META
META is an information-stealing malware family, also described as deriving from, or being marketed as an improved version of, RedLine. Reporting describes META as a newer infostealer that gained popularity among cybercriminals, including availability on the TwoEasy botnet marketplace for $125 per month or $1,000 for lifetime access. It steals passwords from Google Chrome, Microsoft Edge, and Mozilla Firefox, as well as cryptocurrency wallet data. Reporting also places META among the infostealers capable of bypassing App-Bound Encryption.
A documented delivery chain used malspam carrying macro-enabled Excel attachments themed around bogus fund transfers and DocuSign lures. When a victim enabled content, a malicious VBS macro ran in the background, downloaded multiple DLL and EXE payloads from sites including GitHub, used Base64 encoding and reversed-byte payloads for evasion, and assembled a final executable named "qwveqwveqw.exe". META established persistence through a new Windows Registry key and resumed C2 communication after reboot. It also used PowerShell to weaken defenses, modifying Windows Defender exclusions so that .exe files would not be scanned.
Reported command-and-control traffic went to 193.106.191[.]162, and Brad Duncan published a PCAP of the infection traffic. META was also named in international law-enforcement disruption activity: in October 2024, Operation Magnus seized domains, servers, and Telegram accounts associated with RedLine and META, with reporting stating that authorities gained complete access to the servers behind both infostealers. Multiple sources describe META as one of the infostealers disrupted during that operation.
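A defender-side example, added here and not part of the page's sources: detection logic for the Defender-exclusion step described above, run over constructed PowerShell script-block log lines (Event ID 4104 style). The sample lines and the severity ranking are assumptions; the logic also flags path, process and IP-address exclusions, going beyond the .exe extension exclusion the page describes.

```python
import re
from collections import namedtuple
# Constructed PowerShell script-block lines (Event ID 4104 style); not captured from a real infection.
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionExtension '.exe'",
    "add-mppreference -exclusionextension exe,dll -Force",
    "Set-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'",
    "Add-MpPreference -ExclusionProcess:qwveqwveqw.exe",
    "Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension",
    "Write-Host 'hello world'",
]
CANONICAL_CMDLET = {"add-mppreference": "Add-MpPreference", "set-mppreference": "Set-MpPreference"}
CANONICAL_PARAM = {p.lower(): p for p in ("ExclusionExtension", "ExclusionPath", "ExclusionProcess", "ExclusionIpAddress")}
EXECUTABLE_EXTS = {"exe", "dll", "ps1", "vbs", "js", "scr", "bat", "cmd"}
# A statement that changes Defender preferences; its arguments run to the end of the statement.
CMDLET_RE = re.compile(r"\b(?P<cmdlet>(?:Add|Set)-MpPreference)\b(?P<args>[^\r\n;|]*)", re.I)
# One exclusion parameter with a quoted or bare, possibly comma-separated value list.
# PowerShell also accepts the -Param:value form, hence [\s:]+ between name and value.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s;|,]+)"
PARAM_RE = re.compile(r"-(?P<param>Exclusion(?:Extension|Path|Process|IpAddress))[\s:]+"
                      r"(?P<value>" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)", re.I)
Finding = namedtuple("Finding", "cmdlet parameter values severity")

def _split_values(raw: str) -> tuple:
    """Split a comma-separated PowerShell value list and strip surrounding quotes."""
    return tuple(v.strip().strip("'\"") for v in raw.split(",") if v.strip())

def detect_defender_exclusion_tampering(script_block: str) -> list:
    """Return one Finding per exclusion parameter passed to Add-/Set-MpPreference."""
    findings = []
    for stmt in CMDLET_RE.finditer(script_block):
        cmdlet = CANONICAL_CMDLET[stmt.group("cmdlet").lower()]
        for p in PARAM_RE.finditer(stmt.group("args")):
            parameter = CANONICAL_PARAM[p.group("param").lower()]
            values = _split_values(p.group("value"))
            # Excluding a whole executable format (META's .exe exclusion) blinds Defender to every
            # future dropped file of that type, so it ranks above a single path or process exclusion.
            wide = parameter == "ExclusionExtension" and any(
                v.lower().lstrip(".") in EXECUTABLE_EXTS for v in values)
            findings.append(Finding(cmdlet, parameter, values, "high" if wide else "medium"))
    return findings

def scan_script_blocks(blocks: list) -> list:
    """Return (block_index, Finding) pairs for a batch of script-block log lines."""
    return [(i, f) for i, b in enumerate(blocks) for f in detect_defender_exclusion_tampering(b)]

if __name__ == "__main__":
    for i, f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {f.severity.upper()} {f.cmdlet} -{f.parameter} {', '.join(f.values)}")
```

Read-only Get-MpPreference calls are deliberately ignored so that routine auditing does not page anyone; a full deployment would feed real 4104 ScriptBlockText fields into scan_script_blocks.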
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 3 techniques
One thing to note is that META modifies Windows Defender via PowerShell to exclude .exe files from scanning, protecting its files from detection.
Persistence: 2 techniques
Privilege Escalation: 2 techniques
Stealth: 1 technique
Defense Impairment: 1 technique
Credential Access: 4 techniques
“When executed, RedLine would steal data, including access devices, from victims’ computers.” Infostealers steal billions of user credentials such as passwords annually.
provided criminals access to “bots” or “browser fingerprints” ... including IP addresses, session cookies, operating system information, and plugins
Collection: 1 technique
Command and Control: 2 techniques
Exfiltration: 1 technique
Recent activity
11 sources tracked across advisories, community write-ups, and news.
An infostealer malware family derived from RedLine, mentioned as a target of Operation Magnus.
Information-stealing malware mentioned as part of prior law-enforcement disruption context (Operation Magnus).
An infostealer mentioned alongside RedLine as disrupted during Operation Magnus.
META is referenced as a known infostealer affected by law-enforcement disruption activity.