ESET cybersecurity analysts have recently provided an in-depth analysis of the RedLine Stealer and its clone, Meta, following a major law enforcement operation. The operation, called Operation Magnus, was led by the Dutch National Police and involved international collaboration with agencies such as the FBI and the UK’s National Crime Agency.
Its goal was to disrupt the criminal infrastructure behind these two notorious malware strains. ESET played a key role in this effort, first alerting authorities about the malware’s infrastructure hosted in the Netherlands and contributing to earlier actions targeting the gang’s use of GitHub repositories.
The investigation revealed that RedLine and Meta were created by the same individual, Maxim Rudometov, who has been charged in the United States. ESET’s researchers conducted an extensive review of the malware’s source code and backend infrastructure, identifying over 1,000 unique IP addresses used to control the operation.
These IP addresses spanned the globe, with concentrations in countries such as Germany, Russia, and the Netherlands. The backend servers were similarly dispersed, with a significant portion located in Russia, the Czech Republic, and the UK.
At its core, RedLine Stealer was a form of “malware as a service” (MaaS), offering criminals a turnkey solution for stealing sensitive data. Its clients could access the malware through online forums or Telegram channels, purchasing either a monthly subscription or a lifetime license.
The malware enabled its users to harvest information such as cryptocurrency wallet details, credit card data, and login credentials for services like VPNs, Discord, Telegram, and Steam. The ease of use and customizability made it a popular tool for affiliates, who could integrate it into larger, more complex cybercriminal operations.
One of the main tactics employed by the RedLine operators was to disguise the malware as legitimate software. For example, it was distributed under the guise of free ChatGPT downloads in 2023 and as video game cheats in the first half of 2024.
This broad distribution strategy contributed to RedLine’s widespread use, making it one of the most notorious and commonly used infostealers at its peak. Despite the large number of affiliates using the malware, ESET’s analysis suggested that the operation was likely run by a small core group of individuals, with Maxim Rudometov at the helm.
Ultimately, Operation Magnus was a significant success in the battle against cybercrime, leading to the dismantling of the RedLine and Meta malware infrastructure. ESET’s contributions were critical in identifying key elements of the operation, including the IP addresses and servers used to control the malware.
The takedown not only disrupted a large-scale cybercriminal operation but also resulted in charges against Maxim Rudometov, marking an important step in holding cybercriminals accountable and preventing further harm from these malicious tools.