Malicious AI tool ads used to deliver Redline Stealer

Target Industry

As payloads are delivered from a trojan contained within malicious Google adverts, targeting is indiscriminate and opportunistic.


Malicious artificial intelligence (AI) tool advertisements have emerged as a highly effective method for threat actors to distribute the Redline Stealer malware. These malicious advertisements apply social engineering techniques to trick unsuspecting users into clicking and downloading the malicious file. The primary objective of these advertisements is to deliver the Redline Stealer malware to the victim’s system. This enables the theft of sensitive information and compromises the security of the individual or organisation.

Originally discovered in March 2020, Redline Stealer can gather login information from web browsers, cryptocurrency wallets, and applications using the info stealer variant’s customised file grabber.


Data Theft: Once Redline Stealer infiltrates a system, it gathers confidential data including login data, financial information, and personal details. This stolen information can be sold on the dark web, used for financial crime, corporate espionage, or identity theft.

System Compromise: Due to its modular design, Redline Stealer can download and execute additional malware variants, further compromising the infected system. This may lead to botnet enrolment, ransomware attacks, or unauthorised access.

Affected Products

  • Various operating systems (Windows, macOS and Linux)
  • Web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari)
  • Email clients (Microsoft Outlook and Mozilla Thunderbird)
  • Database systems (MySQL, Microsoft SQL Server, or Oracle Database)
  • Office suites
  • Financial software
  • Gaming platforms
  • Cloud services

Containment, Mitigations & Remediations

It is recommended that, upon the detection of compromised credentials, customers act promptly and issue password changes to affected users. If password changes cannot be implemented or the account is no longer in active use, it is recommended that the account is added to the ‘deny list’ so that it cannot be targeted in further attack campaigns. Moreover, the enforcement of multi-factor authentication (MFA) is strongly recommended, as this can prevent adverse system access even when credentials have been compromised.

Threat intelligence has also detected a lack of strong password security and the use of basic, easy-to-crack passwords by several industry sector employees, an example being that of ‘password1’. It is strongly recommended that customers follow the National Cyber Security Centre (NCSC) guidance of having passwords composed of three unrelated words and the incorporation of uppercase, lowercase, and symbol characters.

The following list contains a summary of the recommended mitigation steps to adhere to as a defence strategy against exploitation by Redline Stealer:

  • Use strict password management and least privilege access policies
  • Implement multi-factor authentication
  • Rotate all user passwords on a frequent basis (e.g. every 90 days)
  • Ensure that employees are trained to identify and report malicious content
  • Use application whitelisting to prevent the download of malicious content
  • Ensure that anti-virus signatures are up to date
  • Identify which systems, applications, and data lakes are mission-critical to your business and day-to-day operations
  • Implement frequent backups of crucial files and isolate them from local and open networks
  • Maintain offline backup copies of data stored in locations inaccessible from infected systems
  • Promptly patch software and applications and maintain awareness with regards to vulnerability advisories
  • Implement and practice a digital disaster recovery plan.

Indicators of Compromise

The following list of Indicators of Compromise (IoCs) relates to the distribution of the malware via malicious AI advertisement.

Redline Stealer associated file hashes (SHA256):

Redline Stealer associated URLs:

Threat Landscape

Typical motives for the implementation of information stealer malware, such as Redline, include the generation of financial income for the associated cyber threat actors. It is common for such malware variants to operate in the background of a target system to avoid detection.

In recent years, information-stealing malware has become a prevalent infection vector. More specifically, Redline is a ‘commodity’ information stealer and, as such, data harvested by these malware variants is often sold within illicit marketplaces, where other threat actors have the opportunity to purchase it. The acquisition of the credentials by threat actors will ultimately lead to further targeting, inevitably resulting in the implementation of additional attack vectors, such as ransomware.

Threat Group

A diverse range of cyber threat actors have adopted the use of the Redline Stealer malware. It has been detected being marketed and sold on several online criminal forums by a Russian-speaking cybercriminal by the name of “REDGlade”, also known as “Glade”.

MITRE Methodologies

Execution

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1059 – Command and Scripting Interpreter

T1059.001 – PowerShell

T1106 – Native API

T1129 – Shared Modules

Persistence

T1031 – Modify Existing Service

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1060 – Registry Run Keys / Startup Folder

Privilege Escalation

T1031 – Modify Existing Service

T1053 – Scheduled Task/Job

T1053.005 – Scheduled Task

T1060 – Registry Run Keys / Startup Folder

Defence Evasion

T1070 – Indicator Removal

T1089 – Disabling Security Tools

T1112 – Modify Registry

Credential Access

T1081 – Credentials in Files

Discovery

T1012 – Query Registry

T1057 – Process Discovery

T1082 – System Information Discovery

Collection

T1005 – Data from Local System

Command and Control

T1071 – Application Layer Protocol

T1071.001 – Web Protocols
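The persistence and execution locations named in the technique list above (T1060 Run keys and Startup folders, T1053.005 scheduled tasks, T1059.001 PowerShell) can be triaged on a Windows endpoint with the following script. It is an added example, not part of this bulletin or any vendor tooling; the path and command-line patterns it flags are illustrative assumptions chosen to surface entries for analyst review, not Redline-specific signatures.

```powershell
# Added triage example: enumerate autostart locations and scheduled-task actions,
# flagging entries that reference PowerShell obfuscation flags or user-writable
# paths. The heuristics below are assumptions for illustration only.

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
# Assumed review heuristic: PowerShell launched with encoded/hidden/bypass flags,
# or any binary started from a location a standard user can write to.
$suspicious = 'powershell.*(-enc|-e |hidden|bypass)|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

function Test-Suspicious([string]$cmd) { return [bool]($cmd -match $suspicious) }

$findings = @()
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
    if (Test-Suspicious $p.Value) {
      $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
  }
}
# Startup folders are rarely populated on managed hosts, so every file is listed.
foreach ($dir in $startupDirs) {
  if (-not (Test-Path $dir)) { continue }
  Get-ChildItem -Path $dir -File | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
  }
}
# Scheduled tasks: inspect each action's executable and arguments, not just the task name.
Get-ScheduledTask | ForEach-Object {
  $task = $_
  foreach ($a in $task.Actions) {
    $cmd = "$($a.Execute) $($a.Arguments)"
    if (Test-Suspicious $cmd) {
      $findings += [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
    }
  }
}
$findings | Format-Table -AutoSize
```

Run it from an elevated session so HKLM keys and all task folders are readable; review each finding against the host's known software rather than treating the list as confirmed compromise.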

Further Information

Malicious AI Tool Ads Used to Deliver Redline Stealer (trendmicro.com)

CyberGate, RedLine Part of AutoIt Malware Campaign | Zscaler

Intelligence Terminology Yardstick