
Following an international law enforcement takedown of the RedLine Stealer malware-as-a-service (MaaS) operation in October 2024, ESET researchers have published a technical analysis of the infostealer’s backend infrastructure. The research shows how RedLine operated as a turnkey cybercrime solution. Key findings include Operation Magnus, which dismantled three Dutch servers, seized domains, and resulted in arrests; over 1,000 unique IP addresses hosting RedLine control panels globally; and the 2024 version’s migration from Windows Communication Foundation (WCF) to a REST API architecture.
Technical Breakdown of RedLine’s Backend Systems
The ESET research team obtained multiple backend modules after collaborating with law enforcement agencies during the 2023 investigation. These components reveal how the MaaS operation functioned at scale. The 2023 backend consisted of two primary .NET modules: RedLine.Nodes.DbController, which managed affiliate authentication and advertisement data, and RedLine.Nodes.LoadBalancer, which handled sample generation on port 8778.
The 2024 version consolidated functionality into a single Nodes.Api module that implemented a REST API architecture with endpoints for affiliate authentication, malware sample generation, and license management. This migration from WCF to REST APIs shows these operators were adapting to modern infrastructure trends, making detection more challenging for security teams.
Authentication and Infrastructure Analysis
RedLine employed multiple authentication schemes across versions. In 2023 it used GitHub dead-drop resolvers that relied on AES-CBC with a static key and IV, which ESET disrupted by having GitHub remove the repositories. The operation then temporarily switched to Pastebin as a fallback before the final 2024 version used static URLs on infrastructure shared between RedLine and META Stealer.
ESET’s telemetry revealed the geographic distribution of RedLine’s operational infrastructure, with control panel hosting spread across Russia, Germany, and the Netherlands (about 20% each), and Finland and the United States (about 10% each). Backend servers were primarily located in Russia (33%), with the UK, Netherlands, and Czech Republic hosting about 15% each.
The RedLine-META Stealer Connection
Forensic analysis confirmed RedLine and META Stealer share an identical codebase, with string replacements from “RedLine” to “Meta” in META variants and the same commented-out code segments. Both stealers used certificates issued to AMCERT, LLC with the same Sectigo-issued signing credentials, and shared the Nodes.Api module backend with identical REST API endpoints serving both operations.
This connection demonstrates how malware developers often rebrand or fork their creations to evade detection while maintaining the same underlying infrastructure and functionality. The shared components provide defenders with additional indicators to detect both variants through certificate monitoring and API endpoint analysis.
Detection and Mitigation Strategies
For security teams, key detection opportunities include monitoring for WCF traffic on port 8778 (used by the legacy 2023 backend), flagging executables signed with AMCERT, LLC certificates, and detecting Protobuf-encoded data in unusual file locations. System administrators should revoke any certificates matching the thumbprints documented in the research and implement certificate pinning for critical services.
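As an added illustration (not ESET's or RedLine's code), the following toy detection pass applies two of the indicators listed above to constructed endpoint and network telemetry: outbound TCP traffic to the legacy WCF port 8778 and binaries whose signer is "AMCERT, LLC". The event schema, sample addresses and thumbprint values are assumptions; the real thumbprints are not reproduced on this page, so the blocklist holds a placeholder.

```python
"""Toy detection logic for the RedLine indicators discussed above.
Constructed sample telemetry; field names are an assumed schema, not a real product's."""
from dataclasses import dataclass

# Placeholder: the research documents certificate thumbprints, but this page does not list them.
BLOCKED_THUMBPRINTS = {"PLACEHOLDER_THUMBPRINT_FROM_ESET_REPORT"}
SUSPECT_SIGNER = "AMCERT, LLC"   # signer name shared by RedLine and META Stealer builds
LEGACY_WCF_PORT = 8778           # RedLine.Nodes.LoadBalancer port in the 2023 backend


@dataclass
class Finding:
    rule: str
    event: dict


def _norm_signer(name: str) -> str:
    # Normalise case and whitespace so "AMCERT,  LLC" and "amcert, llc" compare equal.
    return " ".join(name.lower().replace(",", ", ").split())


def check_event(event: dict) -> list[Finding]:
    """Return the rules an event matches (empty list when it is clean)."""
    findings: list[Finding] = []
    kind = event.get("type")
    if kind == "network" and event.get("proto") == "tcp" and event.get("dst_port") == LEGACY_WCF_PORT:
        findings.append(Finding("redline_legacy_wcf_port", event))
    elif kind == "process_create":
        if _norm_signer(event.get("signer", "")) == _norm_signer(SUSPECT_SIGNER):
            findings.append(Finding("amcert_signed_binary", event))
        if event.get("thumbprint", "").upper() in BLOCKED_THUMBPRINTS:
            findings.append(Finding("blocked_cert_thumbprint", event))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in check_event(e)]


# Constructed sample telemetry: addresses, paths and thumbprints are made up.
SAMPLE_EVENTS = [
    {"type": "network", "proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7", "dst_port": 8778, "process": "update.exe"},
    {"type": "network", "proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.9", "dst_port": 443, "process": "chrome.exe"},
    {"type": "process_create", "image": r"C:\Users\a\AppData\Local\Temp\setup.exe", "signer": "AMCERT,  LLC", "thumbprint": "AA11"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "thumbprint": "BB22"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.rule, f.event.get("process") or f.event.get("image"))
```

Port 8778 alone is a weak signal on a busy network; in practice pair the port hit with the process and signer context before raising an alert.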
The takedown of RedLine Stealer represents a significant disruption to the infostealer MaaS ecosystem, but organizations should remain vigilant for copycat operations using similar architectures. By understanding the technical details of these backend systems, defenders can better prepare to detect and mitigate future threats in this evolving landscape.