S1240: RedLine Stealer
RedLine Stealer is an information-stealer malware variant first identified in 2020.[1][2][3] RedLine Stealer is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service.[1][4] Information obtained from RedLine Stealer has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.[5][4]
Analyst context for executives and security teams
RedLine Stealer matters because ATT&CK describes it as Windows information-stealer malware delivered as Malware-as-a-Service, with stolen information known to be sold to Initial Access Brokers. For leaders, the key risk is not only the infected endpoint; it is the downstream business exposure created when browser data, local files, system details, screenshots, and credentials can become fuel for follow-on intrusions.
Executive priority
Prioritize RedLine Stealer as an identity and incident-response readiness issue, not just an endpoint malware issue. Executives should ask whether the organization can quickly identify affected Windows users, revoke or rotate exposed credentials, preserve endpoint and network evidence, and prove to auditors that malware execution, persistence, discovery, collection, command-and-control, and exfiltration controls are being monitored. Budget decisions should emphasize endpoint visibility, credential hygiene, web/C2 monitoring, and playbooks for infostealer-driven account compromise.
Technical view
ATT&CK provides no official detection text for S1240, so SOC and detection engineering teams should validate coverage through its documented behavior relationships. On Windows, test visibility for malicious-file execution, cmd.exe and Lua-related execution where applicable, scheduled task creation, registry queries, local account/user/system/browser discovery, local data collection, screen capture, msiexec proxy execution, packed or encoded payloads, deobfuscation activity, web-protocol C2, web-service use, ingress tool transfer, standard-encoded C2 data, and exfiltration over C2. IR teams should treat confirmed activity as both malware containment and possible credential exposure requiring identity scoping.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows scheduled task creation/modification events
- Windows Registry access/query telemetry
- File creation, modification, execution, packing/encoding indicators, and suspicious local data access
- Browser data access indicators on endpoints
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a single RedLine signature, because the official object does not provide detection guidance.
- Correlate suspicious user-executed files with follow-on discovery, browser information access, local file collection, and outbound web traffic.
- Tune for Windows LOLBin and scripting context, especially cmd.exe, msiexec.exe, scheduled tasks, registry queries, and encoded or obfuscated command/file patterns.
- Review web traffic detections for blind spots caused by common HTTP/S or legitimate web-service use, since those channels can blend with normal activity.
- Account for false positives from administrators, installers, software inventory tools, and legitimate scheduled tasks by requiring behavioral chains and endpoint context.
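As an added example (not code from ATT&CK, Glexia or any of the cited reports), the Python below correlates the behavior chain described above over constructed, Sysmon-like process-creation events: a file run from a user-writable path, cmd.exe invoking ErrorHandler.cmd, schtasks /create, msiexec against a Temp path, and reg query. It alerts only when the user-execution anchor is followed by enough other stages on the same host within a window, which is how the false-positive point about installers and inventory tools is handled. Field names, thresholds and sample events are assumptions.

```python
# Added example (not ATT&CK or Glexia code): correlate RedLine-style behavior chains over
# constructed, Sysmon-like process-creation events (host, ts, parent, image, cmdline).
import re
from collections import defaultdict, namedtuple
Ev = namedtuple("Ev", "host ts parent image cmdline")
WINDOW_SECONDS = 600  # assumed per-host correlation window
MIN_STAGES = 3        # distinct stages required before alerting
USER_PATH = re.compile(r"\\(downloads|temp)\\[^\\]+\.(exe|msi)$", re.I)

# One predicate per ATT&CK relationship listed for S1240; x is the lower-cased image basename.
STAGES = [
    ("T1204.002", lambda e, x: e.parent.lower().endswith("explorer.exe") and bool(USER_PATH.search(e.image))),
    ("T1059.003", lambda e, x: x == "cmd.exe" and "errorhandler.cmd" in e.cmdline.lower()),
    ("T1053.005", lambda e, x: x == "schtasks.exe" and "/create" in e.cmdline.lower()),
    ("T1218.007", lambda e, x: x == "msiexec.exe" and "\\temp\\" in e.cmdline.lower()),
    ("T1012", lambda e, x: x == "reg.exe" and e.cmdline.lower().split()[1:2] == ["query"]),
]

def correlate(events):
    """Return {host: sorted technique IDs} where a file run from a user-writable path (T1204.002) is
    followed within the window by enough other stages; anchoring on that stage keeps admin installers
    and inventory tools, which also run msiexec or reg query, from alerting on their own."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        exe = e.image.lower().rsplit("\\", 1)[-1]
        if hits := [tid for tid, pred in STAGES if pred(e, exe)]:
            by_host[e.host].append((e.ts, hits))
    alerts = {}
    for host, tagged in by_host.items():
        for i, (t0, first) in enumerate(tagged):
            if "T1204.002" not in first:
                continue
            seen = set(first)
            for ts, hits in tagged[i + 1:]:
                if ts - t0 > WINDOW_SECONDS:
                    break
                seen.update(hits)
            if len(seen) >= MIN_STAGES:
                alerts[host] = sorted(seen)
                break
    return alerts

SAMPLE_EVENTS = [  # constructed: WS01 is an infostealer chain, WS02 a benign admin install
    Ev("WS01", 1000, r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\PDF_Converter.exe", "PDF_Converter.exe"),
    Ev("WS01", 1040, r"C:\Users\alice\Downloads\PDF_Converter.exe", r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\ErrorHandler.cmd"),
    Ev("WS01", 1042, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
       "schtasks.exe /create /sc minute /tn Updater /tr upd.exe"),
    Ev("WS02", 2000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i \\fs01\sw\app.msi /qn"),
    Ev("WS02", 2005, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe", r"reg.exe query HKLM\SOFTWARE\Classes\Installer"),
]
```

`correlate(SAMPLE_EVENTS)` flags only WS01; the WS02 admin activity matches a single stage and stays quiet.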
Mitigation priorities
- Reduce user-driven execution risk with attachment/file execution controls, user awareness, and least-privilege workstation practices.
- Harden Windows endpoints with application control, endpoint protection, and visibility for scheduled tasks, msiexec abuse, registry discovery, and command-shell activity.
- Limit credential exposure by strengthening password management, MFA coverage, credential rotation processes, and rapid account disablement workflows after suspected infostealer activity.
- Improve outbound network governance with proxy/DNS logging, egress controls, and review of unusual web-protocol or web-service communications from endpoints.
- Prepare IR playbooks that combine endpoint containment, forensic preservation, credential reset, session/token review where applicable, and monitoring for follow-on access attempts.
Analyst notes and limits
The most decision-useful context is RedLine Stealer’s Malware-as-a-Service model and the ATT&CK statement that information obtained by it has been known to be sold to Initial Access Brokers. That makes the response priority broader than malware removal: defenders should assume potential downstream identity risk until local evidence proves otherwise. The object platform is Windows; several related ATT&CK techniques list broader platforms generically, but this analysis applies them only in the context of the supplied RedLine Stealer object.
MITRE supplies no official detection text, aliases, labels, or explicit tactics on the malware object. The behavioral guidance here is derived from the supplied relationships and descriptions only. Local validation is required to determine whether RedLine-like behavior occurred, what data was accessed, whether credentials were exposed, and whether existing controls provide sufficient coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.002 | Code Signing | RedLine Stealer has used both valid certificates and self-signed digital certificates to appear legitimate. [ESET RedLine Stealer November 2024] |
| Enterprise | T1685 | Disable or Modify Tools | RedLine Stealer can disable security software and update services. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1033 | System Owner/User Discovery | RedLine Stealer has obtained the username from the victim’s machine. [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] [Veriti RedLine Stealer MAAS April 2023] |
| Enterprise | T1518.001 | Security Software Discovery | RedLine Stealer has identified installed antivirus software on the system. [Kroll RedLine Stealer August 2024] [Veriti RedLine Stealer MAAS April 2023] |
| Enterprise | T1012 | Query Registry | RedLine Stealer can query the Windows Registry. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1113 | Screen Capture | RedLine Stealer can capture screenshots on a compromised host. [McAfee RedLine Stealer April 2024] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1204.002 | Malicious File | RedLine Stealer malware has been executed through the download of malicious files. [ESET RedLine Stealer November 2024] [Kroll RedLine Stealer August 2024] [Veriti RedLine Stealer MAAS April 2023] RedLine Stealer has also lured users into installing malware with an Install Wizard interface. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1657 | Financial Theft | RedLine Stealer has collected data from cryptocurrency wallets and harvested credit card details from browsers. [ESET RedLine Stealer November 2024] [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] [Veriti RedLine Stealer MAAS April 2023] |
| Enterprise | T1087.001 | Local Account | RedLine Stealer has collected account information from the victim’s machine. [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1036 | Masquerading | RedLine Stealer malware has masqueraded as legitimate software such as "PDF Converter Software", distributed through poisoned search engine results that often resemble legitimate software lures in combination with typosquatted domains. [Kroll RedLine Stealer August 2024] |
| Enterprise | T1027.002 | Software Packing | RedLine Stealer has used obfuscation tools such as DNGuard and Boxed App to pack its code. [ESET RedLine Stealer November 2024] |
| Enterprise | T1614 | System Location Discovery | RedLine Stealer has gathered detailed information about victims’ systems, such as IP addresses and geolocation. [ESET RedLine Stealer November 2024] [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] RedLine Stealer has also checked the IP address from which it was being executed and leveraged an open-source geolocation IP-lookup service. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1027.013 | Encrypted/Encoded File | RedLine Stealer has encrypted and encoded configuration data with Base64 and XOR functions. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1614.001 | System Language Discovery | RedLine Stealer can retrieve the system default language and time zone. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1102 | Web Service | RedLine Stealer has leveraged legitimate file-sharing web services to host malicious payloads. [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1016 | System Network Configuration Discovery | RedLine Stealer can enumerate information about victims’ systems, including IP addresses. [Kroll RedLine Stealer August 2024] |
| Enterprise | T1059.011 | Lua | RedLine Stealer malware has leveraged Lua bytecode to perform malicious behavior. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1005 | Data from Local System | RedLine Stealer has collected data stored locally, including chat logs and files associated with chat services such as Steam, Discord, and Telegram. [ESET RedLine Stealer November 2024] |
| Enterprise | T1105 | Ingress Tool Transfer | RedLine Stealer has the ability to download additional payloads. [Kroll RedLine Stealer August 2024] [Veriti RedLine Stealer MAAS April 2023] |
| Enterprise | T1132.001 | Standard Encoding | RedLine Stealer has used Base64 to encode command and control traffic. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1539 | Steal Web Session Cookie | RedLine Stealer has stolen browser cookies and settings. [ESET RedLine Stealer November 2024] [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1217 | Browser Information Discovery | RedLine Stealer can collect information from browsers and browser extensions. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1555 | Credentials from Password Stores | RedLine Stealer has obtained credentials from VPN services, FTP clients, and Instant Messenger (IM)/chat clients. [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1555.003 | Credentials from Web Browsers | RedLine Stealer was designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. [ESET RedLine Stealer November 2024] RedLine Stealer can also gather credentials from several browsers. [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RedLine Stealer has decoded its payload prior to execution. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | RedLine Stealer has sent victim data to its C2 server or RedLine panel server. [Proofpoint RedLine Stealer March 2020] |
| Enterprise | T1218.007 | Msiexec | RedLine Stealer has been installed via MSI Installer. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1082 | System Information Discovery | RedLine Stealer can collect information about the local system. [Kroll RedLine Stealer August 2024] [Proofpoint RedLine Stealer March 2020] [Splunk RedLine Stealer June 2023] [Veriti RedLine Stealer MAAS April 2023] |
| Enterprise | T1071.001 | Web Protocols | RedLine Stealer has utilized HTTP for C2 communications. [McAfee RedLine Stealer April 2024] RedLine Stealer has also conducted C2 communications with hardcoded C2 servers over HTTPS. [ESET RedLine Stealer November 2024] [Splunk RedLine Stealer June 2023] RedLine Stealer has leveraged the SOAP protocol for C2 communications. [Proofpoint RedLine Stealer March 2020] |
| Enterprise | T1480 | Execution Guardrails | RedLine Stealer has built-in settings to not operate based on the geolocation or country of the victim host. [ESET RedLine Stealer November 2024] [Proofpoint RedLine Stealer March 2020] |
| Enterprise | T1053.005 | Scheduled Task | RedLine Stealer has achieved persistence via scheduled tasks. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | RedLine Stealer has an anti-sandbox technique that requires the malware to consistently check in with the C2 server; if that communication fails, RedLine Stealer will not continue execution. [Splunk RedLine Stealer June 2023] |
| Enterprise | T1027.010 | Command Obfuscation | RedLine Stealer has obfuscated scripts within text files used in execution. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1059.003 | Windows Command Shell | RedLine Stealer has executed the Windows command shell using `ErrorHandler.cmd` to create scheduled tasks. [McAfee RedLine Stealer April 2024] |
| Enterprise | T1518 | Software Discovery | RedLine Stealer can get a list of programs on the victim device. [Splunk RedLine Stealer June 2023] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9db7b3a9008e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET RedLine Stealer November 2024: Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025.
[2] Proofpoint RedLine Stealer March 2020: Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025.
[3] Splunk RedLine Stealer June 2023: Splunk Threat Research Team. (2023, June 1). Do Not Cross The 'RedLine' Stealer: Detections and Analysis. Retrieved September 17, 2025.
[4] Veriti RedLine Stealer MAAS April 2023: Yair Herling. (2023, April 4). From ChatGPT to RedLine Stealer: The Dark Side of OpenAI and Google Bard. Retrieved September 17, 2025.
[5] Kroll RedLine Stealer August 2024: George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025.
[6] mitre-attack S1240: MITRE ATT&CK source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.