What Is RedLine Stealer
Short answer
RedLine was the most widely used infostealer until 2024, when it was partially disrupted by Operation Magnus, a coordinated law enforcement effort. Despite the takedown, RedLine remains in active circulation and continues to generate logs on criminal marketplaces.
History and Operation Magnus
RedLine emerged around 2020 and quickly became the dominant infostealer due to its ease of use and affordable malware-as-a-service (MaaS) pricing. In 2024, Operation Magnus, a joint effort by international law enforcement agencies, took down several of RedLine's infrastructure servers. This disrupted but did not eliminate the threat: the malware's source code had already been widely distributed, and modified versions continue to circulate.
What RedLine steals
RedLine targets saved browser credentials, cookies, autofill data, cryptocurrency wallets, VPN credentials, and FTP client credentials. It also collects system information and can capture screenshots. RedLine logs are among the most commonly found on criminal marketplaces.
Current status
While Lumma has overtaken RedLine in new deployments, RedLine remains one of the most commonly encountered stealers in existing marketplace listings. Organizations should continue to monitor for RedLine infections alongside newer variants.
How Passguard detects RedLine
Passguard monitors the criminal marketplaces and Telegram channels where RedLine logs are traded. When infected devices containing access to your organization's systems are listed for sale, Passguard alerts your security team with the details needed to act: device information, malware type, compromised sessions, and infection timeline.
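The alert details listed above (device, malware type, compromised sessions, infection timeline) are what a security team needs in order to decide which sessions to revoke and which credentials to reset. The following is an added example of that triage step, written for this page and not Passguard's own code. It assumes a simple alert record shape (one dict per listed device, with a malware label, hostname, UTC infection timestamp and the domains the log exposes); the records, hostnames and domains are constructed for the example. It also matches RedLine's modified builds by label substring, reflecting the page's point that renamed variants still circulate, and orders exposures by infection time so the oldest, longest-lived exposure is handled first.

```python
"""Triage of stealer-log marketplace alerts (added example, not Passguard code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample alerts: hostnames, domains and timestamps are invented.
SAMPLE_ALERTS = [
    {"malware": "RedLine", "device": "LAPTOP-01", "infected_at": "2024-03-02T09:15:00Z",
     "domains": ["mail.example-corp.com", "sso.example-corp.com", "reddit.com"]},
    {"malware": "redline (modified build)", "device": "DESKTOP-77",
     "infected_at": "2024-05-19T22:40:00Z", "domains": ["vpn.example-corp.com"]},
    {"malware": "Lumma", "device": "PC-12", "infected_at": "2024-06-01T04:00:00Z",
     "domains": ["portal.example-corp.com", "github.com"]},
    # A listing that exposes nothing belonging to the organization.
    {"malware": "RedLine", "device": "HOME-PC", "infected_at": "2024-01-10T12:00:00Z",
     "domains": ["shop.example.net"]},
]

# Registrable domains the organization owns (assumed value for the example).
ORG_DOMAINS = {"example-corp.com"}


@dataclass
class Exposure:
    device: str
    family: str
    infected_at: datetime
    exposed_domains: list[str]

    def actions(self) -> list[str]:
        """Remediation steps a defender would queue for this device.

        Stealers copy cookies and saved passwords from disk, so any session that
        was valid at or after the infection time must be treated as stolen, and
        every saved credential for the exposed hosts must be rotated.
        """
        when = self.infected_at.isoformat()
        steps = []
        for domain in self.exposed_domains:
            steps.append(f"revoke sessions for {domain} valid on/after {when} (device {self.device})")
            steps.append(f"reset passwords and re-enroll MFA for accounts used on {domain} from {self.device}")
        steps.append(f"isolate and reimage {self.device} ({self.family})")
        return steps


def family_of(label: str) -> str:
    """Normalize a marketplace malware label to a family name.

    Substring matching keeps renamed or modified RedLine builds in the same bucket.
    """
    lowered = label.lower()
    if "redline" in lowered:
        return "RedLine"
    if "lumma" in lowered:
        return "Lumma"
    return "unknown"


def is_org_domain(domain: str, org_domains: set[str]) -> bool:
    """True if domain is one of ours or a subdomain of one of ours."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in org_domains)


def triage(alerts: list[dict], org_domains: set[str],
           families: set[str] | None = None) -> list[Exposure]:
    """Keep only listings that expose the organization, oldest infection first.

    families=None keeps every family; pass {"RedLine"} to look at RedLine alone.
    """
    exposures = []
    for alert in alerts:
        family = family_of(alert["malware"])
        if families is not None and family not in families:
            continue
        exposed = [d for d in alert["domains"] if is_org_domain(d, org_domains)]
        if not exposed:
            continue
        infected_at = datetime.strptime(alert["infected_at"], "%Y-%m-%dT%H:%M:%SZ")
        infected_at = infected_at.replace(tzinfo=timezone.utc)
        exposures.append(Exposure(alert["device"], family, infected_at, exposed))
    exposures.sort(key=lambda e: e.infected_at)
    return exposures


if __name__ == "__main__":
    for exposure in triage(SAMPLE_ALERTS, ORG_DOMAINS):
        print(f"{exposure.infected_at:%Y-%m-%d} {exposure.family:8} {exposure.device}")
        for step in exposure.actions():
            print("   -", step)
```

Running the block on the sample alerts yields three exposures (LAPTOP-01, DESKTOP-77, PC-12); the HOME-PC listing is dropped because it touches none of the organization's domains. Restricting `families` to `{"RedLine"}` keeps both the plainly labelled listing and the "modified build", which is the behaviour you want given that renamed RedLine variants remain in circulation after Operation Magnus.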
