Skip to content

RedLine Stealer

Also known as: RECORDSTEALER

RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jul 14, 2026
C2 Hosts: 2
Jul 12, 2026
C2 Hosts: 1
Jul 11, 2026
C2 Hosts: 1
Jul 9, 2026
C2 Hosts: 1
Jul 8, 2026
C2 Hosts: 1

Further Reading

PrivateLoader: the loader of the prevalent ruzki PPI service opens in a new tab

PrivateLoader is a downloader malware family. It is used as part of a PPI service, to deliver payloads of multiple malware families.

blog.sekoia.io
Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer opens in a new tab

Identifying Simple pivot points in RisePro Stealer Infrastructure using Censys.

embee-research.ghost.io
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples) opens in a new tab

More interesting and practical queries for identifying malware infrastructure.

embee-research.ghost.io
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples) opens in a new tab

More interesting and practical queries for identifying malware infrastructure.

embeeresearch.io
Stargazers Ghost Network - Check Point Research opens in a new tab

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accoun...

research.checkpoint.com
NullMixer drops Redline Stealer, SmokeLoader and other malware opens in a new tab

NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.

securelist.com
Tracking PrivateLoader: Malware Distribution Service | Bitsight Research opens in a new tab

Latest analysis on PrivateLoader continued utilization to distribute info stealers, banking trojans, loaders, spambots, and ransomware on Windows machines.

bitsight.com
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware | CloudSEK opens in a new tab

Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lur...

cloudsek.com
DarkTortilla Malware Analysis opens in a new tab

Learn how Secureworks CTU researchers have identified DarkTortilla samples delivering targeted malicious payloads, benign decoy documents, and executables.

secureworks.com
Botnet C&C | Botnet Threat Update January to June 2025 | Report opens in a new tab
spamhaus.org
Exploring Seychelles: Team Cymru's Tech Adventure opens in a new tab

Explore the beauty of Seychelles and its C(2) Shore with our technology company. Discover the perfect blend of nature and innovation on this breathtaking island.

team-cymru.com
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers opens in a new tab

We recently spotted fake installers of popular software being used to deliver bundles of malware onto victims’ devices. These installers are widely used lures that trick users into opening maliciou...

trendmicro.com
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites opens in a new tab

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware hav...

trendmicro.com
IPFS: A New Data Frontier or a New Cybercriminal Hideout? | Trend Micro (US) opens in a new tab

In this article, we briefly detail what IPFS is and how it works at the user level, before providing up to date statistics about the current usage of IPFS by cybercriminals, especially for hosting ...

trendmicro.com
CyberGate, RedLine Part of AutoIt Malware Campaign| Zscaler opens in a new tab

The CyberGate RAT and RedLine stealer are being delivered in ongoing campaign using the AutoIt malware. Read more.

zscaler.com
A Malware that Mimics Pirated Software Sites | Zscaler opens in a new tab

Zscaler ThreatLabz researchers discovered ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software

zscaler.com
OneNote | ThreatLabz opens in a new tab

Zscaler ThreatLabz team observed multiple OneNote malware campaign spreading RATs, Bankers, and Stealer category malware with multi-layer obfuscation.

zscaler.com

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.