November 5, 2024, Bratislava – In the aftermath of a coordinated international law enforcement operation, ESET Research has released an in-depth analysis of the RedLine Stealer malware empire. Known for its expansive Malware-as-a-Service (MaaS) model, RedLine Stealer was dismantled on October 24, 2024, as part of Operation Magnus. This effort, led by Dutch National Police in collaboration with the FBI, Eurojust, and other agencies, resulted in the seizure of critical infrastructure and the apprehension of suspects linked to the operation.
The takedown disrupted three servers in the Netherlands, seized two domains, and led to arrests in Belgium. Charges against a key perpetrator in the U.S. were also unsealed. The operation followed a 2023 collaboration between ESET and law enforcement, during which ESET researchers identified and analyzed undocumented backend modules powering the RedLine infrastructure.
Unveiling the Infostealer’s Backend Operations
ESET’s investigation revealed over 1,000 unique IP addresses hosting RedLine control panels, with significant clusters in Russia, Germany, and the Netherlands, which accounted for approximately 60% of the total. Other notable locations included Finland and the United States, each hosting about 10% of the panels. RedLine’s backend infrastructure, distributed globally, had a concentration of servers in Russia, with smaller shares in the UK, the Netherlands, and the Czech Republic.
RedLine Stealer, first identified in 2020, functions as a MaaS operation. Affiliates purchase access to its malware through subscriptions or lifetime licenses. These affiliates use RedLine to steal a wide range of sensitive information, including cryptocurrency wallet data, browser-stored credentials, cookies, credit card details, and user data from popular platforms like Steam, Discord, and Telegram.
A Shared Creator and Evolution of RedLine and META Stealer
ESET researchers identified shared source code and backend infrastructure between RedLine Stealer and its clone, META Stealer, suggesting a common creator. While earlier versions relied on Windows Communication Framework for component interaction, the latest iterations utilize a REST API for enhanced efficiency.
The MaaS model has made RedLine Stealer a tool of choice for cybercriminals. Affiliates have deployed it in large-scale campaigns, including posing as ChatGPT downloads in 2023 and video game cheat software in 2024. Despite its widespread usage, ESET notes that the operation itself is managed by a small, tightly-knit group of individuals, some of whom have now been identified and apprehended.
Operation Magnus: A Landmark Effort
Before its takedown, RedLine Stealer was one of the most prevalent infostealers, with numerous affiliates leveraging its capabilities. Operation Magnus marks a significant blow to this ecosystem, signaling the growing effectiveness of international cooperation in combating cybercrime
Source: Media Release