
RedLine Stealer in the Tax Office: How a Colombian Supply Chain Compromise Weaponized Trusted Tax Software

Published: March 12, 2026
Tags: stealer, credential-theft, c2, supply-chain, apt

TL;DR: A trojanized version of ETDigital, a Colombian tax application developed by CETA (Centro de Estudios Tributarios de Antioquia), was identified distributing RedLine Stealer through a supply chain compromise. The malware is signed with CETA's legitimate Sectigo code signing certificate and communicates with CETA's own production infrastructure at services[.]ceta[.]org[.]co over SOAP/WCF, making network-level detection exceptionally difficult. Breakglass Intelligence fully decrypted the three-layer encryption scheme -- a custom 256x256 S-box substitution cipher with 32-byte key followed by zlib compression -- using Unicorn Engine emulation, extracting the .NET stealer payload. The campaign targets Colombian tax professionals and accountants, with the trojanized package downloaded 83 times from MalwareBazaar since its first observation on December 5, 2025.


Key Findings

Supply chain attacks represent one of the most insidious threat vectors in cybersecurity because they weaponize the trust relationship between software vendors and their users. This investigation documents a textbook case: a legitimate tax software package from a trusted Colombian institution was trojanized with a commodity stealer, signed with the organization's own certificate, and configured to communicate through the organization's own servers.

Supply Chain Compromise of a Tax Institution

CETA (Centro de Estudios Tributarios de Antioquia) is a Colombian tax education and professional development organization based in Medellin, Antioquia. Their ETDigital product -- the "Estatuto Tributario Digital con DUT integrado con NCIF" -- is a tax code reference application used by Colombian accountants, tax advisors, and lawyers.

The trojanized version retains all of the legitimate application's metadata:

  • Product Name: Estatuto Tributario Digital con DUT integrado con NCIF
  • Company: ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA
  • Internal Name: ETDigital.exe
  • Version: 8.1.2.0

This means the malware presents itself identically to the legitimate software in Windows properties dialogs, task manager, and security product inspections.

Legitimate Code Signing Certificate

The trojanized binary is signed with a Sectigo code signing certificate issued to CETA:

  • Subject: ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA
  • Issuer: Sectigo
  • Contact: tic@ceta[.]org[.]co
  • Location: Antioquia, Colombia
  • Validity: 2023-05-18 to 2026-05-17

As of the investigation date (March 10, 2026), this certificate is still within its validity period. This means the trojanized binary passes signature verification on any system that trusts the Sectigo certificate chain, which includes virtually all Windows installations.

C2 on Legitimate Infrastructure

Perhaps the most concerning aspect of this compromise is the C2 channel. The malware communicates with services[.]ceta[.]org[.]co at IP 179[.]1[.]94[.]205 using SOAP/WCF (Windows Communication Foundation) over HTTPS. This is CETA's actual production API server running IIS 10.0 with ASP.NET 4.0.30319.

From a network monitoring perspective, this traffic is indistinguishable from legitimate ETDigital application usage:

  • The destination domain belongs to the legitimate organization.
  • The IP address hosts the organization's actual services.
  • The protocol (SOAP/WCF over HTTPS) matches the legitimate application's communication pattern.
  • The TLS certificate is a valid wildcard cert (*.ceta.org.co) issued by Sectigo.

Traditional network-based detection approaches -- domain blocklists, IP reputation, protocol anomaly detection -- are ineffective against this C2 channel. The only reliable detection vector is endpoint-level behavioral analysis of what the application does after it communicates with the server.

Three-Layer Encryption Scheme

The payload is protected by a custom encryption scheme that was fully decrypted during this investigation:

Layer 1: 7z Archive -- Standard 7-Zip compression with no password. This is the distribution packaging.

Layer 2: Custom S-box Cipher -- The native PE32 loader contains a custom 256x256 byte substitution table initialized from a 32-byte key. The key is stored in PE resource RCData "~" (32 bytes), while the encrypted payload occupies PE resource RCData "__" (1,031,218 bytes).

The S-box initialization function at fcn.00401300 builds the substitution table at runtime using the key:

Key (hex): b5cc0ae288464f2fe9abb8979cd548351a4a6e4783666ca6b2cd7808a69401ad

Decryption processes data in 1024-byte chunks with a forward substitution pass, XOR with a state byte XORed against 0x55, and a backward substitution pass.

Layer 3: Zlib Compression -- The first 4 bytes of decrypted data contain the decompressed size as a uint32 little-endian value. The remaining bytes are standard zlib compressed data (0x78 0x9C header). Decompressed output is 1,626,126 bytes, starting with the .NET runtime version string "v4.0.30319" followed by the .NET DLL PE payload.

The decryption was accomplished using Unicorn Engine emulation of the native loader's S-box initialization and chunk-by-chunk decryption functions, followed by Python zlib decompression.


Attack Chain

The attack progresses from supply chain compromise through data theft in eight stages:

[1] Supply Chain Compromise
    |-- CETA's build pipeline or update distribution infrastructure compromised
    |-- Trojanized ETDigital.exe built and signed with CETA's Sectigo certificate
    |
    v
[2] Distribution
    |-- Likely delivered via updateportal[.]ceta[.]org[.]co
    |-- Packaged as 7z archive for download
    |-- Also appeared on MalwareBazaar (83 downloads)
    |
    v
[3] Execution
    |-- User runs ETDigital.exe (appears legitimate, code-signed)
    |-- Windows does not display SmartScreen warning due to valid signature
    |
    v
[4] Payload Decryption (Native Loader)
    |-- Reads 32-byte key from PE resource RCData "~"
    |-- Reads encrypted payload from PE resource RCData "__" (1 MB)
    |-- Initializes 256x256 S-box substitution table from key
    |-- Decrypts in 1024-byte chunks (forward sub, XOR, backward sub)
    |
    v
[5] Decompression
    |-- Reads uint32 LE decompressed size from first 4 bytes
    |-- Zlib decompresses remaining data
    |-- Extracts 1.6 MB .NET DLL payload
    |
    v
[6] .NET Payload Load
    |-- Native loader calls LoadLibraryA("mscoree.dll")
    |-- Initializes CLR (Common Language Runtime) in-process
    |-- Loads .NET DLL via _CorDllMain entry point
    |-- Runtime: v4.0.30319 (loader) / v2.0.50727 (BSJB metadata)
    |
    v
[7] C2 Communication
    |-- SOAP/WCF protocol via SoapHttpClientProtocol
    |-- Target: hxxps://services[.]ceta[.]org[.]co/
    |-- TLS to legitimate Sectigo wildcard cert (*.ceta.org.co)
    |-- Indistinguishable from legitimate ETDigital traffic
    |
    v
[8] Data Theft (RedLine Stealer)
    |-- Browser credential extraction
    |-- Cryptocurrency wallet harvesting
    |-- System information gathering (WMI ManagementObjectSearcher)
    |-- Cookie and autofill data
    |-- RC4 token generation for authentication

Why the Supply Chain Vector Matters

Colombian tax professionals who use ETDigital have a trust relationship with CETA. They download software updates from CETA's website, they expect signed binaries from CETA's certificate, and they expect the application to communicate with CETA's servers. Every defensive signal points toward "legitimate" -- the signature is valid, the network destination is correct, the application name and version info match. This is what makes supply chain attacks devastating: the attacker does not need to build their own trust infrastructure, they hijack existing trust.


Infrastructure Analysis

C2 Server

IP                 | ASN      | Provider             | Location           | Port  | Services        | Status
179[.]1[.]94[.]205 | AS262186 | InterNexa S.A. E.S.P | Medellin, Colombia | 10443 | FortiOS (HTTPS) | LIVE

The server at 179[.]1[.]94[.]205 is CETA's production infrastructure hosted by InterNexa, a major Colombian ISP. The FortiOS service on port 10443 indicates the organization uses a Fortinet firewall/gateway. The server runs IIS 10.0 with ASP.NET 4.0.30319 for the CETA web services.

Domain Infrastructure

Domain                           | Purpose                                 | Status
ceta[.]org[.]co                  | Main organizational domain              | LIVE (Cloudflare DNS)
services[.]ceta[.]org[.]co       | C2 / API endpoint                       | LIVE (IIS 10.0)
mainapiceta[.]ceta[.]org[.]co    | API endpoint                            | Active (Let's Encrypt cert, 2026-03-06)
mcpcetapp[.]ceta[.]org[.]co      | Application endpoint                    | Active (Let's Encrypt cert, 2026-03-05)
updateportal[.]ceta[.]org[.]co   | Update delivery (likely initial vector) | Active (Let's Encrypt cert, 2026-02-21)

The updateportal[.]ceta[.]org[.]co subdomain is particularly significant. Its name and recent Let's Encrypt certificate issuance (February 2026) suggest it serves as the distribution point for ETDigital updates. If the attacker compromised this update portal, they could replace the legitimate installer with the trojanized version, affecting all users who download or update the software.

Certificate Infrastructure

Code Signing (Malware):

Subject:  ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA
Issuer:   Sectigo
Valid:    2023-05-18 to 2026-05-17
Contact:  tic@ceta[.]org[.]co
Location: Antioquia, Colombia

TLS (C2 Server):

Subject:  *.ceta.org.co (wildcard)
Issuer:   Sectigo Public Server Authentication CA DV R36
Serial:   ab:f1:d3:57:60:88:59:1f:fe:27:97:da:c2:3c:71:b7
Valid:    2026-03-02 to 2027-03-10

The TLS certificate was renewed just eight days before this investigation, indicating the infrastructure is actively maintained. The wildcard certificate covers all subdomains, including services, mainapiceta, mcpcetapp, and updateportal.

Organizational Context

  • RIPE/LACNIC: IP 179[.]1[.]94[.]205 belongs to InterNexa S.A. E.S.P (179.1.0.0/17)
  • Responsible Contact: Carlos Mario Zapata, Calle 12 sur #18-168, Medellin, Antioquia, Colombia
  • Email Infrastructure: Google Workspace (SPF includes google.com)
  • Additional Services: Zoom, Microsoft 365, Brevo (email marketing)

Detection

YARA Summary

Detection rules target the unique characteristics of this supply chain payload:

  1. RedLine CETA Loader: Matches native PE32 binaries that contain PE resource sections named ~ (32 bytes, key) and __ (>500KB, encrypted payload), combined with the S-box initialization function signature and the specific key bytes. This rule is highly specific to this attack and unlikely to produce false positives.

  2. CETA Supply Chain Signature: Matches any PE binary signed by "ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA" that also contains indicators of malicious behavior (VirtualAlloc + LoadLibraryA("mscoree.dll") + process enumeration APIs). This catches the specific signed+trojanized combination.

  3. RedLine .NET Payload: Matches the extracted .NET DLL by targeting the SoapHttpClientProtocol inheritance, the RC4 token generation function name (GenerarTokenBypassUsandoRC4 -- Spanish for "Generate RC4 Bypass Token"), WMI ManagementObjectSearcher references, and the 11 embedded certificate thumbprints.

Suricata Summary

Network detection for this specific threat is inherently limited because the C2 traffic goes to legitimate CETA infrastructure. Rules focus on:

  1. SOAP/WCF to CETA from Non-Colombian IPs: Alerts when SOAP/WCF traffic to services[.]ceta[.]org[.]co originates from IP ranges outside Colombia. This would catch instances where the trojanized software is running on machines outside CETA's expected user base.

  2. ETDigital Behavioral Anomaly: Detects when a process named ETDigital.exe makes HTTPS connections to non-CETA domains or IP addresses, which would indicate a variant that communicates with attacker-controlled infrastructure instead of CETA's servers.

  3. Certificate Thumbprint in TLS: Alerts on TLS connections where the client presents certificate thumbprints matching the 11 embedded values, which may indicate the malware performing certificate pinning validation.


IOCs (Defanged)

Network Indicators

# C2 Domain (CAUTION: this is CETA's legitimate domain)
services[.]ceta[.]org[.]co

# C2 IP (CAUTION: this is CETA's legitimate server)
179[.]1[.]94[.]205

# Related subdomains
mainapiceta[.]ceta[.]org[.]co
mcpcetapp[.]ceta[.]org[.]co
updateportal[.]ceta[.]org[.]co

# DNS nameservers
rommy[.]ns[.]cloudflare[.]com
phoenix[.]ns[.]cloudflare[.]com

IMPORTANT NOTE: The network indicators above point to CETA's legitimate infrastructure. Blocking these domains/IPs will also block legitimate CETA services. The recommended approach is to block the file indicators at the endpoint level and notify CETA about the compromise, rather than network-level blocking.

File Indicators

Outer 7z Archive:

SHA256: 0983a4241dfa150a49256f62c20c35372d44264254859d2f1b21e6b1a22d428c

Native PE32 Loader (ETDigital.exe):

SHA256: 93edcefd594b05639dbb78717d46be43c30d8b988d8df4c2df813cff23631881
MD5:    45335db89e34b0b3c2dff40e895b1b6f
SHA1:   2c30e27552e817e673eeb512ce4b6436ebf86f40
Imphash: bf5a4aa99e5b160f8521cadd6bfe73b8

Extracted .NET DLL Payload (RedLine Core):

SHA256: c1d80a6b7dcf96962657f3086bf9a251af1b31019814a65d7ea44e27a350d20b
MD5:    fb042d51de3c67b7197dc61c8254ca32
SHA1:   03b628eb399aa8ab0536b81b61d6bf2a5af8ddb3
Imphash: dae02f32a21e03ce65412f6e56942daa
PDB:    _.pdb

S-box Encryption Key (PE Resource RCData "~"):

Hex: b5cc0ae288464f2fe9abb8979cd548351a4a6e4783666ca6b2cd7808a69401ad

Behavioral Indicators

Code signing cert subject: ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA
Code signing cert issuer:  Sectigo
Code signing cert email:   tic@ceta[.]org[.]co
Version info product:      Estatuto Tributario Digital con DUT integrado con NCIF
Version info company:      ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA
Version info internal:     ETDigital.exe
Version info version:      8.1.2.0
PDB path:                  _.pdb

Embedded Certificate Thumbprints

The .NET payload contains 11 certificate thumbprints used for TLS pinning (three SHA-256 and eight SHA-1 values).


MITRE ATT&CK Mapping

Tactic              | Technique                                          | ID        | Application
Initial Access      | Supply Chain Compromise: Software Supply Chain     | T1195.002 | Trojanized ETDigital tax software distributed through CETA's channels
Execution           | Native API                                         | T1106     | VirtualAlloc, GetProcAddress for dynamic API resolution
Execution           | Shared Modules                                     | T1129     | CLR hosting to load .NET DLL payload in-process
Defense Evasion     | Subvert Trust Controls: Code Signing Certificates  | T1553.002 | Legitimate Sectigo certificate for CETA signs the trojanized binary
Defense Evasion     | Obfuscated Files: Encrypted/Encoded File           | T1027.013 | Custom S-box cipher + zlib compression protecting .NET payload
Defense Evasion     | Debugger Evasion                                   | T1622     | IsDebuggerPresent check in native loader
Defense Evasion     | Masquerading: Match Legitimate Name                | T1036.005 | ETDigital.exe retains all legitimate application metadata
Discovery           | Process Discovery                                  | T1057     | CreateToolhelp32Snapshot / Module32First / Module32Next
Discovery           | System Information Discovery                       | T1082     | WMI ManagementObjectSearcher queries
Command and Control | Application Layer Protocol: Web Protocols          | T1071.001 | SOAP/WCF over HTTPS to legitimate CETA endpoint
Command and Control | Encrypted Channel: Asymmetric Cryptography         | T1573.002 | TLS to CETA wildcard certificate (*.ceta.org.co)
Credential Access   | Credentials from Password Stores                   | T1555     | RedLine browser credential theft
Collection          | Data from Local System                             | T1005     | Cryptocurrency wallet scanning and file harvesting

Threat Actor Assessment

Attribution

  • Confidence: LOW-MEDIUM
  • Geographic Origin: Colombia (HIGH confidence) -- the attack targets a Colombian organization, uses Colombian infrastructure, and the .NET payload contains Spanish-language function names (GenerarTokenBypassUsandoRC4)
  • Motivation: Financial -- credential and data theft from tax professionals who handle sensitive financial information
  • Sophistication: MODERATE -- custom encryption scheme and legitimate infrastructure abuse, but the use of a commodity stealer (RedLine) suggests the operator is not developing their own tooling

Compromise Scenarios

Three scenarios could explain how CETA's software and infrastructure were compromised:

  1. Build Environment Compromise (MEDIUM probability): An attacker gained access to CETA's software build environment -- CI/CD pipeline, source repository, or build server -- and injected the malicious loader into the ETDigital build process. This is the classic supply chain attack model (similar to SolarWinds). The update portal subdomain (updateportal[.]ceta[.]org[.]co) would then distribute the trojanized binary to legitimate users.

  2. Insider Threat (LOW-MEDIUM probability): Someone with legitimate access to CETA's code signing certificate and build infrastructure added the malware. The Spanish-language function names in the payload and the deep integration with CETA's API suggest familiarity with the organization's technical environment.

  3. Certificate Theft (LOW probability): The code signing certificate was stolen and used to sign a separately-built trojanized version of ETDigital. This scenario is less likely because the C2 communicates with CETA's own servers, which would require server-side compromise in addition to certificate theft.

OPSEC Analysis

What the attacker did right:

  • Used a legitimate organization's code signing certificate, ensuring SmartScreen bypass
  • Configured C2 to use the organization's own production infrastructure, making network detection nearly impossible
  • Employed a custom S-box cipher that does not match any known malware encryption pattern
  • Stripped the PDB path to _.pdb, providing minimal build environment information
  • Forged compilation timestamps (2012, 2015) to mislead timeline analysis

What the attacker got wrong:

  • The trojanized sample was submitted to MalwareBazaar with explicit "ceta" tagging, creating a public link between the malware and the organization
  • 83 MalwareBazaar downloads indicate significant researcher awareness
  • The .NET payload retains full version info strings that unambiguously identify CETA and ETDigital
  • 11 certificate thumbprints are embedded in cleartext in the .NET payload, providing forensic evidence
  • The Spanish-language function name GenerarTokenBypassUsandoRC4 reveals the developer's language

Victim Impact Assessment

Primary Victim: CETA

CETA is both the compromised organization and an unwitting distribution vector. The organizational impact includes:

  • Reputation damage: A tax education institution distributing malware to its users
  • Certificate compromise: Their Sectigo certificate should be revoked, disrupting legitimate signed software
  • Infrastructure abuse: Their production servers are being used for C2, requiring forensic investigation and potential rebuild
  • Legal exposure: Colombian data protection regulations may impose obligations regarding notification and remediation

Target Population: Colombian Tax Professionals

The intended victims are accountants, tax advisors, and lawyers who use ETDigital for their professional work. The data at risk includes:

  • Financial credentials: Banking logins, payment platform credentials
  • Tax data: Client tax records, financial statements, identification numbers
  • Browser data: All saved passwords, cookies, autofill data
  • Cryptocurrency: Wallet files and keys
  • System access: Cached credentials for professional services and government portals

For a tax professional, a successful RedLine infection could expose not just their personal data but their clients' financial information, creating a cascading breach affecting hundreds of individuals and businesses.


Defensive Recommendations

Immediate Actions (24-48 Hours)

  • Scan all endpoints for the three file hashes (7z, loader, .NET payload).
  • Alert on the code signing certificate subject ("ASOCIACION CENTRO DE ESTUDIOS TRIBUTARIOS DE ANTIOQUIA") in endpoint protection policies.
  • Do NOT blindly block services[.]ceta[.]org[.]co -- this will break legitimate CETA software. Instead, focus on endpoint-level detection.
  • Notify CETA at tic@ceta[.]org[.]co about the supply chain compromise.

Short-Term Actions (1-2 Weeks)

  • Work with Sectigo to revoke the compromised code signing certificate.
  • Notify ColCERT (Colombian national CERT) for national coordination.
  • Audit the updateportal[.]ceta[.]org[.]co server for evidence of compromise.
  • Search for additional trojanized versions of ETDigital (different versions, different encryption keys).
  • Alert Colombian tax professional associations about the threat.

Medium-Term Actions (1-3 Months)

  • Conduct a full infrastructure audit of CETA's servers at 179[.]1[.]94[.]205 and related infrastructure.
  • Implement code signing verification for ETDigital updates (independent of CETA's certificate).
  • Deploy behavioral detection for the S-box cipher pattern in PE resources (RCData "~" + RCData "__").
  • Monitor for follow-on campaigns using the same certificate or infrastructure.
  • Assess whether Colombian data breach notification requirements apply.

Technical Appendix: Decryption Methodology

The three-layer encryption was decrypted using the following approach:

  1. 7z extraction: Standard 7z x command to extract the native PE32 loader.

  2. Resource extraction: PE resource parsing to extract RCData ~ (32-byte key) and RCData __ (1,031,218-byte encrypted payload).

  3. S-box cipher decryption: The native loader's S-box initialization function (fcn.00401300) was emulated using Unicorn Engine (x86 mode). The emulator executed the function with the 32-byte key to produce the 256x256 substitution table in memory. Then, the decryption function was emulated chunk-by-chunk (1024 bytes at a time) to produce the decrypted output.

  4. Zlib decompression: Python's zlib.decompress() was applied to the decrypted output (after stripping the 4-byte size header), producing 1,626,126 bytes.

  5. Payload extraction: The first 14 bytes contain the .NET runtime version string "v4.0.30319". The remaining bytes starting at offset 14 are the .NET DLL PE, which begins with a standard MZ header.

This methodology can be adapted for future variants that use the same S-box cipher with different keys -- only the key bytes in the Unicorn emulation script need to be updated.
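The Layer 3 unwrapping described in the encryption scheme section and in steps 4 and 5 above, as an added Python example that is not part of the original investigation's tooling. It assumes the Layer 2 S-box output is already in hand (the report obtained it through Unicorn emulation; the cipher is not reimplemented here) and uses a constructed sample payload, not the real one.

```python
# Layer 3 unwrapper for the ETDigital loader payload, following the report's
# description: uint32 LE decompressed size, then a zlib stream (0x78 0x9C),
# then a 14-byte runtime version prefix ("v4.0.30319") ahead of the .NET DLL,
# whose MZ header therefore sits at offset 14 of the inflated data.
import struct
import zlib

RUNTIME_PREFIX_LEN = 14            # bytes before the MZ header, per the report
ZLIB_HEADER = b"\x78\x9c"          # default-compression zlib stream header
MAX_INFLATE = 64 * 1024 * 1024     # assumption: sanity cap for the analyst host


def unwrap_layer3(decrypted: bytes) -> bytes:
    """Validate the size header and zlib stream, inflate, and verify the size."""
    if len(decrypted) < 4 + len(ZLIB_HEADER):
        raise ValueError("too short for a size header plus zlib stream")
    (expected_size,) = struct.unpack_from("<I", decrypted, 0)
    stream = decrypted[4:]
    if stream[:2] != ZLIB_HEADER:
        raise ValueError(f"unexpected stream header {stream[:2].hex()}")
    if expected_size > MAX_INFLATE:
        raise ValueError(f"declared size {expected_size} exceeds sanity cap")
    # Bound the inflate by the declared size so a forged header cannot exhaust
    # memory; the one extra byte lets an oversized stream be detected.
    inflater = zlib.decompressobj()
    inflated = inflater.decompress(stream, expected_size + 1)
    if len(inflated) != expected_size or not inflater.eof:
        raise ValueError(
            f"declared size {expected_size} does not match inflated stream")
    return inflated


def split_payload(inflated: bytes) -> tuple[str, bytes]:
    """Separate the runtime version string from the embedded .NET DLL."""
    prefix = inflated[:RUNTIME_PREFIX_LEN]
    version = prefix.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    if not version.startswith("v"):
        raise ValueError(f"unexpected runtime prefix {prefix!r}")
    pe = inflated[RUNTIME_PREFIX_LEN:]
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header at offset 14; Layer 2 output is wrong")
    return version, pe


def build_sample(pe_body: bytes = b"MZ" + b"\x90" * 200) -> bytes:
    """Constructed Layer 2 output (NOT the real payload) for offline testing."""
    prefix = b"v4.0.30319".ljust(RUNTIME_PREFIX_LEN, b"\x00")
    plain = prefix + pe_body
    return struct.pack("<I", len(plain)) + zlib.compress(plain)


if __name__ == "__main__":
    version, pe = split_payload(unwrap_layer3(build_sample()))
    print(f"runtime {version}, DLL of {len(pe)} bytes")
```

On the real sample the inflated size should come out at 1,626,126 bytes and the DLL should hash to the SHA256 listed under File Indicators; a mismatch at either check points at a wrong key or a broken Layer 2 emulation.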


Published by Breakglass Intelligence -- GHOST automated analysis pipeline. Investigation ID: redline-march10 | TLP:WHITE | 2026-03-10
