Gridinsoft Blog (https://gridinsoft.com/blogs), posts tagged "Vidar". Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed generated Thu, 10 Apr 2025 02:58:52 +0000.

Redline and Vidar Stealers Switch to Ransomware Delivery
https://gridinsoft.com/blogs/redline-and-vidar-ransomware/
Wed, 20 Sep 2023 16:13:53 +0000

The post Redline and Vidar Stealers Switch to Ransomware Delivery appeared first on Gridinsoft Blog.

The cybercriminals behind the RedLine and Vidar stealers have decided to diversify their activity. They now deploy ransomware using the same spreading techniques they used to deliver their spyware. Meanwhile, the ransomware deployment process is rather unusual and is full of advanced evasion techniques.

What are Redline and Vidar Stealers?

RedLine is an infostealer that appeared back in 2020 and is offered under a malware-as-a-service (MaaS) model. Cybercriminals appreciate it for its wide functionality, which includes not only automated data gathering but also manual commands for scanning directories. And, as is typical for stealers, it relies on stealth, further enhanced by a crypter that is bundled with the malware.

Vidar is similar, but with differences. Aiming at a similar list of desktop apps, browsers and crypto wallets, it is closer to a classic stealer. Once it finishes collecting information, all the gathered data is packed into an archive and sent to the command server. When this transfer is over, Vidar performs “melting”: it simply deletes itself.

RedLine and Vidar Ransomware Delivery

In late summer 2023, the developers of the RedLine and Vidar stealers started spreading ransomware on their own. The methods of gaining initial access remained the same: crooks send victims an email containing expected or alarming information, along with an attachment. This attachment, as you may have guessed, is the payload. The use of double extensions (pdf.htm, in one of the cases noticed by analysts) is quite typical for such attacks. Since Microsoft disabled macros in files that come from the Web, both new and rather old spreading methods were put into use.

[Image: Vidar & RedLine Ransomware]

Once the victim runs the file, the execution chain starts. First, the JScript applet connects to an intermediary server, then downloads and executes an .exe file. This file, in turn, downloads a PNG picture that appears to be a bitmap image. The image is then decoded into shellcode, which in turn produces yet another shellcode that is saved to the Temp folder.

The second shellcode is launched in a Command Prompt instance spawned by the aforementioned .exe file. This brings the final payload into view: an infected console version of the 7-Zip utility. Upon execution, it launches the ransomware attack.

RedLine Uses EV Certificates to Conceal Itself

Another interesting, though not novel, tactic used by hackers is signing malware with EV certificates. RedLine adopted this practice in June 2023, starting with its stealers. Extended Validation (EV) code signing certificates appeared as a shortcut for large companies signing their software. Instead of the thorough checks that precede the issuance of a regular code signing certificate, an EV certificate requires only a request from the company. To gain the right to request EV certificates, the company must undergo a 16-stage check that verifies every aspect of its identity. But, as commonly happens, cybercriminals found a way to use this for their benefit.

It is not uncommon for certificates to leak, but this time the trust level is critical. Ordinary certificates require less authentication to issue and consequently carry less trust. EV certificates, by contrast, rarely fall under suspicion, and frequent revocations may become a problem for the company. There is also no clear information on how the EV certificates leaked. In RedLine's case, this practice is exceptionally threatening given the number of its samples that appear every day.

[Image: RedLine stats]

How to protect against ransomware?

Modern ransomware certainly impresses with the diversity of its evasion techniques and the damage it does to a system. However, the spreading methods remain more or less the same for most families and samples. Email spam and questionable software downloaded from third-party sources: attackers have no reason to change a scheme that works well. Your best countermeasure is to pay attention to these spreading methods.

Do not interact with questionable emails. Attackers commonly use buzzwords that create a sense of urgency about the required actions. That is what drastically distinguishes genuine messages from spam: companies never do that. Even though some messages are styled to look legitimate and echo what you are waiting for, avoid haste and check the details of the message. Aside from the writing style, the sender's email address in spam messages typically differs from the legitimate one. Fortunately, there is no way to hide the sender's address.

Be careful with files from the Internet before running them. The double-extension trick (like .pdf.exe) has existed for over two decades, and hackers never shy away from using it. Since Windows hides file extensions by default, it is extremely easy to be fooled this way. In your File Explorer settings, you can make it show the extensions: go to the View button on the upper panel, then click Show → File Name Extensions in the drop-down list. This will make it much easier to spot such tricky files.

[Image: Enable file extensions in File Explorer]

Use reliable anti-malware software with advanced heuristic features. As you may have guessed, it is quite hard to detect the ransomware from RedLine's developers statically. It hides in deeply encoded files that are hard to identify in any way. Even the final payload masquerades as a legitimate console utility. In such a sophisticated case, only heuristic detection can help. GridinSoft Anti-Malware has multi-stage heuristic analysis with a neural scanning engine on hand. It can effectively detect such threats: try it out!
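The two markers the post singles out for this campaign's lures, an urgency-laden subject and a double-extension attachment such as pdf.htm, can be checked mechanically at the mail gateway. The script below is an added example (not Gridinsoft's code): it parses a constructed message with Python's standard email library and flags any attachment whose visible "document" extension is followed by an executable or script extension; the extension and urgency-word lists are assumptions to tune.

```python
"""Triage a raw email for the double-extension attachment trick (pdf.htm, .pdf.exe)
and urgency wording. Added example; the extension and word lists are assumptions."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the attacker wants the victim to *see* (assumed list; extend as needed).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions Windows actually runs, or hands to a script/browser engine (assumed list).
ACTIVE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
               ".vbe", ".wsf", ".hta", ".htm", ".html", ".lnk", ".msi"}
# Words that create a sense of urgency, the spam marker the post points out.
URGENCY_WORDS = ("urgent", "immediately", "overdue", "suspended", "final notice")


def classify_name(filename):
    """Return a reason string when the name pairs a document-like extension with
    an active one (e.g. invoice.pdf.htm), otherwise None."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    if len(suffixes) < 2:
        return None
    shown, real = suffixes[-2], suffixes[-1]
    if real in ACTIVE_EXTS and shown in DOCUMENT_EXTS:
        return f"looks like {shown} but runs as {real}"
    return None


def urgency_hits(subject):
    """Urgency words found in the subject line (empty list when none)."""
    text = (subject or "").lower()
    return [word for word in URGENCY_WORDS if word in text]


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and report sender, urgency words and attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {
        "sender": str(msg.get("From", "")),
        "urgency": urgency_hits(str(msg.get("Subject", ""))),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report["attachments"].append({
            "name": name,
            "content_type": part.get_content_type(),
            "suspicious": classify_name(name),
        })
    return report


def build_sample():
    """Constructed lure message with one double-extension attachment and one clean PDF."""
    msg = EmailMessage()
    msg["From"] = "Accounting <billing@example-corp.invalid>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Please review the attached invoice immediately.")
    msg.add_attachment(b"<html><!-- constructed placeholder, no payload --></html>",
                       maintype="text", subtype="html", filename="invoice.pdf.htm")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="contract.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample())
    print("urgency words:", result["urgency"])
    for att in result["attachments"]:
        flag = att["suspicious"] or "ok"
        print(f'{att["name"]:20} {att["content_type"]:18} {flag}')
```

Pair the name check with a content-type check in production: an attachment declared as application/pdf whose bytes do not start with a PDF header deserves the same treatment.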

Infostealers: How to Detect, Remove and Prevent Information-Stealing Malware in 2025
https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/
Fri, 28 Jul 2023 21:59:31 +0000


Information is one of our most valuable assets in today’s digital world, making it a prime target for cybercriminals. These threat actors use specialized infostealer malware to extract sensitive data stored on your devices, putting your personal and financial information at serious risk. Cybersecurity experts have reported an alarming 103% increase in infostealer attacks during 2023-2024, with this upward trend showing no signs of slowing down. This comprehensive guide explains what infostealers are, how they work, and most importantly, how to protect yourself from these dangerous threats.

What is an Infostealer?

An infostealer is malicious software specifically designed to collect sensitive information from an infected device and transmit it to attackers. These sophisticated programs target high-value data including:

  • Saved browser credentials (usernames and passwords)
  • Banking information and credit card details
  • Cryptocurrency wallet data and private keys
  • Browser cookies and session data
  • Email account credentials
  • Personal documents and identity information
  • Cached form data containing personal information
  • System information and installed software details

The attack cycle typically follows a standard pattern: after infection, the infostealer silently collects data and stores it in a designated directory. Once collection is complete, it packages this information and sends it to command-and-control (C2) servers operated by threat actors. The most valuable targets for attackers are financial credentials, cryptocurrency wallet information, and authentication data that can be either monetized directly or sold on dark web markets.

[Chart: Infostealer Logs Available on Underground Markets (2023): Raccoon 2,114,549; Vidar 1,816,800; RedLine 1,415,458]

Source: Darknet market research data, compiled February 2023

Since 2020, infostealers have experienced unprecedented growth in both sophistication and popularity among cybercriminals. This surge has established three clear market leaders: Raccoon, Vidar, and RedLine Stealer. These threats are continually evolving, with security researchers recently documenting their use in compromising over 100,000 ChatGPT accounts and targeting other high-value platforms.

Major Infostealer Families: Technical Analysis

RedLine Stealer

RedLine emerged on Russian cybercrime forums in March 2020 and quickly became the most profitable credential-stealing malware in the logs marketplace. This sophisticated infostealer is specifically engineered to extract sensitive information from web browsers, including:

  • Saved login credentials across all major browsers
  • Autocomplete form data containing personal information
  • Stored credit card information and payment details
  • Cryptocurrency wallet credentials and access information

Upon infection, RedLine conducts a comprehensive system inventory, collecting usernames, geographic location data, hardware configurations, and installed security software. This information helps attackers profile victims and evade detection. Distribution occurs through multiple vectors, including malicious advertisements, cracked software, phishing campaigns, and compromised application downloads.

[Image: RedLine Telegram channel showing subscription pricing for the infostealer malware-as-a-service]

Raccoon Stealer

First appearing in 2019, Raccoon Stealer pioneered the malware-as-a-service (MaaS) model for infostealers, initially marketed on underground forums before transitioning to Telegram distribution channels. The malware received a significant update in 2022 that enhanced its detection evasion capabilities and expanded its functionality.

What makes Raccoon particularly dangerous is its ability to steal data from:

  • More than 60 different web browsers
  • Cryptocurrency browser extensions
  • Cryptocurrency desktop wallets
  • Authentication cookies enabling session hijacking
  • Discord tokens and Telegram session data

Interestingly, Raccoon has a controversial reputation within hacker communities, with many users claiming its operators intercept the most valuable stolen logs before providing them to customers. Despite these allegations, Raccoon remains one of the most widely used infostealers, with its data appearing in numerous credential harvesting operations and follow-up attacks.

[Image: Raccoon Stealer marketing material in a Telegram distribution channel]

Vidar Stealer

Vidar represents the “hit-and-run” category of infostealers, designed for maximum data extraction with minimal footprint. First detected in 2019 during a malvertising campaign, Vidar was distributed alongside GandCrab ransomware using the Fallout exploit kit.

Built using C++ and derived from the earlier Arkei stealer, Vidar is commercially available on underground forums and Telegram channels. Its distinguishing feature is a comprehensive admin panel that allows customers to configure targeting parameters and monitor their botnet of infected systems.

Vidar’s data harvesting capabilities include:

  • Browser artifacts (history, cookies, saved passwords)
  • Cryptocurrency wallet files and credentials
  • PayPal and banking service information
  • Two-factor authentication backup codes
  • Session tokens for various online services
  • Screenshots of the victim’s desktop and active windows

After completing data collection, Vidar executes a “meltdown” procedure, effectively removing itself from the infected system to avoid detection and forensic analysis. This self-deletion capability makes Vidar particularly challenging to detect and analyze after an attack has occurred.

[Image: Vidar infostealer administrator panel showing infection statistics and configuration options]

How Infostealers Spread: Common Infection Vectors

Cybercriminals employ various sophisticated distribution methods to deploy infostealers on target systems. Understanding these attack vectors is crucial for effective prevention:

  • Pirated Software and Cracked Applications

    Threat actors frequently bundle infostealers with pirated software downloads. These modified applications appear to function normally while silently installing malware in the background. The increased sophistication of modern infostealers makes them particularly difficult to detect in compromised software packages.

  • Malvertising Campaigns

    Exploit kits deployed through malicious online advertisements remain one of the most prevalent distribution methods. When users click on these ads, they may unknowingly trigger an infostealer download, or be redirected to phishing sites that deploy the malware. In advanced attacks, even simply viewing the advertisement can initiate a drive-by download through browser exploits.

  • System Compromises and Supply Chain Attacks

    Once attackers gain initial access to a system through other means, they often deploy infostealers as secondary payloads. This approach is particularly common in supply chain attacks where legitimate software update mechanisms are compromised to distribute malware to thousands of systems simultaneously.

  • Phishing and Social Engineering

    Sophisticated phishing campaigns remain highly effective at delivering infostealers. Attackers impersonate legitimate organizations in emails containing malicious attachments or links to compromised websites. These communications may be sent to large groups (mass phishing) or carefully tailored for specific individuals or organizations (spear phishing).

Technical Methods Used by Infostealers to Extract Data

Modern infostealers employ several sophisticated techniques to extract sensitive information from infected systems:

  • Browser Database Extraction

    Infostealers specifically target browser data storage files such as Login Data, Web Data, and Cookies in Chrome-based browsers, or logins.json and cookies.sqlite in Firefox. These files contain encrypted credentials that the malware decrypts using built-in browser functions or by extracting encryption keys from the system.

  • Memory Scraping

    Advanced infostealers scan process memory for patterns matching passwords, credit card numbers, and other sensitive data. This technique captures information that might only exist temporarily in memory during browser sessions, bypassing disk encryption and other security measures.

  • Form Grabbing and Web Injection

    By hooking into browser processes, infostealers can intercept data as it’s being entered into web forms before encryption or transmission. This approach captures credentials even when they aren’t stored locally, making it effective against security-conscious users who disable password saving features.

  • API Hooking and DLL Hijacking

    Infostealers often modify system functions through API hooking or DLL hijacking to intercept cryptographic operations, redirect network traffic, or capture authentication data as it’s processed by the operating system.
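The first technique above, reading the browser's own credential stores (Login Data, Web Data and Cookies for Chromium-based browsers, logins.json and cookies.sqlite for Firefox), is also the easiest to detect: only the browser that owns a profile has any business opening those files. The following is an added defensive example, not Gridinsoft's code. It runs over constructed EDR-style JSON file-access events and flags reads of a credential store by any process other than that browser; the event format, the process allowlists and the profile-directory markers are assumptions to tune for your environment.

```python
"""Flag processes other than the owning browser reading browser credential stores.
Added defensive example, not Gridinsoft's code. Event format is constructed EDR-style
JSON; the reader allowlists and profile markers are assumptions to tune."""
import json
from pathlib import PureWindowsPath

# Credential store files named in the post, grouped by the browser family that
# legitimately opens them. profile_marker is a path segment that must be present so
# that an unrelated file called "Cookies" elsewhere does not trigger an alert.
STORE_FAMILIES = {
    "chromium": {
        "files": {"login data", "web data", "cookies"},
        "profile_marker": "user data",
        "readers": {"chrome.exe", "msedge.exe"},   # assumed allowlist
    },
    "firefox": {
        "files": {"logins.json", "cookies.sqlite"},
        "profile_marker": "profiles",
        "readers": {"firefox.exe"},                # assumed allowlist
    },
}


def store_family(target_path):
    """Return the browser family whose credential store this path belongs to, or None."""
    path = PureWindowsPath(target_path)
    name = path.name.lower()
    segments = {seg.lower() for seg in path.parts}
    for family, spec in STORE_FAMILIES.items():
        if name in spec["files"] and spec["profile_marker"] in segments:
            return family
    return None


def is_suspicious(event):
    """True when a credential store is read by anything but its own browser."""
    family = store_family(event["target"])
    if family is None:
        return False
    reader = PureWindowsPath(event["process"]).name.lower()
    return reader not in STORE_FAMILIES[family]["readers"]


def find_alerts(json_lines):
    """Scan newline-delimited JSON file-access events; return (process, target) pairs."""
    alerts = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("op") != "file_read":
            continue
        if is_suspicious(event):
            alerts.append((PureWindowsPath(event["process"]).name, event["target"]))
    return alerts


# Constructed telemetry: two legitimate browser reads, two reads by foreign binaries,
# one file named Cookies outside any profile, and one write event that is ignored.
SAMPLE_EVENTS = r"""
{"ts": "2023-07-28T09:00:01Z", "op": "file_read", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-07-28T09:00:07Z", "op": "file_read", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_crack.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-07-28T09:00:09Z", "op": "file_read", "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k1x9.default-release\\logins.json"}
{"ts": "2023-07-28T09:00:12Z", "op": "file_read", "process": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k1x9.default-release\\cookies.sqlite"}
{"ts": "2023-07-28T09:00:15Z", "op": "file_read", "process": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\Cookies"}
{"ts": "2023-07-28T09:00:20Z", "op": "file_write", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_crack.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\ld.tmp"}
"""

if __name__ == "__main__":
    for process, target in find_alerts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {process} read {target}")
```

Because the rule keys on the store's owning browser rather than a fixed "bad process" list, it also catches one browser's binary (or anything impersonating it) reading another browser's profile.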

How to Protect Your System from Infostealers

Implementing these essential security practices will significantly reduce your risk of infostealer infections:

  • Keep Software Updated

    Infostealers frequently exploit known browser vulnerabilities and security flaws in operating systems. Install updates for your OS, browsers, and applications immediately when available to patch these vulnerabilities before they can be exploited.

  • Practice Safe Browsing Habits

    Exercise caution when opening email attachments or clicking links, especially from unknown sources. Infostealers commonly spread through malicious email attachments and compromised websites. Be particularly suspicious of emails that don’t address you by name or contain generic urgency messages. Always verify URLs before clicking and ensure you’re visiting legitimate websites.

  • Implement Multi-Factor Authentication

    Multi-factor authentication (MFA) provides critical protection against credential theft. Even if an infostealer successfully captures your passwords, MFA requires an additional verification method, significantly reducing the risk of account compromise. Whenever possible, use hardware security keys or authenticator apps rather than SMS-based verification.

  • Avoid Pirated Software

    Pirated software frequently contains malware, providing a revenue stream for the cracking groups distributing them. Use only legitimate applications from official sources. Today’s software ecosystem offers numerous free, freemium, and open-source alternatives for most applications, eliminating the need to risk using pirated software.

  • Use Dedicated Security Software

    Deploy comprehensive anti-malware protection that includes real-time monitoring and behavioral detection capabilities. GridinSoft Anti-Malware provides specialized detection for infostealers and other advanced threats, offering protection against even the newest variants through its heuristic analysis engine.

How to Detect and Remove Infostealers

If you suspect your system may be infected with an infostealer, look for these warning signs:

  • Unexpected browser performance issues or crashes
  • Modified browser settings or homepage changes
  • Unusual network activity, particularly during idle periods
  • Unexpected authentication prompts from websites you’ve previously logged into
  • Unauthorized account activity or transaction notifications
  • New, unfamiliar processes in Task Manager

Automatic Removal with GridinSoft Anti-Malware

For effective detection and removal of infostealers, we recommend using specialized anti-malware software. GridinSoft Anti-Malware is specifically designed to identify and eliminate sophisticated threats that traditional antivirus programs might miss.

[Image: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

[Image: Scan results screen]

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Image: Removal finished]

Post-Infection Security Measures

After removing an infostealer, take these additional steps to secure your digital identity:

  1. Change all passwords from a different, clean device
  2. Enable multi-factor authentication on all important accounts
  3. Monitor financial statements for unauthorized transactions
  4. Check login activity logs for your important online accounts
  5. Consider credit monitoring services if financial information may have been compromised

Frequently Asked Questions About Infostealers

How do I know if my computer is infected with an infostealer?

Common signs of infostealer infection include unexpected browser behavior, modified settings, unusual network activity, repeated authentication requests from websites, unauthorized account activities, and new unknown processes in Task Manager. However, modern infostealers are designed to operate discreetly, so regular security scans are recommended even without obvious symptoms.

What types of information do infostealers typically target?

Infostealers primarily target high-value data including saved browser passwords, banking credentials, credit card details, cryptocurrency wallet information, authentication cookies, email account credentials, personal documents, and system information. The most valuable targets are financial credentials and cryptocurrency wallets that can be immediately monetized.

Can antivirus software detect and remove infostealers?

While traditional antivirus programs can detect known infostealer signatures, modern variants use advanced evasion techniques that may bypass conventional security. Specialized anti-malware software like GridinSoft Anti-Malware employs behavioral analysis and heuristic detection to identify even new or modified infostealer variants that signature-based detection might miss.

What should I do if my passwords were stolen by an infostealer?

If you suspect your passwords have been compromised by an infostealer, immediately change all passwords using a different, clean device. Prioritize financial accounts, email, and other high-value services. Enable multi-factor authentication wherever possible, monitor account activity for unauthorized access, and consider using a password manager with strong encryption for future password management.

How do infostealers extract passwords from browsers?

Infostealers extract browser passwords through several methods: accessing browser database files where credentials are stored (like Chrome’s Login Data or Firefox’s logins.json), utilizing the browser’s built-in decryption functions to decrypt saved passwords, implementing memory scraping to capture credentials as they’re being processed, and using form grabbing techniques to intercept data before it’s encrypted and sent.

Conclusion

Infostealers represent one of the most significant threats to personal and financial security in today’s digital landscape. Their sophisticated data extraction capabilities and continuous evolution make them challenging adversaries. By understanding how these threats operate and implementing the recommended security practices, you can significantly reduce your risk of infection and data compromise.

Remember that security is an ongoing process, not a one-time implementation. Regular software updates, cautious online behavior, and periodic security scans are essential components of an effective defense strategy against infostealers and other digital threats.

Over 100k ChatGPT Accounts Are For Sale on the Darknet
https://gridinsoft.com/blogs/over-100k-chatgpt-accounts-compromised/
Thu, 22 Jun 2023 13:04:13 +0000

According to a new report, over the past year, over 100k ChatGPT users’ accounts have been compromised using malware to steal information. India was in first place for the number of hacked accounts.

ChatGPT in a Nutshell

Perhaps every active Internet user has at least heard of the chatbot from OpenAI. Is it worth mentioning that many use it for study or work? This bot can do a lot: for example, give advice, provide the recipe for your favorite dish, find an extra semicolon or comma in code, or even rewrite the code. Even this text was written by ChatGPT (joke). While some users use ChatGPT as a key generator for Windows, others embed it in their enterprise processes. The latter is most interesting to attackers, since ChatGPT saves the entire conversation history by default.

ChatGPT Accounts Are Compromised by Stealer Malware

According to a new report, 101,134 accounts were compromised by infostealer malware. Researchers found information-stealer logs containing these credentials being sold illegally on darknet marketplaces over the past year. Most of the accounts were stolen between June 2022 and May 2023. The epicenter was Asia-Pacific (40.5%), led by India (12,632 accounts), Pakistan (9,217 accounts), and Brazil (6,531 accounts). The Middle East and Africa came in second place with 2,925 accounts, followed by Europe in third place with 16,951 accounts. Next come Latin America with 12,314 accounts, North America with 4,737, and the CIS with 754 accounts. The affiliation of 454 compromised accounts is not specified.

Tools used for account compromise

As mentioned above, cybercriminals stole the information using a specific kind of malware: stealers. This malware is tuned to steal specific information. In this case, the attackers used Raccoon Stealer, which stole 78,348 accounts; Vidar, which stole 1,984 accounts; and RedLine Stealer, which stole 6,773 accounts. Although it is widely believed that the Raccoon group has declined, this did not prevent it from stealing the most accounts. This is probably because the malware is so widespread that it continues to function even after being blocked by more security-conscious organizations.

Causes

At first glance, it may seem more reasonable to steal banking data. However, there are several reasons for the high demand for ChatGPT accounts. First, the attackers are often located in countries where the chatbot does not work. Residents of countries such as Russia, Iran, and Afghanistan try to access the technology at least that way. Accounts with paid subscriptions are especially popular.

Second, as mentioned initially, many organizations use ChatGPT in their workflows. Besides the fact that employees often use it and may unknowingly enter sensitive information (this has happened, too), some businesses integrate ChatGPT into their workflow. For example, employees may maintain confidential correspondence or use the bot to optimize proprietary code. Because ChatGPT stores the history of user queries and AI responses, this information can be seen by anyone with access to the account. Such accounts are highly valued on the darknet, and many are willing to pay good money for them.

Security Recommendations

However, users can reduce the risks associated with compromised ChatGPT accounts. I recommend enabling two-factor authentication and updating your passwords regularly. 2FA will be a pain in the ass for attackers, denying them access to your account even if they know your username and password. Regular password changes are an effective tool against password leaks. Besides, you can disable the “Chat history & training” checkbox or manually clear conversations after each session.

[Image: How to disable Chat history & training]
Click on your email address, then Settings. Then follow the instructions in the screenshot.

Cybersecurity Experts Discovered a New Stealc Infostealer
https://gridinsoft.com/blogs/new-infostealer-stealc/
Wed, 22 Feb 2023 09:22:49 +0000


Sekoia experts report that a new infostealer, Stealc, has appeared on the darknet and is gaining popularity among criminals thanks to aggressive advertising and its similarity to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport and Raccoon Stealer malware spreads masked as Cloudflare warnings.

Information security specialists also reported that Raccoon malware steals data from 60 different applications.

Analysts first noticed advertisements for the new malware back in January, and in February it began to actively gain popularity.

On hacker forums and Telegram channels, Stealc is advertised by someone under the nickname Plymouth, who describes the malware as a “non-resident stealer with flexible settings and a convenient admin panel.”

[Image: Stealc advertisement]

In addition to the browser, extension and cryptocurrency wallet data that such malware usually targets (Stealc covers 22 browsers, 75 plugins and 25 desktop wallets), Stealc can also be configured to capture specific types of files that the malware operator wants to steal.

[Image: Configuration instructions for browser attacks]

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts noticed that Stealc, Vidar, Raccoon, and Mars have one thing in common: they all load legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to steal sensitive data. The researchers also say that the command-server communication of one of the new stealer's samples they analyzed is similar to that of Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

[Image: Malware development]

One of Stealc's distribution methods that researchers have already discovered is YouTube videos that describe how to install cracked software and contain links to download sites. The stealer is built into these programs; it starts working and contacts the control server once the installer is launched.

[Image: Site distributing the stealer]

According to the experts, customers with access to the Stealc administration panel can generate new stealer samples, which increases the chance of the malware leaking and becoming available to a wider audience in the future.
