|06|\"; startswith; content:\"|1d\r\nalert tcp any any -\u003e any any (msg:\"Id13.installedBrowsers\"; flags:PA; content:\"|06|\"; startswith; con\r\n[4] Cybercriminals deploying RATs will commonly leverage domain names and Dynamic DNS services at a much higher rate than those deploying infostealers. The infection of a Remote Access Trojan is expected to last longer than an infostealer due to the goals of the attack (i.e. exploiting remote access to a victim’s computer vs. quickly stealing specific information). My hypothesis is that RAT maintainers commonly leverage DDNS services in an attempt to make their C2 infrastructure resistant to take-downs — as the domain names can be rapidly shifted to new servers. In contrast, those who deploy infostealers are less concerned with long-lasting C2s and therefore will use normal DNS services or simply direct IP addresses. The idea is interesting to note for those of us who hunt C2 servers and is a point of future research.\r\n[5] IPv4 comparison\r\nIPv4 heatmaps comparing the similarity of RedLine Stealer C2 servers to ALL C2 servers tracked by SarlackLab.\r\n[6] Thankfully, the IR and remediation efforts were not severe. I’d almost hesitate to call it an “incident” as there was no lost sleep and no systems encrypted — but technically it counts… I wish that all the IR engagements I got called for were as limited in destruction as this had been (though I imagine the attack would have progressed into something worse had it not been stopped).\r\nLinks\r\nRedLine Stealer IOCs:\r\nThreatFox — https://threatfox.abuse.ch/browse/malware/win.redline_stealer/\r\nSarlackLab — https://github.com/Abjuri5t/SarlackLab/blob/main/IOCs.csv\r\n(and of course *.xyz, *.top, *.duckdns.org, and *.ddns.net as well as other meta-IOCs)\r\nSee Also\r\nFirst public research on RedLine Stealer (early 2020) — https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign\r\nHow RedLine compromises web browser storage vault — https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html\r\nRedLine Stealer MaaS documentation — https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/\r\nReferences\r\nMalware prevalence trends — https://bazaar.abuse.ch/statistics/, https://any.run/malware-trends/, https://any.run/malware-trends/redline\r\n2023 hack of Linus Tech Tips YouTube channel — https://www.youtube.com/watch?v=yGXaAWbzl5A, https://www.youtube.com/watch?v=nYdS3FIu3rI\r\ntempuri.org documentation — https://web.archive.org/web/20110925225801/http://tempuri.org/\r\nNanoCore RAT research and DNS sinkholing — https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0#35dd\r\nVectra AI documentation of C2 beacons — https://www.vectra.ai/about/ai-security/using-ai-to-detect-c2-channels\r\nLiving Off Trusted Sites documentation of api[.]telegram[.]org abuse — https://lots-project.com/site/6170692e74656c656772616d2e6f7267\r\nSource: https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193"
	],
	"report_names": [
		"advice-for-catching-a-redline-stealer-dca126867193"
	],
	"threat_actors": [],
	"ts_created_at": 1775434525,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e88a28dff228d22f9f38e7e4821124d0d4c886c0.pdf",
		"text": "https://archive.orkl.eu/e88a28dff228d22f9f38e7e4821124d0d4c886c0.txt",
		"img": "https://archive.orkl.eu/e88a28dff228d22f9f38e7e4821124d0d4c886c0.jpg"
	}
}