Redline Stealer: A Novel Approach
ID: 529499c5-11d5-53ee-ae6e-c3123f632f45
STIX ID: report--529499c5-11d5-53ee-ae6e-c3123f632f45
Feed Name: McAfee Labs Blog
This report documents a widespread RedLine stealer variant distributed via a trojanized GitHub-hosted MSI (Cheat.Lab.2.7.2.zip) that executes LuaJIT bytecode to perform credential and data theft. The analysis details the infection chain, runtime compilation/execution of Lua bytecode, persistence (scheduled tasks, copying to ProgramData, Windows Setup error handler), HTTP-based C2 that receives tasks and accepts exfiltrated screenshots and system metadata, and supplies IoCs (file hashes, malicious URLs, and a C2 IP) for detection and mitigation.
