{
	"id": "cd931cdf-a8f7-4fa7-87b1-88a01aed26e6",
	"created_at": "2026-04-06T00:10:04.138805Z",
	"updated_at": "2026-04-10T03:20:36.468683Z",
	"deleted_at": null,
	"sha1_hash": "f0d68bbcd943a1473520b5ce831189cd68c2a5d3",
	"title": "Distribution of Redline Stealer Disguised as Software Crack - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1507745,
	"plain_text": "Distribution of Redline Stealer Disguised as Software Crack - ASEC\r\nBy ATCP\r\nPublished: 2022-12-28 · Archived: 2026-04-05 13:14:03 UTC\r\nIn a previous blog post, the AhnLab ASEC analysis team described malware that users find by searching for keywords such as cracks and serials for commercial software, and urged caution.\r\nWhile investigating a recent breach of a company's internal network, the team discovered that the company had been infected with Redline Stealer disguised as a crack for commercial software, and that the credentials for its VPN website had been leaked.\r\nThe affected company provided a VPN service so that employees working from home could reach the internal network, and employees connected to the VPN from company-issued laptops or from their own PCs. The targeted employee used the web browser's built-in password manager to save the account name and password for the VPN website. The PC was then infected with credential-stealing malware, which leaked the accounts and passwords saved for various websites, including the company's VPN account.\r\nThe system from which the credentials were leaked was the employee's personal PC, which family members also used for other purposes. One of the family members searched for SoundShifter, a pitch-shifting program from Waves, together with the keywords free and crack. The user then downloaded the file waves_60e87ffe7200b.zip, which contained a malicious file, executed it, and the system was infected.\r\nFigure 1. Infection process of the malicious file\r\nThe team found the search queries \"waves soundshifter free\" and \"waves soundshifter crack\" in the web browser's history.\r\nFigure 2. Traces of searching for illegal software in the web browser\r\nSearching for these keywords on Google returns various download websites in the results.\r\nFigure 3. Google search results for \"waves soundshifter crack\"\r\nIt appears that the user visited several of the pages shown in the search results.\r\nFigure 4. Browsing history of websites shown in the Google search results\r\nThere was also a trace of a file download. As the route by which the user reached the download page could not be confirmed, it appears that the user manually opened a malicious page listed in the search results; however, the current search results do not show whether this is still possible.\r\nFigure 5. Trace of downloading illegal software\r\nThe downloaded file is a compressed archive containing a password-protected (encrypted) archive and a TXT file holding the password for decompression. Attackers use this layout to bypass the anti-malware scan that runs when a file is downloaded: the scanner can list the encrypted archive's contents but cannot inspect the payload without the password.\r\nFigure 6. Internal structure of the downloaded archive (waves_60e87ffe7200b.zip)\r\nSince the user downloaded the file intending to install the software, they would have read and followed the instructions in the TXT file, decompressing the encrypted archive and executing the malicious file disguised as an installer. The decompressed installer bundles multiple malicious files; when it is run, it drops Danabot, Redline Stealer, and Vidar onto the system. Analysis of the malicious files found on the system and of related artifacts such as file paths and file names showed that other nearly identical files were distributed during the same period.\r\nThose cases likewise involved malicious files disguised as installers for illegal software such as cracks or keygens, distributed by being uploaded to file-sharing websites.
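The nested-archive layout described above (an outer archive holding a password-protected inner archive next to a TXT file with the password), rebuilt as an added example. This is the editor's code, not AhnLab's and not taken from the sample; the inner member name, the password text and the payload bytes are all constructed. Python's zipfile module cannot write encrypted archives, so the encryption flag is patched into the inner archive's headers by hand; that is enough to show the point the post makes: a scanner that hooks the download can list the inner archive but cannot read its members without the password sitting in the TXT file.

```python
# Added example (editor's code, not from the ASEC post): rebuild the layout of
# waves_60e87ffe7200b.zip described above, an outer archive holding a
# password-protected inner archive plus a TXT with the password, and show what
# a download-time scanner can and cannot see. Member names, password text and
# payload bytes are constructed; only the idea of the layout comes from the post.
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag: traditional ZipCrypto

LOCAL_HEADER_SIG = 0x04034b50
CENTRAL_DIR_SIG = 0x02014b50
EOCD_SIG = 0x06054b50


def mark_encrypted(zip_bytes):
    '''Set the encryption flag on a single-member zip written by zipfile.

    zipfile cannot write encrypted archives, so the bit is patched into the
    local file header and the central directory entry. The member data stays
    as it was; for the demonstration it only matters that parsers treat the
    member as encrypted, which is what makes a scanner refuse to read it.
    '''
    buf = bytearray(zip_bytes)
    if struct.unpack_from('<I', buf, 0)[0] != LOCAL_HEADER_SIG:
        raise ValueError('not a zip local file header')
    # local header: signature(4) version(2) flags(2) -> flags at offset 6
    flags = struct.unpack_from('<H', buf, 6)[0]
    struct.pack_into('<H', buf, 6, flags | ENCRYPTED_FLAG)
    # end-of-central-directory record is the last 22 bytes when there is no comment
    eocd = struct.unpack_from('<IHHHHIIH', buf, len(buf) - 22)
    if eocd[0] != EOCD_SIG:
        raise ValueError('end of central directory record not found')
    cd_offset = eocd[6]
    # central directory header: signature(4) made_by(2) needed(2) flags(2) -> flags at +8
    if struct.unpack_from('<I', buf, cd_offset)[0] != CENTRAL_DIR_SIG:
        raise ValueError('central directory header not found')
    flags = struct.unpack_from('<H', buf, cd_offset + 8)[0]
    struct.pack_into('<H', buf, cd_offset + 8, flags | ENCRYPTED_FLAG)
    return bytes(buf)


def build_sample():
    '''Constructed stand-in for the downloaded archive: an inner archive whose
    member is flagged encrypted, next to a TXT telling the victim the password.'''
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w', zipfile.ZIP_STORED) as z:
        z.writestr('Setup.exe', b'MZ placeholder bytes, not a real installer')
    inner_bytes = mark_encrypted(inner.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w', zipfile.ZIP_STORED) as z:
        z.writestr('waves_setup.zip', inner_bytes)
        z.writestr('Password.txt', 'Password: 1234 (constructed for this example)')
    return outer.getvalue()


def triage_archive(outer_bytes):
    '''Walk one level of nesting and report what a scanner can see.

    A real gateway would recurse over more formats; the point shown here is
    that the encrypted member is listed but not readable, while the password
    sits in plaintext next to it, which is the pattern worth flagging.
    '''
    report = {'members': [], 'nested_encrypted': [], 'password_hint_files': [], 'opaque': False}
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as outer:
        for info in outer.infolist():
            report['members'].append(info.filename)
            name = info.filename.lower()
            if name.endswith('.txt'):
                text = outer.read(info).decode('utf-8', 'replace')
                if 'password' in text.lower():
                    report['password_hint_files'].append(info.filename)
            elif name.endswith('.zip'):
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                    for member in inner.infolist():
                        if not member.flag_bits & ENCRYPTED_FLAG:
                            continue
                        report['nested_encrypted'].append(info.filename + '/' + member.filename)
                        try:
                            inner.read(member)  # no password supplied, as a scanner would be
                        except RuntimeError:
                            report['opaque'] = True  # payload cannot be inspected
    return report


def is_suspicious(report):
    '''Gateway policy used in this example: an encrypted nested archive plus a
    plaintext password hint in the same download is treated as malicious.'''
    return bool(report['nested_encrypted']) and bool(report['password_hint_files'])


if __name__ == '__main__':
    result = triage_archive(build_sample())
    for key, value in result.items():
        print(key, value)
    print('suspicious:', is_suspicious(result))
```

Run stand-alone, the script lists both outer members, reports the inner Setup.exe as encrypted and unreadable, and flags the download because the password hint and the encrypted payload travel together. The same check belongs at a mail gateway or proxy, where the combination of an archive that a scanner cannot open and a text file that tells the recipient how to open it is a stronger signal than either part alone.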
Among the similar malicious files we found, the analysis results and many behaviors (folder path of the malicious file created on the personal PC, folder name, naming rules of the malicious file, file creation order, etc.) of a file distributed through the keygen-sharing website topkeygen.com in June 2021 match those of the file discussed in this post. The following figure shows the similarity in the location where the file is created.\r\nFigure 7. Similarity in file creation location between the malicious file on the breached personal PC and the malicious file distributed via topkeygen\r\nAfter the malicious file was executed, the breached personal PC showed traces of suspicious files being run, such as cio.exe.com, orrore.exe.com, and certe.exe.com. These could not be recovered because they were deleted after running. Since the traces found on the system resemble those of systems infected with Redline Stealer, the malicious files appear to all belong to the same family.\r\nTraces of a possible Redline Stealer infection confirmed on the system:\r\nUse of findstr.exe\r\nUse of a 7-Zip SFX self-extracting archive (path: %Temp%\\7ZipSfx.000\\)\r\nName of the malicious file (cio.exe.com)\r\nUse of double file extensions (.exe.com)\r\nScanning and collecting web browser credentials (Chrome and Edge Login Data, Cookies, and Web Data)\r\nAs for the scanning of web browser credentials, the Microsoft Windows Defender log file MPLog recorded Orrore.exe.com reading the browser's Login Data file, which stores the saved account names and passwords, on July 10th.\r\nFigure 8. Trace of Orrore.exe.com accessing Login Data (MPLog-20210710-015710.log)\r\nThe credentials saved in the browser were leaked by Redline Stealer, and the list of leaked accounts included the company's VPN website together with its account name and password.\r\nFigure 9. VPN website, account name, and password saved in Login Data\r\nThe leaked account was used to breach the company's internal network several months later.\r\nFQDN\r\ncerte[.]exe[.]com\r\ncio[.]exe[.]com\r\norrore[.]exe[.]com\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/30445/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/30445/"
	],
	"report_names": [
		"30445"
	],
	"threat_actors": [],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0d68bbcd943a1473520b5ce831189cd68c2a5d3.pdf",
		"text": "https://archive.orkl.eu/f0d68bbcd943a1473520b5ce831189cd68c2a5d3.txt",
		"img": "https://archive.orkl.eu/f0d68bbcd943a1473520b5ce831189cd68c2a5d3.jpg"
	}
}