The US State Department has announced a reward of up to $10 million for information leading to the identification or location of Maxim Alexandrovich Rudometov, the alleged developer and administrator of the notorious RedLine infostealer malware.
This action, under the Rewards for Justice program, specifically targets individuals acting under the direction of foreign governments who participate in cyberattacks against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
Technical Anatomy of a Global Infostealer
RedLine, first observed in early 2020, rapidly became one of the most prevalent information-stealing malware families worldwide.
Written in .NET, RedLine is distributed through a Malware-as-a-Service (MaaS) model, allowing affiliates to purchase licenses and launch their campaigns.
The malware is sold on underground forums and Telegram channels, often for as little as $100-$150 per license.
Core Technical Features:
- Configuration and C2 Communication:
RedLine embeds its configuration (including C2 server addresses and botnet IDs) in Base64, with an additional XOR encryption layer. On execution, it decrypts this configuration to establish a connection with its command-and-control (C2) server. If the C2 is unreachable, RedLine halts execution, serving as an anti-sandbox technique.

```csharp
// Pseudocode for decrypting the embedded configuration
string base64Config = GetEmbeddedConfig();           // encoded blob stored inside the binary
byte[] xorDecoded = XOR(base64Config, "Reshipment"); // strip the XOR layer with the hard-coded key
string finalConfig = Base64Decode(xorDecoded);       // recover the plaintext C2 addresses and botnet ID
```
- Host Profiling:
Leveraging Windows Management Instrumentation (WMI), RedLine collects extensive host data: hardware ID, OS version, installed software, running processes, security products, geolocation, and more. This information guides further malicious actions and helps evade detection.

```csharp
using System;
using System.Management;

// Query installed AV products registered with Windows Security Center.
// AntivirusProduct lives in root\SecurityCenter2, not the default root\cimv2 scope.
var searcher = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntivirusProduct");
foreach (ManagementObject obj in searcher.Get())
{
    Console.WriteLine(obj["displayName"]);
}
```
- Data Exfiltration:
RedLine targets a wide array of sensitive data:
  - Browser credentials, cookies, autofill data, and credit card info
  - Cryptocurrency wallet keys (e.g., Armory, Exodus, Ethereum)
  - VPN credentials (NordVPN, ProtonVPN, OpenVPN)
  - Gaming (Steam), messaging (Discord, Telegram), and FTP (FileZilla) credentials
  - Arbitrary files from directories like Program Files and Windows
It can also capture screenshots via the .NET CopyFromScreen function, further expanding its surveillance capabilities.
- Remote Execution and Persistence:
Beyond stealing data, RedLine can download and execute additional payloads, open URLs, and run remote commands via cmd.exe, effectively acting as a remote access trojan (RAT).
- Anti-Analysis Measures:
RedLine checks the system language and geolocation, often avoiding execution in countries of the former Soviet Union. It also employs encoded strings (Windows-1251) and anti-sandbox logic to evade detection.
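The configuration scheme described under "Configuration and C2 Communication" (Base64 wrapping an XOR layer keyed with "Reshipment") is what an analyst's config extractor has to undo. The following is an added example written for this article, not code from RedLine or from the article itself; it assumes an outer Base64 layer as the transport encoding for the raw XOR output, uses a constructed, non-real sample config, and treats "|" as the C2 separator purely as an assumption.

```python
import base64
import re
from typing import Optional

XOR_KEY = b"Reshipment"  # key quoted in the article's pseudocode

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_config(blob: str, key: bytes = XOR_KEY) -> Optional[str]:
    """Undo the layers: outer Base64 (assumed transport encoding for the
    binary XOR output), the XOR layer, then the inner Base64 around the
    plaintext. Returns None when any layer is malformed (wrong key, junk)."""
    try:
        outer = base64.b64decode(blob, validate=True)
        inner = xor_cycle(outer, key)
        return base64.b64decode(inner, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def encrypt_config(plain: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decrypt_config; used here only to build the constructed sample."""
    inner = base64.b64encode(plain.encode("utf-8"))
    return base64.b64encode(xor_cycle(inner, key)).decode("ascii")

# host:port, either dotted IPv4 or a hostname (assumed C2 field layout)
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+):(\d{1,5})$")

def extract_c2(config: str) -> list:
    """Return the host:port fields of a decrypted config; '|' as separator is an assumption."""
    return [f for f in config.split("|") if C2_RE.match(f)]

# Constructed sample using documentation/reserved names; NOT a real RedLine indicator.
SAMPLE_PLAIN = "192.0.2.10:4444|example.invalid:8080|build_test"
SAMPLE_BLOB = encrypt_config(SAMPLE_PLAIN)

if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_BLOB)
    print("decrypted:", cfg)
    print("C2 candidates:", extract_c2(cfg or ""))
    print("junk rejected:", decrypt_config("not base64!!") is None)
```

Feeding the extractor a blob pulled from a sample lets a responder recover C2 endpoints for blocking and detection without running the malware.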
Global Impact and Law Enforcement Response
RedLine has been linked to the theft of billions of credentials and cookies, with its logs frequently sold on the dark web and Telegram marketplaces.
The malware was instrumental in several high-profile breaches, including attacks on cloud database providers and critical infrastructure targets.
In October 2024, Operation Magnus—a joint action involving US, Dutch, Belgian, UK, Portuguese, and Australian authorities—disrupted RedLine’s infrastructure, seizing servers, web domains, and Telegram channels used for sales and support.
Two affiliates were arrested in Belgium, while investigators gained access to RedLine’s source code and licensing systems.
However, Rudometov, who fled Ukraine for Krasnodar, Russia, in 2022, remains at large.
The US government urges anyone with information on Rudometov, his associates, or state-sponsored use of RedLine to submit tips via a Tor-based reporting channel.
The $10 million reward underscores the severity of the threat posed by RedLine and the global effort to dismantle its operations.