New Redline Stealer Variant Uses Lua Bytecode to Stay Stealthy

Redline Stealer is a potent information-stealing malware family. Threat actors favour it because it gives them unauthorised access to a victim's sensitive data.

Because it harvests a large volume of sensitive and valuable data, the stolen information can later be monetised or used for other malicious purposes.

McAfee researchers have identified a new variant of Redline Stealer. What sets this variant apart is that it ships its logic as Lua bytecode, which helps it stay under the radar.

Redline Stealer Variant

McAfee telemetry shows the malware being distributed across North and South America, Europe, Asia, and Australia.

McAfee WebAdvisor blocked the malicious file "Cheat.Lab.2.7.2.zip", which was hosted under Microsoft's official vcpkg GitHub repository. The /files/ path in the IoC URL shows it was uploaded as an attachment to the repository, not committed to the project's source.

The zip contains an MSI installer, which drops a modified Lua runtime (compiler.exe and lua51.dll) together with a file named readme.txt. Despite the name, readme.txt is not documentation but compiled Lua bytecode that the runtime executes.

Shipping the logic as bytecode improves stealth and evasion: malicious strings are not visible in clear text, and the sample avoids easily recognised script hosts such as wscript or PowerShell.

Persistence relies on scheduled tasks with fallback mechanisms, and execution abuses LOLBins from the system32 directory, all of which is visible in the resulting process tree.

ErrorHandler.cmd runs at system start. It launches cmd.exe to execute a batch script, which in turn calls NzUw.exe, a component that queries an IP-lookup API.

The INetCache directory on disk holds JSON objects: the responses received from ip-api.com before the malware connects to its C2.

For example, the HTTP exchange with the C2 carries the task ID OTMsOTYs (base64 for "93,96,") for a screen-capture task.

The resulting screen.bmp is sent, base64-encoded, to the threat actor's server. The sample has been classified as part of the Redline family and is flagged as malicious by multiple antivirus engines.

Decompiling the Lua bytecode reveals encrypted string constants, the loop that decrypts them at run time, and decrypted strings such as "Tamper Detected".

To isolate the Lua instance, the host creates a fresh Lua state before loading the LuaJIT bytecode.

It then opens the debug, io, math, and FFI libraries and loads the bytecode from the file with luaL_loadfile.
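The two tells described above, a Lua runtime DLL shipped next to a "text" file that is really bytecode, can be checked mechanically. The following triage script is an added example and not McAfee's or the malware's code. It recognises the LuaJIT dump header (ESC "LJ" plus a version byte, then a ULEB128 flags field whose bits mark big-endian, stripped, and FFI-using dumps) and the PUC Lua header (ESC "Lua" plus a version byte), and it flags any archive that pairs lua51.dll with bytecode hiding under a non-Lua filename. The sample zip and the bytecode inside it are constructed stand-ins that mimic the file names from the IoCs; the member "notes.txt" is a hypothetical benign file.

```python
"""Triage helper: spot Lua/LuaJIT bytecode hiding in files with innocent names."""
import io
import zipfile

LUAJIT_MAGIC = b"\x1bLJ"    # LuaJIT 2.x dump header: ESC 'L' 'J' <version byte>
PUC_LUA_MAGIC = b"\x1bLua"  # PUC Lua 5.x bytecode: ESC 'L' 'u' 'a' <version byte>

# LuaJIT dump flags (BCDUMP_F_* in lj_bcdump.h); 0x08 only exists in 2.1.
LUAJIT_FLAG_NAMES = {0x01: "big-endian", 0x02: "stripped", 0x04: "uses-ffi", 0x08: "fr2"}
LUAJIT_VERSIONS = {1: "2.0", 2: "2.1"}
LUA_EXTENSIONS = (".lua", ".luac", ".ljbc")


def read_uleb128(data: bytes, pos: int):
    """Decode an unsigned LEB128 integer at data[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7


def identify_lua_bytecode(blob: bytes):
    """Return a dict describing a Lua bytecode header, or None for anything else."""
    if blob.startswith(LUAJIT_MAGIC) and len(blob) >= 5:
        version = blob[3]
        flags, pos = read_uleb128(blob, 4)
        info = {
            "format": "luajit",
            "version": LUAJIT_VERSIONS.get(version, "unknown"),
            "flags": [name for bit, name in LUAJIT_FLAG_NAMES.items() if flags & bit],
        }
        if not flags & 0x02:  # the chunk name is present only in unstripped dumps
            name_len, pos = read_uleb128(blob, pos)
            info["chunkname"] = blob[pos:pos + name_len].decode("utf-8", "replace")
        return info
    if blob.startswith(PUC_LUA_MAGIC) and len(blob) >= 5:
        return {"format": "lua", "version": f"{blob[4] >> 4}.{blob[4] & 0x0F}"}
    return None


def triage_zip(zip_bytes: bytes):
    """Flag a Lua runtime DLL shipped beside non-Lua-named members that hold bytecode."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        has_lua_runtime = any(n.lower().rsplit("/", 1)[-1] == "lua51.dll" for n in names)
        hidden = []
        for name in names:
            if name.endswith("/"):  # skip directory entries
                continue
            info = identify_lua_bytecode(zf.read(name)[:64])  # header is enough
            if info and not name.lower().endswith(LUA_EXTENSIONS):
                hidden.append((name, info))
    return {
        "lua_runtime_dll": has_lua_runtime,
        "bytecode_in_non_lua_files": hidden,
        "suspicious": has_lua_runtime and bool(hidden),
    }


# Constructed sample (not the real malware): a stripped LuaJIT 2.1 dump with the
# FFI flag set, packed as readme.txt beside placeholder compiler.exe and lua51.dll.
SAMPLE_BYTECODE = LUAJIT_MAGIC + b"\x02" + bytes([0x02 | 0x04]) + b"\x00" * 16


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("compiler.exe", b"MZ" + b"\x00" * 62)  # placeholder PE stub
        zf.writestr("lua51.dll", b"MZ" + b"\x00" * 62)     # placeholder PE stub
        zf.writestr("readme.txt", SAMPLE_BYTECODE)          # bytecode under a .txt name
        zf.writestr("notes.txt", b"Cheat Lab instructions\n")  # ordinary text, stays quiet
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The "uses-ffi" flag is worth keying on: a stripped dump that still asks for the FFI library is exactly the profile of a script that plans to call Windows APIs directly rather than through an obvious script host.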

The script starts by defining its variables and then uses FFI to reach Windows API functions directly: it creates a mutex, loads DLLs at run time, and collects system information to submit to the C2 server.

IoCs

  • Cheat.Lab.2.7.2.zip: 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
  • Cheat.Lab.2.7.2.zip: hxxps://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
  • lua51.dll: 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
  • readme.txt: 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
  • compiler.exe: dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
  • Redline C2: 213[.]248[.]43[.]58
  • Trojanised GitHub repository (second sample): hxxps://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip