The cybersecurity landscape continues to evolve, with malicious actors developing increasingly sophisticated threats. Recent reports highlight a new threat known as RedEnergy, a stealer-as-a-ransomware that has caught the attention of cybersecurity experts due to its unique methods and significant impact.

Overview of RedEnergy

Researchers at Zscaler have identified a new strain of malware dubbed RedEnergy that targets major sectors such as energy utilities, oil, gas, telecom, and machinery. Interestingly, the malware has been found to exploit LinkedIn pages of companies in Brazil and the Philippines to initiate its attack.

Capabilities of RedEnergy

The RedEnergy malware has been designed to steal sensitive data from various browsers. It achieves this by incorporating different modules that enable data exfiltration and conduct ransomware activities. The ultimate objective is to inflict maximum damage by combining data theft with encryption.

The Attack Vector

RedEnergy uses a multi-stage attack approach. The initial phase involves a FakeUpdates campaign (also known as SocGholish). This campaign deceives users into downloading JavaScript-based malware disguised as web browser updates. The unique factor about this attack is its use of reputable LinkedIn pages to target victims. The malware redirects users clicking on the website URLs to a counterfeit landing page that prompts them to update their web browsers.

The Malicious Process

Upon clicking the suggested browser update icons (Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera), users inadvertently download a malicious executable. This leads to a successful breach, where the malicious binary sets up persistence, performs the actual browser update, and drops a stealer that covertly harvests sensitive information. The stealer also encrypts the stolen files, leaving the victims vulnerable to potential data loss, exposure, or even the sale of their valuable data.

Data Exfiltration

Zscaler researchers noted suspicious interactions occurring over a File Transfer Protocol (FTP) connection during the attack. This raises the suspicion that the actors behind RedEnergy are exfiltrating valuable data to their infrastructure.

Ransomware Component

In the final stage of the attack, RedEnergy’s ransomware component encrypts the user’s data, appends the “.FACKOFF!” extension to each encrypted file, and deletes existing backups. It then drops a ransom note in each folder. Victims are instructed to pay a ransom of 0.005 BTC (about $151) to a specified cryptocurrency wallet to regain access to their files.

The Evolution of the Threat Landscape

RedEnergy’s dual function as a stealer and ransomware represents a significant evolution in the cybercrime landscape. This development follows the emergence of a new RAT-as-a-ransomware threat category, where remote access trojans such as Venom RAT and Anarchy Panel RAT have been equipped with ransomware modules.

The Importance of Vigilance

Given the sophistication of threats like RedEnergy, individuals and organizations must exercise extreme caution when accessing websites, especially those linked from LinkedIn profiles. Verifying the authenticity of browser updates and being wary of unexpected file downloads is vital to protect against such malicious campaigns.


The emergence of RedEnergy underscores the evolving and increasingly sophisticated nature of cybersecurity threats. As such, understanding these threats and adopting proactive cybersecurity measures is crucial for businesses and individuals alike.

Leave a Reply

Your email address will not be published. Required fields are marked *