The notorious RedLine Stealer is back with a bag of old and new tricks to target users. The highlight point of this campaign is that the attackers had leveraged the PureCrypter injection module to deploy the infostealer.

More deets about the campaign

  • According to the Qualys Threat Research Team, the campaign distributing the RedLine InfoStealer was active from January to March.
  • The campaign made use of cracked software enclosed within Zip archives.
  • These fake software imitated legitimate cryptocurrency or NFT wallet applications such as Gigaland NFT marketplace and Dinox (NFT-themed collectible game) to lure users.
  • Users were redirected to these cracked software archives via URL shorteners and fake sites hosted on Discord’s CDN. 
  • Once the victim clicked on these fake archives, PureCrypter downloader was deployed and later executed RedLiner Stealer. 

About PureCrypter

  • PureCrypter is a fully-featured loader being sold since March 2021.
  • It is being sold by a threat actor that goes by the name ‘PureCoder’ in the underground forum at a price of $59.
  • Written in .NET language and obfuscated with SmartAssembly, the loader is capable of delivering a variety of remote access trojans and information-stealers.

Recent RedLine Stealer observed

  • In May, researchers discovered a campaign using a series of YouTube videos to distribute RedLine Stealer.
  • These videos took advantage of the global interest in NFTs and lured victims to buy Binance NFT Mystery Boxes when available. 
  • In another incident, the operators of the info-stealer were observed making use of the RIG Exploit Kit to spread the malware.


RedLine has become one of the most widely used infostealers due to its wide range of capabilities and a thriving structured underground Malware-as-a-Service (MaaS) market. As the operators continue to expand their scope of attacks, it is likely that there will be more attack vectors and new tactics to inject the malware which is capable of stealing sensitive data from infected machines.

Cyware Publisher