The PolySwarm Blog

RedLine Stealer Delivered Via Fake Windows 11 Update

Mar 14, 2022 1:27:00 PM / by PolySwarm Tech Team



Last month HP published research on RedLine Stealer, an information-stealing malware family being delivered through fake Windows 11 updates. Almost a month later, RedLine Stealer remains active in the wild, with new samples surfacing over the past week.

What is RedLine Stealer?

RedLine Stealer is an information stealer advertised on underground forums. It harvests saved browser credentials, autocomplete data, cryptocurrency wallet data, and stored credit card details. It also takes an inventory of the victim's machine, collecting the username, location data, hardware configuration, and installed security software, and reports that inventory to its command-and-control (C2) server. Beyond collection, RedLine Stealer can upload and download files and execute commands on the infected host. The C2 channel is built on WCF (Windows Communication Foundation), the .NET service framework, which is consistent with the malware being a .NET assembly.
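Because the C2 channel rides on WCF, a cheap first-pass check when triaging a suspected sample is whether the file is a .NET assembly at all and whether it references WCF namespaces. The script below is an added example written for this post, not code from the original article or from PolySwarm: it walks the PE headers to the CLR runtime data directory (index 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) and then searches the image for `System.ServiceModel` strings, which is where WCF lives in .NET. The sample PE buffers are constructed in the script and are not malware. Treat a hit as a triage heuristic only; plenty of benign .NET software also references WCF, so this is not a RedLine signature.

```python
import struct
import sys

# WCF lives in the System.ServiceModel namespaces; .NET stores referenced
# namespace names as UTF-8 in the #Strings heap, so a raw byte search works.
WCF_NAMESPACES = (
    b"System.ServiceModel",
    b"System.ServiceModel.Channels",
    b"System.ServiceModel.Description",
)

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def clr_directory(data: bytes):
    """Return (rva, size) of the CLR runtime header directory entry, or None
    when the buffer is not a well-formed PE or has too few directories."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:     # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if num_dirs_off + 4 > size_of_optional:
        return None
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return None
    entry = opt + dirs_off + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > opt + size_of_optional:
        return None
    return struct.unpack_from("<II", data, entry)    # (VirtualAddress, Size)


def is_dotnet(data: bytes) -> bool:
    """A non-zero CLR directory entry marks a managed (.NET) image."""
    d = clr_directory(data)
    return d is not None and d[0] != 0 and d[1] != 0


def wcf_indicators(data: bytes) -> list:
    return [ns.decode() for ns in WCF_NAMESPACES if ns in data]


def triage(data: bytes) -> dict:
    """Heuristic only: .NET image that references WCF. Not a RedLine signature."""
    dotnet = is_dotnet(data)
    wcf = wcf_indicators(data) if dotnet else []
    return {"dotnet": dotnet, "wcf": wcf, "flag": dotnet and bool(wcf)}


def build_sample(dotnet: bool, body: bytes) -> bytes:
    """Constructed test input: a minimal PE32 skeleton (no real sections)
    with an optional CLR directory entry followed by an arbitrary body."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


# Constructed samples (not real binaries) covering the three outcomes.
SAMPLE_WCF = build_sample(True, b"\0mscorlib\0System.ServiceModel\0System.ServiceModel.Channels\0")
SAMPLE_DOTNET_NO_WCF = build_sample(True, b"\0mscorlib\0System.Net.Http\0")
SAMPLE_NATIVE = build_sample(False, b"System.ServiceModel")  # string without CLR header

if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument, run the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for name, buf in (("wcf", SAMPLE_WCF), ("dotnet-no-wcf", SAMPLE_DOTNET_NO_WCF), ("native", SAMPLE_NATIVE)):
            print(name, triage(buf))
```

The CLR directory check is deliberately done before the string search so that a native binary which merely embeds the string does not get flagged. On a real sample the next step would be to load it in a .NET decompiler and inspect the WCF service contract, which this script does not attempt.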

According to researchers at S2W, RedLine Stealer was released in 2020 and was originally distributed through malicious links placed in YouTube video descriptions, masquerading as a free download. RedLine is currently offered as malware-as-a-service (MaaS), priced at roughly $100 to $200 USD per month, and was updated as recently as January 2022.

The threat actors operating RedLine Stealer use three Telegram channels to conduct business: an official chat, the official RedLine page, and a "Buy RedLine" bot. Logs stolen with RedLine Stealer are additionally sold on an underground forum.


PolySwarm has multiple samples associated with RedLine Stealer. A selection of sample hashes is found below.
You can use the following CLI command to search for all RedLine Stealer samples in our portal:

$ polyswarm link list -f RedlineStealer

Topics: Threat Bulletin, Malware, RedLine Stealer, Microsoft, Windows, Infostealer
