Tracking Redline developer: Maxim Rudometov

Two days ago, The Department Of Justice announced an international disruption effort against the current version of RedLine Infostealer. It's #OSINT time!

In the redacted complaint, Maxim Rudometov is identified as one of the developers of RedLine. Using Predicta Graph and #OSINT techniques, I’ve retraced each step taken by the @FBI. For full details, check out the complete graph!

On March 4, 2020, a blogger named Foxovsky published a post on RedLine and its creators. In his post, he mentioned two usernames connected to the stealer: Dendimirror and Alinchok

Foxovsky's first blog post about the Dendimirror stealer dates back to 2018: https://web.archive.org/web/20180819120557/https://foxovsky.ru/all/analiz-raboty-stillera-ot-dendimirror-alinchok/.

He also leaked the decompiled source code of the stealer on github: https://github.com/mem3nt0/Dendimirror_Stealer

The Dendimirror alias is clearly tied to a stealer, making it worth investigating to identify who’s behind it. Searching this alias in data leaks led me to a Yandex email address: [email protected]

Using Predicta Search API, I found two linked accounts:

• A LinkedIn profile under the name Максим Рудометов: https://www.dhirubhai.net/in/%D0%BC%D0%B0%D0%BA%D1%81%D0%B8%D0%BC-%D1%80%D1%83%D0%B4%D0%BE%D0%BC%D0%B5%D1%82%D0%BE%D0%B2-824467161/
• A GitHub account with the username GHackiHG: https://github.com/GHackiHG

Searching the username GHackiHG in data leaks revealed:

• A phone number: +380667138024
• An email address: [email protected]

Using the Predicta Search API, I found this account: https://ask.fm/navi_ghacking. This introduces a new username: navi_ghacking!

Searching for this username on VK revealed that Maxim used it to promote his developer services: https://vk.com/wall-98119902. It also gave us a VK profile: https://vk.com/navi_ghacking

Clicking on the deleted post led to another VK account with the ID id170399893. Using https://vk.watch, numerous snapshots of this VK profile are accessible for further investigation.

We have photos of Maxim!

Using Search4Faces, I discovered an additional VK profile linked to Maxim https://vk.com/id377254012

Did you notice the bloodzz.fenix Skype account is both listed on Maxim's VK profile? He mentioned it too in posts on certain hacker forums

That concludes the OSINT phase of our investigation. We traced the Dendimirror alias back to Maxim, who is clearly connected to malicious activity and stealer development. However, the question remains: is he definitively the developer of RedLine, as Foxovsky claimed?

Being an @FBI agent made the difference, they accessed server logs from providers like Binance, GitHub, Apple, and Skype. By analyzing Maxim’s connection patterns, they confirmed his role in RedLine's development and operation.

That’s a wrap! For the complete breakdown, check out the full graph with all the details: https://www.predictagraph.com/graph/snapshot/65e1a4f2-6a26-434f-b712-d68ad7122f6d

PS1: The VK group we found previously has been created by Maxim. In the group info we can find:

• 2 projects: VkApiChecker and VkGroupParser
• 1 website: https://best-shop-items.blogspot.com
• His name: Maksim Roudomiotov

PS2: On GitHub, in the repository named "LicenseManager" there's a file titled Wolk.exe. This file has been uploaded to VirusTotal, where it's shown to connect to the domain https://sofatel4.ru

In 2019, another file named myfile.exe, which also connects to the domain, was uploaded to VirusTotal

This analysis reveals two additional pieces of information: the IP address 93.189.41.63 and the domain https://gdlvw1.com