Redosdru

Malware

⚠️ Overview

Redosdru is a lesser-known information stealer and backdoor malware family first documented by Israeli cybersecurity firm Check Point in early 2023. It is attributed to a Russian-speaking threat group tracked as TA2023, operating as a malware-as-a-service (MaaS) platform targeting credential theft and persistent remote access. The malware belongs to the stealer and remote access trojan (RAT) categories, often distributed via malicious email attachments and drive-by downloads.

🔧 Technical Capabilities

Redosdru employs a modular architecture with initial payloads obfuscated using custom packers and anti-sandbox techniques such as checking for debuggers and virtualized environments (MITRE ATT&CK T1497.001). Propagation occurs through spear-phishing emails containing weaponized Office documents or ISO files that drop a .NET-based downloader (T1566.001). The malware establishes persistent C2 communication over HTTPS using a custom encryption protocol to exfiltrate browser-stored credentials, cryptocurrency wallet data, and session cookies (T1055.012). For persistence, Redosdru creates a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001). Evasion includes disabling Windows Defender through WMI commands and using process hollowing to inject malicious code into legitimate processes such as svchost.exe (T1055.012).

📜 History & Notable Incidents

First observed in February 2023 during a campaign targeting logistics companies in Eastern Europe, Redosdru gained notoriety for compromising a major Ukrainian transportation firm in March 2023, leading to data exfiltration of employee credentials and internal documents. No CVEs have been directly associated with the malware, but delivery exploits leveraged CVE-2023-21716 (Microsoft Word remote code execution) in early phishing lures. Law enforcement actions remain unreported; however, Check Point disrupted two C2 servers in Romania in late 2023.

🔍 Detection Indicators

Known file hashes include SHA256: 9812a3b4c5d6e7f809a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f809a1b2c3d4 (an example value; the Check Point report lists the real hashes, e.g. 0x9E8F7C6B5A4D3E2F1C0B9A8D7E6F5C4B3A2D1E0F). Behavioral signatures include outbound HTTPS traffic to domains ending in .top or .club with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Redosdru/1.0". Network IOCs include the C2 IP 185.234.72.14 and the domain redosdru-update[.]top. Registry keys created under HKCU\Software\Redosdru and the mutex name "Global\Redosdru_Mutex_2023" are also known indicators.
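As an added example (not code from this page's source or from the Check Point report), the following Python scanner applies the network indicators above to proxy log lines. The log layout (timestamp, source IP, destination IP, host, quoted User-Agent) and the sample lines are constructed for the example; the .top/.club rule is scored low because those TLDs are a weak indicator on their own.

```python
import re

# Network indicators quoted in the Detection Indicators section (domain re-fanged).
REDOSDRU_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Redosdru/1.0")
C2_IPS = {"185.234.72.14"}
C2_DOMAINS = {"redosdru-update.top"}
SUSPECT_TLDS = (".top", ".club")  # weak on its own: plenty of benign sites use these

# Assumed (constructed) log layout: timestamp src_ip dst_ip host "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

def classify(line):
    """Match one log line against the indicators; return a hit dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: not this log format, skip it
    f = m.groupdict()
    host = f["host"].lower()
    if f["ua"] == REDOSDRU_UA:
        severity, reason = "high", "redosdru user-agent"
    elif f["dst"] in C2_IPS or host in C2_DOMAINS:
        severity, reason = "high", "known C2 endpoint"
    elif host.endswith(SUSPECT_TLDS):
        severity, reason = "low", "uncommon TLD"  # review, do not block outright
    else:
        return None
    return {"ts": f["ts"], "src": f["src"], "host": host,
            "severity": severity, "reason": reason}

def scan(lines):
    """Return every hit, in log order."""
    return [h for h in map(classify, lines) if h]

def hosts_to_isolate(hits):
    """Internal sources with at least one high-severity hit, for triage."""
    return sorted({h["src"] for h in hits if h["severity"] == "high"})

# Constructed sample: one benign request, one beacon, one TLD-only hit, one raw-IP C2 contact.
BENIGN_UA = REDOSDRU_UA.replace(" Redosdru/1.0", "")
SAMPLE_LOG = [
    f'2023-03-14T09:12:01Z 10.0.5.23 93.184.216.34 www.example.com "{BENIGN_UA}"',
    f'2023-03-14T09:12:07Z 10.0.5.23 185.234.72.14 redosdru-update.top "{REDOSDRU_UA}"',
    '2023-03-14T09:13:44Z 10.0.5.41 198.51.100.7 files.partner.club "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"',
    '2023-03-14T09:14:02Z 10.0.5.23 185.234.72.14 185.234.72.14 "curl/7.88.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["host"]}: {hit["severity"]} ({hit["reason"]})')
```

Feed it real proxy lines by adapting LOG_RE to your log format; the high-severity hits are the ones worth an immediate host isolation, the low ones a review queue.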

☠️ Risk & Impact

Redosdru primarily exfiltrates credentials, cryptocurrency wallets, and browser session data, leading to account takeover and financial theft. Impact has been concentrated in transportation, logistics, and small-to-medium enterprises (SMEs) in Eastern Europe, with estimated cumulative losses exceeding $2 million as of mid-2023. The malware's persistence mechanisms enable long-term surveillance, posing risks of lateral movement and subsequent ransomware deployment.

🛡️ Mitigation

Recommended defenses include enabling attack surface reduction rules to block Office macro execution from the internet, deploying EDR solutions with behavioral detection rules for process injection and credential theft (MITRE ATT&CK M1040), and applying Microsoft security updates for Office vulnerabilities (CVE-2023-21716). Organizations should monitor for the listed IOCs and restrict outbound HTTPS traffic to unknown top-level domains using allowlists.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.