S1240 RedLine Stealer
RedLine Stealer is an information-stealer malware variant first identified in 2020.134 RedLine Stealer is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service.15 Information obtained from RedLine Stealer has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.25
| Item | Value |
|---|---|
| ID | S1240 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 September 2025 |
| Last Modified | 24 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | RedLine Stealer has collected account information from the victim’s machine.34 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RedLine Stealer has utilized HTTP for C2 communications.6 RedLine Stealer has also conducted C2 communications to hardcoded C2 servers over HTTPS.14 RedLine Stealer has leveraged SOAP protocol for C2 communications.3 |
| enterprise | T1217 | Browser Information Discovery | RedLine Stealer can collect information from browsers and browser extensions.4 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | RedLine Stealer has executed windows cmd using ErrorHandler.cmd to create scheduled tasks.6 |
| enterprise | T1059.011 | Lua | RedLine Stealer malware has leveraged Lua bytecode to perform malicious behavior.6 |
| enterprise | T1555 | Credentials from Password Stores | RedLine Stealer has obtained credentials from VPN services, FTP clients and Instant Messenger (IM)/Chat clients.234 |
| enterprise | T1555.003 | Credentials from Web Browsers | RedLine Stealer was designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data.1 RedLine Stealer can also gather credentials from several browsers.234 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | RedLine Stealer has used Base64 to encode command and control traffic.6 |
| enterprise | T1005 | Data from Local System | RedLine Stealer has collected data stored locally including chat logs and files associated with chat services such as Steam, Discord, and Telegram.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | RedLine Stealer has decoded its payload prior to execution.4 |
| enterprise | T1480 | Execution Guardrails | RedLine Stealer has built in settings to not operate based on geolocation or country of the victim host.13 |
| enterprise | T1041 | Exfiltration Over C2 Channel | RedLine Stealer has sent victim data to its C2 server or RedLine panel server.3 |
| enterprise | T1657 | Financial Theft | RedLine Stealer has collected data from cryptocurrency wallets and harvested credit cards details from browsers.12345 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | RedLine Stealer can disable security software and update services.4 |
| enterprise | T1105 | Ingress Tool Transfer | RedLine Stealer has the ability download additional payloads.25 |
| enterprise | T1036 | Masquerading | RedLine Stealer malware has masqueraded as legitimate software such as “PDF Converter Software” which has been distributed through poisoned search engine results often resembling legitimate software lures with the combination of typo squatted domains.2 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | RedLine Stealer has used obfuscation tools such as DNGuard and Boxed App to pack their code.1 |
| enterprise | T1027.010 | Command Obfuscation | RedLine Stealer has obfuscated scripts within text files used in execution.6 |
| enterprise | T1027.013 | Encrypted/Encoded File | RedLine Stealer has encrypted and encoded configuration data with Base64 and XOR functions.4 |
| enterprise | T1012 | Query Registry | RedLine Stealer can query the Windows Registry.6 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | RedLine Stealer has achieved persistence via scheduled tasks.6 |
| enterprise | T1113 | Screen Capture | RedLine Stealer can capture screenshots on a compromised host.64 |
| enterprise | T1518 | Software Discovery | RedLine Stealer can get a list of programs on the victim device.4 |
| enterprise | T1518.001 | Security Software Discovery | RedLine Stealer has identified installed antivirus software on the system.25 |
| enterprise | T1539 | Steal Web Session Cookie | RedLine Stealer has stolen browser cookies and settings.1234 |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | RedLine Stealer has used both valid certificates and self-signed digital certificates to appear legitimate.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | RedLine Stealer has been installed via MSI Installer.6 |
| enterprise | T1082 | System Information Discovery | RedLine Stealer can collect information about the local system.2345 |
| enterprise | T1614 | System Location Discovery | RedLine Stealer has gathered detailed information about victims’ systems, such as IP addresses, and geolocation.123 RedLine Stealer has also checked the IP from where it was being executed and leveraged an opensource geolocation IP-lookup service. 6 |
| enterprise | T1614.001 | System Language Discovery | RedLine Stealer can retrieve system default language and time zone.4 |
| enterprise | T1016 | System Network Configuration Discovery | RedLine Stealer can enumeate information about victims’ systems including IP addresses.2 |
| enterprise | T1033 | System Owner/User Discovery | RedLine Stealer has obtained the username from the victim’s machine.345 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | RedLine Stealer malware has been executed through the download of malicious files.125 RedLine Stealer has also lured users to install malware with an Install Wizard interface.6 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | RedLine Stealer has an anti-sandbox technique that requires the malware to consistently check with the C2 server, if the communication fails RedLine Stealer will not continue execution.4 |
| enterprise | T1102 | Web Service | RedLine Stealer has leveraged legitimate file sharing web services to host malicious payloads.34 |
References
-
Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩
-
George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩
-
Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Yair Herling. (2023, April 4). From ChatGPT to RedLine Stealer: The Dark Side of OpenAI and Google Bard. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩
-
Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025. ↩↩↩↩↩↩↩↩↩↩↩