In a recent technical deep dive, the Splunk Threat Research Team (STRT) dissected a multi-stage malware campaign that weaponizes legitimate Inno Setup installers to stealthily deploy RedLine Stealer, one of today’s most widespread and adaptable information-stealing threats.
“Software installer packages are a cornerstone of user-friendly software distribution… But what happens when this convenience is turned against us?” asks STRT at the start of their analysis.
Attackers are using Inno Setup’s Pascal scripting engine to disguise malware as trusted software installers. These malicious packages bundle renamed components such as:
- idp.dll: a legitimate Inno download plugin
- idp.exe: a renamed version of 7-Zip (7za.exe)
- ImageConverter.exe: a decoy to feign legitimacy
The true threat, however, resides in obfuscated Pascal code that:
- Uses XOR encryption to hide payload URLs and commands
- Performs sandbox and debugger evasion via WMI and process queries
- Checks system and user attributes to avoid automated analysis
“The malicious Pascal script uses simple XOR encryption to obfuscate key strings and commands… If any [analysis tools] are found, the script immediately terminates the installer to avoid detection,” the analysis explains.
The loader retrieves a secondary payload from a TinyURL-obfuscated link, which eventually leads to a password-protected ZIP hosted at: hxxp[:]//aptechludhiana[.]com/temp/package[.]zip.
Inside is a multi-layered chain:
- A shellcode loader hidden in periphyton.ics
- A trojanized DLL (QtGuid4.dll) to decrypt the shellcode
- The HijackLoader malware, which loads encrypted modules stored in glucoprotein.php
“HijackLoader is a modular malware loader… used in delivering various malicious payloads such as Amadey, Lumma Stealer, Raccoon Stealer v2, Redline Stealer and Remcos RAT,” the analysis notes.
Once the shellcode loader unpacks the HijackLoader from the pseudo-PNG glucoprotein.php, RedLine Stealer is decrypted and injected into MSBuild.exe to ensure stealth.
This RedLine variant:
- Uses “constant unfolding” obfuscation for configuration
- Leverages WMI to gather system info
- Evades detection via browser flags like --no-sandbox
- Exfiltrates browser credentials, crypto wallet data, cookies, and history
“RedLine Stealer focuses on retrieving saved login credentials from the browser’s encrypted Login Data database… and targets cryptocurrency extensions like MetaMask, Binance Chain Wallet, and TRONLink Wallet.”
The malicious installer also creates a scheduled task using schtasks.exe and drops a renamed executable (taskshostw.exe) in a hidden directory: %localappdata%\Programs\Common. This ensures the malware persists on reboot and potentially escalates privileges.
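The persistence and injection steps above leave observable traces in process-creation telemetry. The following Python is an added illustration, not part of the STRT analysis or its detections: it scores constructed Sysmon-style events for three behaviours the chain exhibits, a schtasks.exe task pointing into %localappdata%\Programs\Common, an executable named taskshostw.exe (one letter off the real taskhostw.exe) or running from that hidden directory, and MSBuild.exe launched by a parent that is not a build tool. Paths, task names and the trusted-parent list are assumptions chosen for the example.

```python
import re

# Constructed sample events (image, parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\is-ABC.tmp\setup.tmp",
     "parent": r"C:\Users\u\Downloads\ImageConverter_setup.exe",
     "cmdline": "setup.tmp /SPAWNWND=1234"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\is-ABC.tmp\setup.tmp",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc onlogon '
                r'/tr "C:\Users\u\AppData\Local\Programs\Common\taskshostw.exe"'},
    {"image": r"C:\Users\u\AppData\Local\Programs\Common\taskshostw.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "taskshostw.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\u\AppData\Local\Programs\Common\taskshostw.exe",
     "cmdline": "MSBuild.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe build.proj"},
    {"image": r"C:\Windows\System32\taskhostw.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "taskhostw.exe"},
]

# Hidden drop directory named in the analysis, matched case-insensitively.
HIDDEN_DROP_DIR = re.compile(r"\\appdata\\local\\programs\\common\\", re.I)
# Lookalike of the legitimate Windows binary taskhostw.exe.
LOOKALIKE_NAMES = {"taskshostw.exe"}
# Assumed set of parents that legitimately spawn MSBuild.exe.
TRUSTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    img, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    findings = []
    if img == "schtasks.exe" and "/create" in cmd.lower() and HIDDEN_DROP_DIR.search(cmd):
        findings.append("schtasks_persistence_in_localappdata_programs_common")
    if img in LOOKALIKE_NAMES or HIDDEN_DROP_DIR.search(event["image"]):
        findings.append("lookalike_or_hidden_dir_executable")
    if img == "msbuild.exe" and parent not in TRUSTED_MSBUILD_PARENTS:
        findings.append("msbuild_unusual_parent")
    return findings


def scan(events):
    """Return (event index, rule) pairs for every hit across the event list."""
    return [(i, rule) for i, e in enumerate(events) for rule in evaluate(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the schtasks call, the lookalike binary and the MSBuild.exe spawned from it, while the genuine taskhostw.exe and the Visual Studio build stay quiet.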