
The U.S. Department of State has escalated its efforts to combat state-sponsored cyber threats by offering a $10 million reward for information leading to the identification of hackers associated with the RedLine infostealer malware. The announcement specifically names Russian national Maxim Alexandrovich Rudometov as a suspected creator of the malware [1]. This move aligns with recent FBI and CISA advisories highlighting the growing sophistication of state-aligned cyber operations, including IoT-focused campaigns like HiatusRAT [2].
RedLine Malware and State-Sponsored Connections
RedLine, first identified in 2020, is a commodity malware often repurposed by both cybercriminals and state actors. Recent intelligence suggests its integration into broader campaigns targeting critical infrastructure. The malware specializes in credential theft from browsers, VPN clients, and cryptocurrency wallets. According to FBI IC3 reports, RedLine has been distributed via phishing kits and exploit-as-a-service platforms, with infrastructure overlaps observed in APT29 (Cozy Bear) operations [1].
The $10M bounty coincides with Lumen Technologies’ disclosure of HiatusRAT, a Chinese-linked campaign exploiting IoT devices (CVE-2021-36260, CVE-2017-7921) to create proxy networks [3]. Both campaigns demonstrate the blurred lines between criminal and nation-state activities, with brute-forcing tools such as Medusa being commoditized across threat groups [2].
Technical Analysis of Related Threats
Parallel developments in the IoT threat landscape involve the tooling HiatusRAT operators use:
- Ingram: automated scanning for vulnerable Hikvision/Xiongmai devices
- Medusa: brute-force attacks against Telnet/HTTP ports (FBI-provided command below)

```shell
medusa -h <target_IP> -U /path/to/users.txt -P /path/to/passwords.txt -M http -m DIR:/login.php
```
MITRE ATT&CK techniques observed include T1190 (Exploit Public-Facing Application) and T1133 (External Remote Services) for persistence [4]. The malware’s SOCKS5 proxy functionality mirrors tactics seen in VPNFilter, a Russian-state attributed operation.
Mitigation Strategies
CISA’s updated KEV catalog now includes critical IoT vulnerabilities exploited by HiatusRAT [5]. Recommended actions:

| Vector | Action | Reference |
|---|---|---|
| RedLine distribution | Block IOCs from FBI Flash Alert FL-2025-0428 | IC3 |
| HiatusRAT CVEs | Patch CVE-2021-36260; disable Telnet/HTTP | CISA KEV |
Network segmentation and MFA enforcement for IoT management interfaces are critical, particularly for energy sector organizations using solar monitoring systems [6].
Conclusion
The reward offer signals increased U.S. focus on attribution of state-aligned cyber operations. The technical overlap between RedLine and IoT botnets like HiatusRAT suggests evolving collaboration between criminal and nation-state actors. Organizations should prioritize:
- Patch management for IoT devices
- Network traffic analysis for SOCKS5 proxy anomalies
- Threat intelligence sharing via ISAOs
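The SOCKS5 proxy behaviour attributed to HiatusRAT above, and the "SOCKS5 proxy anomalies" the conclusion recommends hunting for, can be checked directly in captured traffic. The following is an added example, not code from the article or from any cited advisory: it parses the first payload in each direction of a flow and flags hosts in an assumed IoT management subnet that complete a SOCKS5 method negotiation as the server, on any port. The subnet, flow records and payload bytes are constructed sample data.

```python
# Added example: detect IoT hosts acting as SOCKS5 proxy servers (RFC 1928 handshake).
# IOT_MGMT_NET and SAMPLE_FLOWS are constructed assumptions, not values from the article.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_MGMT_NET = ip_network("10.20.0.0/24")   # assumed camera/DVR management subnet
SOCKS_VERSION = 0x05
NO_ACCEPTABLE_METHOD = 0xFF

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    c2s: bytes   # first client-to-server payload
    s2c: bytes   # first server-to-client payload

def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=5, NMETHODS, then exactly NMETHODS method bytes."""
    return len(data) >= 2 and data[0] == SOCKS_VERSION and len(data) == 2 + data[1]

def is_socks5_method_select(data: bytes) -> bool:
    """Server reply: VER=5 plus the chosen method; 0xFF means the server refused."""
    return len(data) == 2 and data[0] == SOCKS_VERSION and data[1] != NO_ACCEPTABLE_METHOD

def socks5_proxy_flows(flows):
    """Flows where an IoT-subnet host completes a SOCKS5 handshake as the *server*.
    The port is deliberately ignored: a compromised device need not listen on 1080."""
    hits = []
    for f in flows:
        if ip_address(f.dst) not in IOT_MGMT_NET:
            continue
        if is_socks5_greeting(f.c2s) and is_socks5_method_select(f.s2c):
            hits.append(f)
    return hits

SAMPLE_FLOWS = [  # constructed sample data
    Flow("203.0.113.7", "10.20.0.15", 8181, b"\x05\x01\x00", b"\x05\x00"),      # proxy on a DVR
    Flow("10.20.0.15", "10.20.0.1", 80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("203.0.113.9", "10.20.0.22", 1080, b"\x05\x01\x00", b"\x05\xff"),      # refused
    Flow("203.0.113.9", "192.168.5.5", 1080, b"\x05\x02\x00\x02", b"\x05\x02"), # not IoT subnet
]

if __name__ == "__main__":
    for f in socks5_proxy_flows(SAMPLE_FLOWS):
        print(f"ALERT: SOCKS5 proxy answering on IoT host {f.dst}:{f.dport} from {f.src}")
```

Feeding real flows requires only the first payload of each direction, which most NSM tools (Zeek, Suricata) can export per connection.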
Future advisories are expected to address the AMOS macOS stealer and LockBit 4.0’s resurgence, both flagged as emerging 2025 threats [7].
References
1. “Reward Offer for Information on RedLine Malware Actors,” U.S. Department of State, 2025. [Online]. Available: https://www.state.gov
2. “HiatusRAT IoT Botnet Advisory,” FBI IC3, Alert CSA 24-1216, 2024. [Online]. Available: https://www.ic3.gov/CSA/2024/241216.pdf
3. “Chinese IoT Exploits via HiatusRAT,” Lumen Technologies, 2025. [Online]. Available: https://www.lumen.com
4. MITRE ATT&CK Framework, Technique T1190. [Online]. Available: https://attack.mitre.org
5. CISA Known Exploited Vulnerabilities Catalog. [Online]. Available: https://www.cisa.gov
6. “Solar Power Grid Vulnerabilities,” Forescout Vedere Labs, 2025. [Online]. Available: https://www.forescout.com
7. “LockBit 4.0 Resurgence,” Europol, 2025. [Online]. Available: https://www.europol.europa.eu