Pirated Business Software Activator Spreads RedLine Stealer

Dec. 10, 2024, 2:03 p.m.

Description

A malicious campaign targeting users of unlicensed corporate business automation software has been discovered. The attackers distribute malicious activators on accounting forums; these activators carry the RedLine stealer, concealed in an unusual way. The activator library is obfuscated with .NET Reactor, and the malicious payload is compressed and encrypted in multiple layers. The campaign began in January 2024 and continues to threaten users of unlicensed software. The attackers target entrepreneurs who use current versions of a business process automation platform, distributing their build disguised as a new version of the HPDxLIB activator. The malicious version differs from the 'clean' one primarily in being written in .NET and in carrying a new self-signed certificate.

Date

  • Created: Dec. 10, 2024, 1:42 p.m.
  • Published: Dec. 10, 2024, 1:42 p.m.
  • Modified: Dec. 10, 2024, 2:03 p.m.

Indicators

  • e5c9ba0a88e9a727d3eb4e400458d17a066722ec3bdc8b100abc68e182d954b4
  • fe99a90f23f1885f6cc6fc836e8fe33c806f39fefb6fce7668bbeb98a9fe6a77
  • ce916c1a133a83c0cc279ed087ace793f5ff841b3b732b2fb112d25b6629b4d9
  • cd9790a4e9b154ad3de4ea88253c9a3e1b6745cd26697ca3dd85fdcf742545b4
  • c4828839b51015ef658973f38cc19a5f0a3833ecb05fdee84d7a70635385736c
  • b546f826f5bdf9ed5d9dcedd050fd22db1ddffdf7fd53b1ad13de842fc8ad4cb
  • a2908165710b2658c7f9f104849f59e556fcc78c0a9c1308ceed3719d1038398
  • 9ed2d91ab50407824bf7b627850c47aa7c66c7146e4c5ecd0a506a04714f3fa2
  • 90543770652a03eb6db44e974d193a90720a7ba0907715bfd4b16c1386b38ee4
  • 282bae29a4223f033d70634c5bb1310d90a334b80637fe055983a59455bfe447
  • 254b9e817f853b574b6d2da93d8856d67ad92bc5065cdfb80f63e5eb163232fa
  • 213.21.220.222

Attack Patterns

Additional Information

  • Russian Federation