RedLine Stealer fake NFT mystery box bot|Screen-Shot-2022-05-12-at-2.50.06-PM

Password stealer now spreading from a GitHub link that uses NFT content as bait

Researchers have discovered a fresh campaign to spread the RedLine Stealer — a low-cost password stealer sold on underground forums — through a series of YouTube videos that take advantage of the global interest in NFTs.

The lure is the offer of a bot allowing a user to automatically buy Binance NFT Mystery Boxes when they become available. The bot is fake, though. The video descriptions on the YouTube pages lead victims to unwittingly download RedLine Stealer from a GitHub link, according to Gustavo Palazolo, a malware analyst with Netskope Threat Labs.

“RedLine Stealer was already known for abusing YouTube videos to spread through fake themes, however, we saw in this campaign that the attacker is also abusing GitHub in the attack flow, to host the payloads," Palazolo said. Netskope discovered the campaign in April.

“Although RedLine Stealer is a low-cost malware, it offers many capabilities that could cause serious damage to its victims, such as the loss of sensitive data,” Palazolo said. 

The NFT hook is simple: Binance issues the Mystery Boxes in limited supply, for relatively low cost, but they can contain digital assets worth more than the purchase price.

The videos are hosted on a YouTube channel under the name “Andrés Jiménez,” who has nearly 400 subscribers.

Four of the videos are still up on YouTube. Google, YouTube’s parent company, did not respond to requests for comment.


A screenshot of the YouTube page with the malicious links.

All of the YouTube videos include a link to the same GitHub URL that leads to a file named “BinanceNFT.bot v.1.3.zip.”

When Palazolo decompressed the zip file, he found the packed RedLine sample (“BinanceNFT.bot v.1.3.exe”) and a Microsoft Visual C++ Redistributable installer (“VC_redist.x86.exe”).

“The 'README.txt' file contains the instructions that should be followed to run the fake NFT bot, including installing the Microsoft Visual C++. This is probably needed as RedLine is developed in .NET and it is also unpacked and injected into an executable from this framework,” Palazolo explained. 

The malware does not execute, Palazolo said, if the infected computer is detected in any of these countries:

  • Armenia
  • Azerbaijan
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Ukraine
  • Uzbekistan

Palazolo noted that the GitHub account that owns the repository — “NFTSupp” — started working in March 2022. 

The same repository holds 15 additional compressed files which had five distinct RedLine Stealer loaders. 

“All five loaders we analyzed are slightly different, but they all unpack and inject RedLine Stealer in a similar way, as we described earlier in this analysis. The oldest sample we found was likely compiled on March 11, 2022 and the newest one on April 7, 2022,” he said. 

“Furthermore, two out of five files are digitally signed, which may bypass some antivirus engines. The first one seems to be using a signature from ‘NordVPN S.A.’”

In a report released two weeks ago, Bitdefender said that at the start of the year, it noticed a campaign using exploits found in Internet Explorer — specifically CVE-2021-26411 — to deliver the RedLine Stealer. 

Hackers deploying the malware launched thousands of attacks against systems in more than 150 countries and territories in April. 

RedLine allows attackers to gain access to system information like usernames, hardware, browsers installed, and anti-virus software before then exfiltrating passwords, credit cards, crypto wallets and VPN logins to a remote command and control server.

With the RedLine Stealer, hackers have the ability to extract login credentials from web browsers, FTP clients, email apps, instant messaging clients and VPNs before selling them on underground markets.

Bogdan Botezatu, director of threat research at Bitdefender, told The Record that the company identified more than 10,000 attacks involving the RedLine malware in April alone.

Recorded Future’s cybersecurity research arm Insikt Group discovered in October that the vast majority of stolen credentials currently sold on two dark web underground markets were collected using the RedLine Stealer malware.

Recorded Future analyst and product manager Dmitry Smilyanets corroborated Bitdefender’s findings and added that the real number of compromised hosts is much higher.

“Based on the dataset from the past six weeks we can state that Brazil, Indonesia, India, and the US were the primary targets,” Smilyanets said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.