RedLine Info-Stealer Targets Crypto Wallets, VPN Credentials and Browser Cookies

by Security News

Overview

RedLine Stealer is a .NET-based info-stealer malware sold as malware-as-a-service, designed to exfiltrate sensitive data from infected systems. It targets browsers to steal saved passwords, cookies, credit card data, and autofill information by decrypting Chromium and Firefox SQLite databases using extracted master keys. It aggressively searches for cryptocurrency wallets—including desktop applications and browser extensions like MetaMask and Phantom—by scanning local directories and extension folders. RedLine also harvests Discord tokens, VPN credentials, Steam files, FTP logins, and user documents matching keywords like "wallet" or "seed." It profiles the system (hardware, OS, antivirus, IP geolocation), takes screenshots, and transmits all stolen data to attacker-controlled C2 servers.

The malware binary is not obfuscated. A quick extraction of Unicode strings from the binary reveals some of its intentions:

Figure 1: Strings analysis
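The strings step above is the cheapest triage an analyst can run on an unobfuscated .NET sample, but plain `strings` misses most of it: .NET keeps its user strings as UTF-16LE, so they only show up with a wide-character scan. The following script is an added example, not part of the original write-up or the sample, that extracts both ASCII and UTF-16LE runs from a binary and then triages them against keywords taken from the behaviour described in this analysis. The embedded `SAMPLE_IMAGE` bytes and the `SUSPECT_KEYWORDS` list are constructed for the example.

```python
import re
import sys

# Triage keywords drawn from the behaviour the write-up describes (browser
# credential stores, wallet/seed document hunting, messaging and gaming
# clients). This list is constructed for the example, not taken from the sample.
SUSPECT_KEYWORDS = ("wallet", "seed", "cookies", "login data", "metamask",
                    "phantom", "discord", "telegram", "steam", "vpn")


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    UTF-16LE is the encoding .NET uses for its #US (user string) heap, so
    plain `strings` misses most of what a .NET stealer reveals about itself;
    this is the equivalent of running `strings` together with `strings -el`.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(strings, keywords=SUSPECT_KEYWORDS):
    """Keep the strings containing a triage keyword (case-insensitive),
    returning (offset, encoding, text, matched_keywords)."""
    hits = []
    for off, enc, text in strings:
        low = text.lower()
        matched = [k for k in keywords if k in low]
        if matched:
            hits.append((off, enc, text, matched))
    return hits


# Constructed stand-in for a .NET image: a DOS header fragment, an ASCII
# import name and a few UTF-16LE user strings separated by NUL padding.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"mscoree.dll\x00\x00\x00"
    + "\\Google\\Chrome\\User Data\\Default\\Cookies".encode("utf-16-le") + b"\x00\x00"
    + "*wallet*".encode("utf-16-le") + b"\x00\x00"
    + "*seed*".encode("utf-16-le") + b"\x00\x00"
    + "%APPDATA%\\discord\\Local Storage\\leveldb".encode("utf-16-le") + b"\x00\x00"
    + "ab".encode("utf-16-le")   # below min_len, must not be reported
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    # Pass a file path to scan a real binary; otherwise the constructed image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, enc, text, matched in triage(extract_strings(data)):
        print(f"{off:#010x} {enc:8} {text!r}  <- {', '.join(matched)}")
```

Running it on a real unobfuscated .NET stealer typically surfaces browser profile paths, extension IDs and the `*wallet*`/`*seed*` style search masks described above, which is usually enough to decide whether the sample deserves a full decompile.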

The code is written in .NET. After decompiling the code, we can see various functions. One such function is written to steal cookies from a browser’s SQLite database. This gives the threat actors easy access to active email and banking sessions:

Figure 2: Browser cookie extraction function

Digging further through the code, we can see a full list of services that the malware will extract data from. This includes browsers, games, and VPN services:

Figure 3: Additional extraction features

The malware also targets various crypto wallets installed as browser extensions:

Figure 4: Targeted crypto wallet browser extensions

Immediately after execution, the malware gathers data and sends it to a remote C2 server controlled by the threat actors. The infected host first performs a handshake with the C2 server; all messages are exchanged using the SOAP messaging protocol:

Figure 5: Initial handshake with C2 server

The C2 server then sends a list of commands to the infected machine. In this case, browser details, Discord, Telegram, VPN, crypto wallet, and Steam account information are requested:

Figure 6: Data request commands

The first batch of exfiltrated data includes some system information and a desktop screenshot of the infected system encoded in base64:

Figure 7: Desktop screenshot sent in base64 format

For analysis purposes, an Electrum wallet was installed on the test system. Its wallet data was observed being sent to the C2 server:

Figure 8: Base64 encoded crypto wallet data sent

Figure 9: Decoded crypto wallet data that was sent out

SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Redline.STL (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.