During the analysis, ESET identified over 1,000 unique IP addresses used to host the malware's control panels. From the study of the source code and backend samples, it was found that RedLine Stealer and META Stealer share the same author
Researchers of ESET, a global European leader in the cybersecurity market, following the dismantling of RedLine Stealer by international authorities, have made public research into the previously undocumented backend modules of this infostealer. Technical analysis offers a broader understanding of how this malware-as-a-service (MaaS) empire works. By 2023, ESET researchers, in collaboration with law enforcement, had collected several modules used to manage the RedLine Stealer infrastructure.
On October 24, 2024, as part of Operation Magnus, the Dutch police, FBI, Eurojust and other law enforcement organizations dismantled the operations of the RedLine Stealer and its META Stealer clone. This global operation led to the dismantling of three servers in the Netherlands, the seizure of two domains, the arrest of two people in Belgium and the formalization of charges against an alleged perpetrator in the United States.
In April 2023, ESET participated in a partial disruption operation of the RedLine malware, removing several GitHub repositories used as “dead-drop resolvers” for the malware's control panel. At that time, ESET Research had analyzed, in collaboration with Flare researchers, backend modules of this malware family that had never been documented before. These modules do not interact directly with the malware, but handle authentication and provide control panel functionality.
"We were able to identify over 1,000 unique IP addresses used to host RedLine control panels. The 2023 versions of the RedLine Stealer analyzed by ESET used the Windows Communication Framework for communications between components, while the latest 2024 version uses a REST API. By analyzing the source code and backend samples, we determined that RedLine Stealer and META Stealer were designed from the same source," he explains Alexandre Côté Cyr, ESET researcher who studied the two infostealers.
The identified IP addresses hosted RedLine panels, with 20% located in Russia, Germany, and the Netherlands, respectively, and 10% in the United States and Finland. ESET has also identified several distinct backend servers, mostly deployed in Russia (around a third), with the UK, Netherlands and Czech Republic each accounting for around 15%.
RedLine Stealer is malware created for information theft, discovered in 2020. It is not centralized, but operates on a MaaS model where anyone can purchase a turnkey solution on various online forums and Telegram channels. Customers, called affiliates, can choose between a monthly subscription or a lifetime license. In exchange, they receive a control panel that generates malware samples and acts as a Command & Control (C&C) server. The generated samples can collect a wide range of information, such as local cryptocurrency wallets, cookies, credentials and credit card details saved in browsers, as well as data from Steam, Discord, Telegram and several VPN desktop applications.
"Using a ready-made solution makes it easier for affiliates to integrate RedLine Stealer into larger campaigns. Significant examples include distribution in the form of fake ChatGPT free downloads in 2023 or, in the first half of 2024, as video game cheats," adds Côté Cyr.
Before Operation Magnus, RedLine was one of the most popular infostealers, with a very large number of affiliates using its control panel. However, it appears that the entire malware-as-a-service enterprise was orchestrated by a small number of individuals, some of whom have now been identified by law enforcement.
