The well-known password stealer RedLine is spreading again via YouTube videos

Researchers at Netskope Threat Labs have uncovered a new campaign spreading RedLine Stealer, a cheap password-stealing tool sold on hacker forums. The malware is being distributed through several YouTube videos that exploit global interest in NFTs.

The bait is an offer of a bot that lets the user automatically purchase Binance NFT Mystery Boxes as soon as they become available. However, the bot is fake. The descriptions of these YouTube videos contain a GitHub link from which victims unknowingly download RedLine Stealer, Netskope Threat Labs warned.

RedLine Stealer is already known for abusing YouTube videos for distribution, and now GitHub is also being misused.

Netskope uncovered the campaign in April.

“Although RedLine Stealer is a cheap malware, it offers many opportunities that can cause serious harm to its victims, such as the loss of sensitive data,” said Gustavo Palacolo, a malware analyst at Netskope.

The NFT bait is simple: Binance releases Mystery Boxes as a limited offer at a relatively low price, but they may contain digital assets worth more than the purchase price.

The videos are hosted on a YouTube channel named “Andres Jimenez”, which has about 400 subscribers. All of the videos link to the same GitHub URL, which leads to a file called “”.

When Palacolo opened the zip file, he found the packed RedLine sample (“ v.1.3.exe”) and the Microsoft Visual C++ Redistributable installer (“VC_redist.k86.exe”).

The malware will not run if the infected computer is located in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine or Uzbekistan.

Palacolo says that the GitHub account that owns the “NFTSupp” repository became active in March 2022. The same repository contains 15 additional compressed files holding five slightly different RedLine Stealer samples.

RedLine gives attackers access to system information such as usernames, hardware, installed web browsers and antivirus software, before retrieving passwords, credit card information, crypto wallets and VPN logins from the system.

With RedLine Stealer, attackers can extract login information from web browsers, FTP clients, email apps, messaging apps and VPNs, which they can then sell on the black market.

The vast majority of stolen passwords currently sold on two underground dark web markets were collected using RedLine Stealer malware.
