Identity, Network Security, Malware

RedLine malware top credential stealer of last 6 months

RedLine malware top credential stealer of last 6 months

RedLine malware was used to steal more than 170 million passwords over the last six months, which makes it the most notorious credential stealer during that time, according to research published March 12.

RedLine was used in half of all cyber incidents involving stolen passwords (47%) and led the next closest stealer (Vidar) by over two-fold. Vidar, according to the report, was used to pilfer more than 65 million passwords, or 17%. Coming in at the No. 3 is the malware Raccoon Stealer tied to over 42 million stolen passwords, or 11.7%. Malware strains Meta, Cryptbot, Risepro, Stealc, Azorult, Aurora and Darkcrystal rounded out the top 10 credential stealers. 

The data was culled from known breached passwords lists by KrakenLabs and password management firm Specops, both owned by parent company Outpost24. 


Over the last six months, KrakenLabs analyzed 359 million stolen passwords to find out the most common malware used to steal credentials, while Specops said their database of breached and compromised passwords contains more than 4 billion unique passwords.

Uncovered in March 2020, the RedLine malware is used to export personal information such as credentials, cryptocurrency wallets and financial data to its command-and-control infrastructure. Its payload can also deliver cryptocurrency miner software on the victim’s machine. Specops reported that phishing campaigns were most often used to distribute the leading stealer malware, as well as compromised Google or YouTube accounts.

Vidar is an evolved version of the Arkei Stealer, according to Specops, and is distributed in phishing campaigns as Microsoft Compiled HTML Help (CHM) files. Vidar has also been distributed by the PPI malware service PrivateLoader, the Fallout Exploit Kit and the Colibri loader, as well as the GHOSTPULSE malware loader.

Raccoon Stealer is a malware-as-a-service that allows cybercriminals to rent the stealer on a monthly basis.

As noted by Specops, stolen credentials can be used to carry out further attacks, but more often they're sold on the dark web for other attackers to use the credentials to gain access to networks. 

The FBI reported that its Internet Crime Complaint Center received a record 880,418 complaints in 2023, an increase of nearly 10% from the year before, and includes crimes such as investment fraud and business email compromise scams, as well as ransomware and cryptocurrency scams.

Similarly, the Identity Theft Resource Center reported in January that the number of events where data was compromised increased a record 78% in 2203 over the previous year, although the number of victims decreased by 16%.

Darren James, senior product manager for Specops, said it was interesting that the RedLine malware was responsible for nearly half of the stolen passwords the company analyzed, adding that its report also highlights how many passwords are for sale on the dark web. 

James cautioned users not to reuse passwords, adding that it was vital for security professionals to continuously scan Active Directory for breached or compromised passwords.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.