Meta vs Redline Stealer

Meta Stealer has been around since 2022 and has been used very frequently by TA in the stealers market. Somehow and because of C2 traffic similarities on Redline and Meta builds, this second has been “forget” by malware analysts and hunters, under the Redline name.

Recently, Threat Intelligence Researcher @AnFam17 has made an amazing report on this stealer:
MetaStealer - Redline’s Doppelgänger (
So we finally can start digging into Meta stealer and its detection.

Meta should be considered a malware from the same family as Redline, that actually has nothing to do with the outdated references on MetaStealer (Malware Family) (
and outdated ETPRO MALWARE Win32/MetaStealer Related Activity (GET) sid: 2851362
ETPRO MALWARE Win32/MetaStealer Related Activity (POST) sid: 2851363

Here is some additional Redline (PID 2580) vs Meta (PID 2712) detonations:
Analysis test123.rar (MD5: C6375702EA8D3E9F14A97BE68240EE65) Malicious activity - Interactive analysis ANY.RUN

What are the thoughts on ET community on bringing back detection to Meta Stealer updating the rules from 2022? Or what it seems more reasonable, to add some dual detection on both Redline and Meta samples but anything additional to help identifying Meta builds.

I say this because there’s currently some Meta builds that doesn’t have any rule detection, than a ET INFO Microsoft net.tcp Connection Initialization Activity. For example:
Analysis Malicious activity - Interactive analysis ANY.RUN

1 Like

Thank you for the heads up on this. We will have an additional signature out today specifcally for MetaStealer. I am still going through MetaStealer samples so more sigs may follow. Thank you again for the updates around these malwares!



2049282 - ET MALWARE MetaStealer Activity (Response)

Went out in todays release, we will be going through the redline sigs and updating to indicate metastealer where appropriate as well. Again, thank you for bringing this up!