RedEngine Strikes: New Multi-Stage Infostealer Fuels BEC Fraud and Ransomware Attacks Worldwide

RedEngine Infostealer (Observed 20 Feb 2026)

RedEngine is a newly observed multi-stage loader combined with an information stealer. In simple terms, it is not just “a virus” that steals passwords. It is built as an entry point into an organization. First, it quietly gets inside a system, then it pulls down additional tools, steals credentials and session data, and finally hands over access to other threat actors who may deploy Business Email Compromise (BEC), lateral movement toolkits, or ransomware.

This makes RedEngine more dangerous than typical commodity stealers. It is designed to be the first domino in a larger attack chain.


What Happened

In campaigns observed in February 2026, organizations across finance, manufacturing, logistics, and professional services reported:

  • Suspicious login activity after employees opened invoice-themed attachments.
  • Email accounts being used to send convincing internal payment requests.
  • Deployment of remote administration frameworks within days of the initial compromise.
  • In several cases, ransomware was deployed 5–10 days after the initial infection.

RedEngine was identified as the common starting point. It acted as the initial access broker — stealing credentials, browser tokens, VPN profiles, and corporate email session cookies. That stolen access was later monetized or used directly in follow-on attacks.


Initial Access Vector

RedEngine campaigns relied heavily on social engineering rather than exploiting zero-day vulnerabilities.

Most Common Entry Methods

  1. Phishing Emails
    • Subject lines referencing invoices, shipping delays, tax documents, or contract revisions.
    • Attachments:
      • Password-protected ZIP files.
      • OneNote documents with embedded scripts.
      • ISO files containing LNK shortcut droppers.
      • Microsoft Office files with malicious macros (less common but still seen).
  2. SEO Poisoning
    • Fake download pages for popular software (PDF tools, CRM plugins, payroll utilities).
    • Trojanized installers delivering RedEngine loader.
  3. Malvertising
    • Sponsored ads redirecting to cloned software portals.

No confirmed exploitation of a public CVE was required in most campaigns; infection relied on a user executing a malicious file.


Technical Breakdown

RedEngine operates in multiple stages.


Stage 1 – Initial Loader

When the victim opens the attachment:

  • A PowerShell or JavaScript-based dropper executes.
  • It performs basic environment checks:
    • Detects sandbox indicators.
    • Checks system uptime.
    • Looks for virtual machine artifacts.
  • It injects itself into a legitimate process (commonly explorer.exe or mshta.exe).

If the system passes checks, it connects to a command-and-control (C2) server over HTTPS.


Stage 2 – Encrypted Payload Retrieval

The loader downloads an encrypted payload stored as:

  • .dat
  • .png
  • .tmp
  • Or embedded inside HTML comments

The payload is decrypted in memory using:

  • XOR routines
  • AES with hardcoded keys
  • Base64 layered encoding

At this stage nothing may be written to disk; fully fileless execution was observed in several samples.


Stage 3 – Infostealer Module

The stealer component extracts:

Browser Data

  • Saved passwords (Chrome, Edge, Brave, Firefox)
  • Autofill data
  • Session cookies
  • OAuth tokens

Email & Business Tools

  • Outlook credentials
  • Microsoft 365 tokens
  • Exchange Web Access cookies
  • Slack session tokens
  • CRM platform session data

Financial & Crypto

  • Cryptocurrency wallet files
  • Browser-based wallet extensions
  • Stored payment portal sessions

VPN & Remote Access

  • OpenVPN configs
  • AnyDesk, TeamViewer credentials
  • RDP connection history

Collected data is compressed and exfiltrated via:

  • HTTPS POST
  • WebSocket channel
  • Encrypted JSON blobs

Stage 4 – Persistence & Secondary Access

RedEngine may create persistence via:

  • Scheduled tasks
  • Registry Run keys
  • WMI event subscriptions
  • DLL side-loading

In many cases, persistence is intentionally light. The goal is to steal credentials quickly and sell access.


What Was Impacted

Organizations reported:

  • Compromised email accounts leading to BEC attempts.
  • Unauthorized vendor payment change requests.
  • Stolen VPN credentials enabling lateral movement.
  • Deployment of remote tools (Cobalt Strike beacons seen in some environments).
  • Ransomware deployment days after infection.

The financial impact varied:

  • Small firms lost funds via fraudulent wire transfers.
  • Larger enterprises experienced ransomware-related downtime.

Indicators of Compromise (IOCs)

File Indicators

  • Randomly named executables in:
    • %AppData%\Local\Temp\
    • %AppData%\Roaming\
  • Suspicious ISO mounts in user profile directories.
  • Scheduled tasks with random 6–8 character names.

Registry Keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>
HKCU\Software\<random>\Update

Process Indicators

  • mshta.exe spawning PowerShell
  • explorer.exe network connections to rare domains
  • wscript.exe executing from Temp directories

Network Indicators

  • HTTPS POST to newly registered domains.
  • C2 traffic with:
    • Unusual user-agent strings mimicking Chrome but malformed.
    • Large Base64 blobs in POST body.
  • Frequent DNS lookups for random subdomains.

Behavioral Indicators

  • Browser credential dumping shortly after user login.
  • Access to Login Data SQLite browser files.
  • Zipping of data into memory before outbound connection.

Anti-Malware Evasion Techniques

RedEngine uses:

  • Process injection.
  • In-memory execution.
  • Encrypted C2 traffic.
  • Anti-sandbox checks.
  • Delayed execution timers.
  • Living-off-the-land binaries (LOLBins).

Some EDR products detect later stages but may miss initial loaders if not behaviorally monitored.


Threat Hunting Guidance

Hunt for Suspicious Parent-Child Process Chains

Look for:

  • mshta.exe → powershell.exe
  • wscript.exe → cmd.exe
  • explorer.exe making outbound connections

Hunt for Credential Access Behavior

Monitor:

  • Access to browser SQLite databases:
    • Login Data
    • Cookies
    • Web Data
  • Unusual file reads of: %LocalAppData%\Google\Chrome\User Data\

Hunt for Data Exfiltration

Detect:

  • Large outbound HTTPS POST from workstations.
  • Rare domains contacted by single endpoints.
  • High entropy outbound traffic.

Scheduled Task Review

Query:

Get-ScheduledTask | Where-Object {$_.TaskName -match '^[a-zA-Z0-9]{6,8}$'}

Detection Rule

title: Suspicious MSHTA Spawning PowerShell
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith: '\powershell.exe'
  condition: selection
level: high
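As an added example (not code from the Aegiron post or any RedEngine tooling), the following Python applies the parent/child chains from the hunting section, the browser credential-store file reads, and the MSHTA rule above to constructed EDR-style telemetry. The event field names, the sample paths and hostnames, and the baseline domain set are all assumptions chosen for the demonstration.

```python
import re

# Parent -> child pairs from the hunting section, matched on the trailing
# image name the way the Sigma rule's `endswith` modifier does.
SUSPICIOUS_CHAINS = {
    ("\\mshta.exe", "\\powershell.exe"): "Suspicious MSHTA Spawning PowerShell",
    ("\\wscript.exe", "\\cmd.exe"): "Suspicious WScript Spawning cmd",
}
# Browser credential stores named in the hunting section, and the browsers
# that legitimately open them (assumed list; extend for the environment).
BROWSER_STORES = {"login data", "cookies", "web data"}
BROWSER_IMAGES = {"\\chrome.exe", "\\msedge.exe", "\\brave.exe", "\\firefox.exe"}
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def image_endswith(path, suffix):
    """Case-insensitive equivalent of Sigma's `Image|endswith`."""
    return path.lower().endswith(suffix.lower())


def evaluate_process_event(event):
    """Alert titles triggered by one process_creation event."""
    alerts = []
    parent, image = event.get("ParentImage", ""), event.get("Image", "")
    for (parent_sfx, image_sfx), title in SUSPICIOUS_CHAINS.items():
        if image_endswith(parent, parent_sfx) and image_endswith(image, image_sfx):
            alerts.append(title)
    # Process IOC: wscript.exe run against a script sitting in a Temp directory
    if image_endswith(image, "\\wscript.exe") and TEMP_PATH_RE.search(event.get("CommandLine", "")):
        alerts.append("WScript executing from Temp directory")
    return alerts


def evaluate_file_event(event):
    """Behavioral IOC: a non-browser process touching Login Data / Cookies / Web Data."""
    name = event.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "")
    if name in BROWSER_STORES and not any(image_endswith(image, b) for b in BROWSER_IMAGES):
        return ["Non-browser access to browser credential store"]
    return []


def evaluate_network_event(event, baseline_domains):
    """Flag explorer.exe reaching a host outside the environment's baseline."""
    dest = event.get("DestinationHostname", "").lower()
    if image_endswith(event.get("Image", ""), "\\explorer.exe") and dest and dest not in baseline_domains:
        return ["explorer.exe connection to rare domain"]
    return []


def run_detections(events, baseline_domains):
    """Return [(event_id, alert_title), ...] for every event that fires a rule."""
    handlers = {
        "process_creation": evaluate_process_event,
        "file_access": evaluate_file_event,
        "network_connection": lambda ev: evaluate_network_event(ev, baseline_domains),
    }
    hits = []
    for ev in events:
        for title in handlers.get(ev["EventType"], lambda ev: [])(ev):
            hits.append((ev["Id"], title))
    return hits


# Constructed sample telemetry: paths, user name and hostnames are made up, not real IOCs.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "process_creation", "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"},
    {"Id": 2, "EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "OUTLOOK.EXE"},
    {"Id": 3, "EventType": "process_creation", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"Id": 4, "EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_0219.js"},
    {"Id": 5, "EventType": "network_connection", "Image": "C:\\Windows\\explorer.exe",
     "DestinationHostname": "cdn-upd-7x2.example"},
    {"Id": 6, "EventType": "network_connection", "Image": "C:\\Windows\\explorer.exe",
     "DestinationHostname": "login.microsoftonline.com"},
    {"Id": 7, "EventType": "file_access", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"Id": 8, "EventType": "file_access", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
]
# Assumed baseline of hosts explorer.exe is normally allowed to reach.
BASELINE_DOMAINS = {"login.microsoftonline.com", "outlook.office365.com"}

if __name__ == "__main__":
    for event_id, title in run_detections(SAMPLE_EVENTS, BASELINE_DOMAINS):
        print(f"event {event_id}: {title}")
```

Events 2, 6 and 8 are the benign controls: Outlook launched from the desktop, explorer.exe reaching a baseline host, and Chrome reading its own cookie store produce no alert, while the four suspicious events each fire exactly one rule. The `endswith` matching mirrors the Sigma rule, so a copy of mshta.exe dropped in a user-writable folder still matches; the baseline set is what tunes the explorer.exe rule to an environment.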

Network Detection Concept (Pseudo Rule)

Alert when:

  • HTTP POST
  • Content-Type: application/json
  • Large base64 encoded payload
  • Domain age < 30 days
  • User agent inconsistent with installed browser version
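The pseudo rule above, and the "large outbound POST / high entropy" exfiltration hunt, can be turned into a scoring function. The Python below is an added example, not code from the Aegiron post: it evaluates constructed HTTP request records against the five clauses, checks the body for a large base64 blob whose decoded bytes have encryption-like entropy, and compares the Chrome major version claimed in the User-Agent with the version known to be installed. The request format, the size and entropy thresholds, the registration dates and hostnames are all assumptions.

```python
import base64
import binascii
import json
import math
import random
import re
from datetime import date

# Assumed thresholds; tune to the environment.
LARGE_BLOB_CHARS = 4096        # base64 text at least this long counts as "large"
NEW_DOMAIN_DAYS = 30           # the post's "domain age < 30 days"
HIGH_ENTROPY_BITS = 7.0        # bits per byte of the decoded blob (random data is ~8.0)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for uniform data, approaches 8.0 for encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_if_base64(text):
    """Decoded bytes when text is one clean base64 token, else None."""
    s = text.strip()
    if len(s) < 16 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def candidate_blobs(body):
    """String values that could carry a blob: JSON string fields, or the raw body."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return [body]
    if isinstance(parsed, dict):
        return [v for v in parsed.values() if isinstance(v, str)]
    return [parsed] if isinstance(parsed, str) else []


def large_high_entropy_base64(body):
    """True if the body carries a large base64 blob whose payload looks encrypted."""
    for text in candidate_blobs(body):
        if len(text) >= LARGE_BLOB_CHARS:
            raw = decode_if_base64(text)
            if raw is not None and shannon_entropy(raw) >= HIGH_ENTROPY_BITS:
                return True
    return False


def chrome_major(user_agent):
    """Chrome major version claimed by a User-Agent string, or None."""
    m = re.search(r"Chrome/(\d+)\.", user_agent)
    return int(m.group(1)) if m else None


def score_request(req, domain_registered, installed_chrome_major, today):
    """Clauses of the pseudo rule satisfied by one request, in rule order."""
    reasons = []
    if req["method"].upper() == "POST":
        reasons.append("http_post")
    if req["headers"].get("Content-Type", "").lower().startswith("application/json"):
        reasons.append("json_content_type")
    if large_high_entropy_base64(req["body"]):
        reasons.append("large_base64_body")
    registered = domain_registered.get(req["host"].lower())
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("newly_registered_domain")
    ua_major = chrome_major(req["headers"].get("User-Agent", ""))
    if ua_major is not None and ua_major != installed_chrome_major:
        reasons.append("ua_version_mismatch")
    return reasons


def should_alert(reasons):
    """The post's concept ANDs all five clauses together."""
    return len(reasons) == 5


# Constructed sample data (hostnames, dates and the blob are made up, not real IOCs).
_rng = random.Random(20260220)
_blob = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(4096))).decode()
SAMPLE_REQUESTS = [
    {"host": "cdn-upd-7x2.example", "method": "POST",   # suspicious: old Chrome claimed, new domain
     "headers": {"Content-Type": "application/json",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/98.0.0.0 Safari/537.36"},
     "body": json.dumps({"id": "WS-0142", "data": _blob})},
    {"host": "api.crm-vendor.example", "method": "POST",  # benign: small JSON, established vendor
     "headers": {"Content-Type": "application/json; charset=utf-8",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/133.0.0.0 Safari/537.36"},
     "body": json.dumps({"ticket": 4711, "status": "open"})},
]
DOMAIN_REGISTERED = {"cdn-upd-7x2.example": date(2026, 2, 10), "api.crm-vendor.example": date(2015, 6, 1)}
INSTALLED_CHROME_MAJOR = 133   # assumed: the version the fleet's software inventory reports
TODAY = date(2026, 2, 20)


def triage(requests=SAMPLE_REQUESTS):
    """[(host, satisfied clauses), ...] for a batch of requests."""
    return [(r["host"], score_request(r, DOMAIN_REGISTERED, INSTALLED_CHROME_MAJOR, TODAY)) for r in requests]


if __name__ == "__main__":
    for host, reasons in triage():
        print(host, "ALERT" if should_alert(reasons) else "ok", reasons)
```

The entropy check is what separates a genuine exfiltration blob from a legitimate large base64 field such as an uploaded document, whose decoded bytes are far from uniformly distributed. Domain registration dates and the installed browser version come from outside the proxy log (WHOIS or passive DNS, and the software inventory), which is why they are passed in as lookups rather than derived from the request.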

Recommended Defensive Measures

  1. Disable Office macros where possible.
  2. Block execution from:
    • Temp folders
    • AppData directories
  3. Enforce MFA for:
    • Email
    • VPN
    • Admin accounts
  4. Monitor newly registered domains.
  5. Implement DNS filtering.
  6. Restrict PowerShell execution policies.
  7. Audit OAuth token issuance.

Summary

RedEngine is not just an infostealer — it is an entry broker tool. It gains access quietly, steals everything useful, and prepares the ground for bigger attacks. In many environments, it was the first stage before BEC fraud or ransomware deployment.

The danger is not only what it steals immediately — it is what attackers do with that stolen access days later.

Organizations that treat infostealers as “low-level malware” are at risk. RedEngine demonstrates that credential theft is often just the beginning of a much larger breach.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.