A magnanimous feat of “Operation Magnus” that took down one of the biggest infostealer operations around the globe is perhaps being able to track down the alleged handler of the RedLine infostealer operation.
While the Dutch police took down three servers and its Belgian counterparts seized several communication channels linked to the Redline and Meta infostealers, the U.S. Department of Justice on Monday unsealed charges against perhaps one of the main handlers of the stealers operations.
According to the charges of the Justice Department, Maxim Rudometov, is one of the developers and administrators of RedLine Infostealer. The complaint said that Rudometov regularly accessed and managed the infrastructure of RedLine Infostealer.
Rudometov has several cryptocurrency accounts linked to him and used them to receive and launder payments received from customer of the RedLine infostealer. The stealer malware was sold to customers for a mere $100-$150 rental model popularly known as Malware-as-a-Service.
Rudometov has been charged on multiple counts including access device fraud, conspiracy to commit computer intrusion, and money laundering. If convicted on all counts, Rudometov faces a maximum penalty of 35 years in prison.
About Operation Magnus
The DOJ, in collaboration with the FBI, the Netherlands, Belgium, and Europol, led the effort through the Joint Cybercrime Action Taskforce (JCAT), targeting RedLine and META’s command-and-control networks.
Operation Magnus, as it’s called, resulted in the seizure of crucial assets, including servers, domains, and Telegram accounts used by the infostealers’ operators. By disrupting this network, officials believe they’ve delivered a significant blow to a top malware-as-a-service (MaaS) operation that has preyed on organizations and individuals across the globe.
Also Read: Operation Magnus Takes Down RedLine and Meta Infostealers
Why RedLine and META Stand Out
RedLine and Meta operate through a MaaS model, allowing cybercriminals to license the malware and independently run campaigns to infect victims. Unlike traditional malware, this decentralized approach has made RedLine and Meta highly adaptable and widely distributed.
RedLine and Meta infiltrate systems stealthily, using malware loaders that first install and then deploy the infostealer or additional malicious software. These loaders commonly spread through cracked software, illegal downloads, and fake updates. Phishing emails, malvertising, and unpatched software vulnerabilities also play a role.
Once active, these infostealers check if they’ve recently been on the system by placing unique markers. RedLine, for instance, creates a folder in “%LOCALAPPDATA%MicrosoftWindows” using a Cyrillic “o” in “Windows.” Meta marks its presence with a folder in “%LOCALAPPDATA%SystemCache.” By verifying these markers and their timestamps, the malware determines if re-infection is needed.
Once downloaded, these infostealers hunt for valuable information on the infected system. The goal? Extracting sensitive data such as usernames, passwords, banking details, cryptocurrency accounts, and session cookies that bypass multi-factor authentication (MFA) security protocols.
These “logs” of stolen data are sold on cybercrime forums, giving hackers a lucrative trove to exploit further. Security experts note RedLine’s notoriety due to its ability to infiltrate even the most secure corporate networks, raising alarms across industries.
Tactical Wins and Ongoing Investigation
Law enforcement’s tactics involved targeted seizures of domains and servers, halting RedLine and META’s access to infected devices. By seizing Telegram channels used for customer support and updates, officials disrupted the malware’s operational lifeline and hindered its spread. This seizure marks a high-impact move against threat actors relying on popular platforms to communicate and coordinate.
But despite these successes, investigators acknowledge that this operation only scratches the surface. Officials estimate millions of credentials, credit card numbers, and other sensitive records remain in circulation. “The U.S. does not have all stolen data in its possession, and the investigation continues,” a DOJ representative commented.
While the U.S. seized two domains and the Netherlands along with the same number of domains additionally took down three servers used in the operations, Eurojust, the European crime coordination agency said the authorities had detected almost 1200 servers linked to these stealers’ operations.
For victims or those concerned about potential exposure, authorities have launched an information portal, www.operation-magnus.com, offering details and resources to assist in remediation. Concurrently, security firm ESET, who initially flagged the infostealer operations to the Dutch police, have released a one-time online scanner for potential victims to check for infections.
RedLine and Meta Remain a Persistent Threat
While RedLine and META stand among the most dangerous infostealers, they’re part of a broader trend toward accessible, powerful malware that even novice hackers can deploy. MaaS-based models, where malware licenses are sold as easily as software subscriptions, have created a burgeoning market on dark web forums. Cybersecurity analysts warn this trend democratizes malware distribution, making sophisticated attacks feasible for a much larger pool of cybercriminals.
According to security research, RedLine has rapidly risen to one of the most prevalent malware types worldwide, often taking advantage of themes like COVID-19 alerts or critical system updates to bait victims into downloading the malware. These socially engineered ploys add a layer of believability that catches even seasoned users off guard, underscoring the need for ongoing user awareness and strong corporate defenses.
Related