
RedLine Stealer

Also known as: RECORDSTEALER

RedLine Stealer is malware sold on underground forums, reportedly both as a standalone purchase ($100 or $150 depending on the version) and on a subscription basis ($100/month). It harvests information from browsers, including saved credentials, autocomplete data, and credit card details, and takes a system inventory of the infected machine, including the username, location data, hardware configuration, and details of installed security software. More recent versions added the ability to steal cryptocurrency. FTP and instant-messaging clients are also reportedly targeted. The malware can upload and download files, execute commands, and periodically report information about the infected computer back to its operators.

C2 Infrastructure

Hosting category of observed C2 hosts (each share is rounded independently, which is why the five figures add up to 101%):

Hosting/VPS: 72%
Unknown: 19%
Business: 4%
ISP/Residential: 4%
Sinkhole: 2%

C2 hosts observed per day, last 7 days:

May 30, 2026: 9
May 29, 2026: 29
May 28, 2026: 15
May 27, 2026: 8
May 26, 2026: 1
May 25, 2026: 2
May 24, 2026: 13
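Both panels above are derived from a per-host indicator feed. As an added example that is not the tracker's own code, the Python below rebuilds them from a constructed sample feed (RFC 5737 documentation addresses and assumed hosting labels, not real RedLine indicators): it counts distinct hosts per hosting category, shows why independently rounded shares can add up to 101% as the figures above do and how to make them sum to exactly 100, and produces a per-day host count over a seven-day window that reports days with no observations as 0 rather than dropping them. The column names (`observed`, `ip`, `category`) are assumptions.

```python
"""Rebuild a C2 infrastructure summary (hosting breakdown, hosts per day) from
a raw indicator feed. Added example, not the tracker's own code; the feed below
is constructed sample data (RFC 5737 addresses, assumed labels), not real
RedLine indicators."""
import csv
import io
import ipaddress
import math
from collections import Counter
from datetime import date, timedelta
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed feed: one row per (day, C2 host) observation. A host can be
# re-observed on a later day (203.0.113.1 and 198.51.100.3 are).
SAMPLE_FEED_CSV = """\
observed,ip,category
2026-05-24,203.0.113.1,Hosting/VPS
2026-05-24,203.0.113.2,Unknown
2026-05-25,203.0.113.3,Hosting/VPS
2026-05-26,203.0.113.1,Hosting/VPS
2026-05-27,203.0.113.4,Hosting/VPS
2026-05-27,203.0.113.5,Business
2026-05-28,203.0.113.6,Hosting/VPS
2026-05-28,198.51.100.1,Hosting/VPS
2026-05-28,198.51.100.2,ISP/Residential
2026-05-29,198.51.100.3,Hosting/VPS
2026-05-29,198.51.100.4,Hosting/VPS
2026-05-29,198.51.100.5,Hosting/VPS
2026-05-30,198.51.100.3,Hosting/VPS
2026-05-30,192.0.2.1,Sinkhole
2026-05-30,198.51.100.6,Hosting/VPS
"""

Observation = Tuple[date, str, str]  # (day observed, host IP, hosting category)


def parse_feed(text: str) -> List[Observation]:
    """Parse the CSV feed. IPs are normalised through ipaddress so a row that
    is not a valid address fails loudly (ValueError) instead of polluting stats."""
    rows: List[Observation] = []
    for rec in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(rec["ip"].strip()))
        rows.append((date.fromisoformat(rec["observed"]), ip, rec["category"].strip()))
    return rows


def category_counts(rows: List[Observation]) -> Dict[str, int]:
    """Distinct hosts per category. A host re-seen later counts once, under the
    category of its most recent observation (sorted by day, last write wins)."""
    latest: Dict[str, str] = {}
    for _, ip, cat in sorted(rows):
        latest[ip] = cat
    return dict(Counter(latest.values()))


def naive_percentages(counts: Dict[str, int]) -> Dict[str, int]:
    """Round each share on its own. The results need not sum to 100, which is
    how a panel can show 72 + 19 + 4 + 4 + 2 = 101."""
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.items()}


def largest_remainder_percentages(counts: Dict[str, int]) -> List[Tuple[str, int]]:
    """Integer shares that always sum to exactly 100 (largest-remainder method).
    Fraction keeps the arithmetic exact, so ties really are ties."""
    total = sum(counts.values())
    if total == 0:
        return [(k, 0) for k in sorted(counts)]
    exact = {k: Fraction(100 * v, total) for k, v in counts.items()}
    shares = {k: math.floor(x) for k, x in exact.items()}
    # Leftover points go to the largest fractional remainders; ties go to the
    # larger raw count, then to the alphabetically first name (deterministic).
    order = sorted(counts, key=lambda k: (-(exact[k] - shares[k]), -counts[k], k))
    for k in order[: 100 - sum(shares.values())]:
        shares[k] += 1
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))


def daily_host_counts(rows: List[Observation], end_iso: str, days: int = 7) -> List[Tuple[str, int]]:
    """Distinct hosts observed on each of the `days` days ending on `end_iso`
    (inclusive). Days with no observations are reported as 0, not skipped."""
    per_day: Dict[date, set] = {}
    for d, ip, _ in rows:
        per_day.setdefault(d, set()).add(ip)
    start = date.fromisoformat(end_iso) - timedelta(days=days - 1)
    window = [start + timedelta(days=i) for i in range(days)]
    return [(d.isoformat(), len(per_day.get(d, ()))) for d in window]


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED_CSV)
    counts = category_counts(rows)
    print("independently rounded shares sum to", sum(naive_percentages(counts).values()))
    for cat, pct in largest_remainder_percentages(counts):
        print(f"{cat:16s} {pct:3d}%")
    for day, n in daily_host_counts(rows, "2026-05-30"):
        print(f"{day}  C2 Hosts: {n}")
```

On the sample feed the independently rounded shares come to 101%, exactly the kind of total the panel above shows; the largest-remainder pass is the step to use when the shares must add to 100 (the tie-break rule matters there, since the three single-host categories have identical remainders). Hosts are deduplicated by IP for the category breakdown but counted per day for the daily series, which is why a host seen on two days appears in both days' counts.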

Further Reading

PrivateLoader: the loader of the prevalent ruzki PPI service

PrivateLoader is a downloader malware family. It is used as part of a PPI service, to deliver payloads of multiple malware families.

blog.sekoia.io
Identifying Simple Pivot Points in Malware Infrastructure - RisePro Stealer

Identifying simple pivot points in RisePro Stealer infrastructure using Censys.

embee-research.ghost.io
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)

More interesting and practical queries for identifying malware infrastructure.

embee-research.ghost.io
Stargazers Ghost Network - Check Point Research

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accoun...

research.checkpoint.com
NullMixer drops Redline Stealer, SmokeLoader and other malware

NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.

securelist.com
Tracking PrivateLoader: Malware Distribution Service | Bitsight Research

Latest analysis of PrivateLoader's continued use to distribute info stealers, banking trojans, loaders, spambots, and ransomware on Windows machines.

bitsight.com
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware | CloudSEK

Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lur...

cloudsek.com
DarkTortilla Malware Analysis

Learn how Secureworks CTU researchers have identified DarkTortilla samples delivering targeted malicious payloads, benign decoy documents, and executables.

secureworks.com
Botnet C&C | Botnet Threat Update January to June 2025 | Report
spamhaus.org
Exploring Seychelles: Team Cymru's Tech Adventure

Explore the beauty of Seychelles and its C(2) Shore with our technology company. Discover the perfect blend of nature and innovation on this breathtaking island.

team-cymru.com
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers

We recently spotted fake installers of popular software being used to deliver bundles of malware onto victims’ devices. These installers are widely used lures that trick users into opening maliciou...

trendmicro.com
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware hav...

trendmicro.com
IPFS: A New Data Frontier or a New Cybercriminal Hideout? | Trend Micro (US)

In this article, we briefly detail what IPFS is and how it works at the user level, before providing up to date statistics about the current usage of IPFS by cybercriminals, especially for hosting ...

trendmicro.com
CyberGate, RedLine Part of AutoIt Malware Campaign | Zscaler

The CyberGate RAT and RedLine Stealer are being delivered in an ongoing campaign that uses AutoIt-based malware.

zscaler.com
A Malware that Mimics Pirated Software Sites | Zscaler

Zscaler ThreatLabz researchers discovered ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software.

zscaler.com
OneNote | ThreatLabz

The Zscaler ThreatLabz team observed multiple OneNote malware campaigns spreading RATs, banking trojans, and stealer malware with multi-layer obfuscation.

zscaler.com