Deep Analysis of Redline Stealer: Leaked Credential with WCF
2022.03.03
Executive Summary
The currently distributed Redline Stealer has changed its C2 communication method and the way it delivers the collected information compared with the previous Redline Stealer, but the overall execution flow is the same.
Redline Stealer hard-codes encoded data such as the C2 server IP and a unique ID, together with the XOR key required to decode that data. When Redline runs, these values are decoded first. It then collects and exfiltrates information according to the configuration data received from the C2 server; the collected data consists of Environment Details and Credential Details, and includes system information, browser credentials, cryptocurrency wallet information, FTP information, and Telegram and Discord information, among others.
After collecting and exfiltrating information, Redline Stealer can also download executable files and perform additional malicious actions.
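As an added example (not code from the report or from the malware), the following Python sketch shows how an analyst's configuration extractor would recover the hard-coded C2 address and unique ID once the XOR key is known. The base64 wrapping, the repeating-key XOR layout, the key `ExampleKey` and the sample values are all constructed assumptions for illustration, not details taken from the report.

```python
import base64
import ipaddress
from itertools import cycle

# Assumed key for the constructed sample; a real extractor would read the key
# from the sample's hard-coded data, as the summary describes.
XOR_KEY = "ExampleKey"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the decode step the summary names)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_field(plaintext: str, key: str = XOR_KEY) -> str:
    """Mirror of the decode step, used only to build the constructed sample."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key.encode())).decode()


def decode_field(encoded: str, key: str = XOR_KEY) -> str:
    """Reverse the assumed encoding: base64 -> XOR with repeating key -> UTF-8."""
    return xor_bytes(base64.b64decode(encoded), key.encode()).decode()


# Constructed stand-in for the hard-coded encoded fields; 192.0.2.10 is a
# documentation-range address, not a real indicator.
SAMPLE_CONFIG = {
    "C2": encode_field("192.0.2.10:4444"),
    "ID": encode_field("TEST_ID_01"),
}


def c2_is_ip_port(value: str) -> bool:
    """Sanity check: a decoded C2 field should parse as <IPv4>:<port>."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return False
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def extract_config(fields: dict, key: str = XOR_KEY) -> dict:
    """Decode every field and flag whether the C2 value passed the sanity check."""
    decoded = {name: decode_field(value, key) for name, value in fields.items()}
    decoded["c2_looks_valid"] = c2_is_ip_port(decoded.get("C2", ""))
    return decoded
```

A wrong key shows up immediately as a C2 field that fails the IP:port check rather than as silently garbled output.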
You can read the full report on the S2W Blog.
The full report is available upon request.