{"id":747,"date":"2026-05-22T00:33:02","date_gmt":"2026-05-22T00:33:02","guid":{"rendered":"https:\/\/quantusintel.group\/osint\/blog\/2026\/05\/22\/the-beautiful-engineering-of-malice-dissecting-outpipe-infostealer\/"},"modified":"2026-05-22T00:33:02","modified_gmt":"2026-05-22T00:33:02","slug":"the-beautiful-engineering-of-malice-dissecting-outpipe-infostealer","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/05\/22\/the-beautiful-engineering-of-malice-dissecting-outpipe-infostealer\/","title":{"rendered":"The Beautiful Engineering of Malice: Dissecting OutPipe Infostealer"},"content":{"rendered":"<p>In this project, I performed comprehensive static and dynamic analysis of a Windows-based malware sample that belongs to the RedLine infostealer family, going by the name of OutPipe. My aim was to understand what data the malware targeted and how it communicates with its C2 server, and finally to map it all to TTPs in the MITRE ATT&amp;CK framework that blue teams can operationalize.<\/p>\n<figure><img data-opt-id=1548930552  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/0*hVNaPAw76c2Q4Cd-\" \/><figcaption>Photo by <a href=\"https:\/\/unsplash.com\/@stevecameup?utm_source=medium&amp;utm_medium=referral\">Xavier Cee<\/a> on\u00a0<a href=\"https:\/\/unsplash.com\/?utm_source=medium&amp;utm_medium=referral\">Unsplash<\/a><\/figcaption><\/figure>\n<h3>Introduction<\/h3>\n<p>Infostealers have become one of the more common ways to facilitate cybercrime, enabling criminals to steal user information and also to establish long-term persistence on infected machines. This raises serious concerns about user confidentiality. The sample that was analyzed falls into the category of a\u00a0.NET-based RedLine variant targeting x86 Windows systems. 
This sample was built for fast data exfiltration, also called \u2018smash-and-grab\u2019, rather than long-term persistence.<\/p>\n<p>This write-up walks through the static and dynamic analysis of the sample, starting with string validation, then detonation in a controlled environment, capturing network behaviour with Wireshark, and finally mapping to the MITRE ATT&amp;CK framework with mitigation strategies.<\/p>\n<h3>Sample Overview<\/h3>\n<p>The sample taken was a Windows PE32 executable for Intel 386 and later processors, built on\u00a0.NET and targeting Windows environments. The sample can be fingerprinted as follows:<\/p>\n<ul>\n<li>MD5: 4ef583c9ee908c829a31e64b917c7b30<\/li>\n<li>SHA-1: 7637f89b03d5db9404c6206bd55ebb2fde2294c4<\/li>\n<li>SHA-256: dbda6f421976910cdb3ddddf728dde8d7544516e2bb6510246ebc5d9a37ef5ca<\/li>\n<\/ul>\n<h3>Analysis Environment<\/h3>\n<p>A completely isolated Windows 10 x64 virtual machine built with Oracle VirtualBox was used for analysis. FlareVM was then installed over the base image; it provides a carefully chosen malware analysis toolset that includes hex editors, PE inspection tools, debuggers, and network analysis\u00a0tools.<\/p>\n<p>To minimize risk, the VM was never bridged to the production network, shared folders with the host machine were turned off, and a clean snapshot was taken before starting any analysis. 
The snapshot ensured safe rollbacks of the virtual machine and worked as a backup if anything went\u00a0wrong.<\/p>\n<p>Tools used throughout the analysis:<\/p>\n<ul>\n<li>HxD\u200a\u2014\u200ahex\u00a0editor<\/li>\n<li>Strings utility<\/li>\n<li>PEView &amp;\u00a0PEStudio<\/li>\n<li>dnSpy\u200a\u2014\u200a.NET reverse engineering<\/li>\n<li>Procmon\u200a\u2014\u200aprocess and file monitoring<\/li>\n<li>Wireshark\u200a\u2014\u200apacket\u00a0capture<\/li>\n<li>Autoruns &amp; Regshot\u200a\u2014\u200apersistence and registry\u00a0tracking<\/li>\n<li>FakeNet\u200a\u2014\u200asafe C2 simulation and packet rerouting<\/li>\n<\/ul>\n<h3>Initial Static\u00a0Triage<\/h3>\n<h4>HxD<\/h4>\n<p>I started by using HxD to make sure the file was actually a Windows executable and not a payload concealed behind a misleading extension. The file opened with the following information:<\/p>\n<ul>\n<li>4D 5A (MZ) signature<\/li>\n<li>Valid PE header (50 45 00 00\u200a\u2014\u200aPE)<\/li>\n<li>e_lfanew reference at 80 00 00\u00a000<\/li>\n<li>The well-known phrase \u201cThis program cannot be run in DOS\u00a0mode\u201d<\/li>\n<\/ul>\n<p>all of which is indicative of a genuine PE32 executable.<\/p>\n<figure><img data-opt-id=893536788  fetchpriority=\"high\" decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/746\/1*bzxvB8ZguRpbzhAGnc4kGw.png\" \/><figcaption>Binary Data for Malware Sample in\u00a0HxD<\/figcaption><\/figure>\n<h4>VirusTotal<\/h4>\n<p>Using the SHA-256 hash of the sample, VirusTotal showed several vendors naming it RedLine, or a closely related variant. 
VirusTotal also provided metadata such as initial submission dates, latest submission dates and target platforms, implying that this was operational malware rather than a synthetic sample.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*AFJjh9oT6qngKZdm33ouwg.png\" \/><figcaption>Screenshot from VirusTotal<\/figcaption><\/figure>\n<h4>Strings Analysis<\/h4>\n<p>I used the strings utility to understand the high-level functionality built into the binary. Several function-like strings were found, including:<\/p>\n<ul>\n<li>get_Password, set_Password<\/li>\n<li>get_usernameField, set_usernameField<\/li>\n<li>get__masterPassword, set__masterPassword<\/li>\n<li>get_encryptedPassword, DecryptPassword<\/li>\n<\/ul>\n<p>strongly suggesting the ability to handle stored credentials and decryption logic.<\/p>\n<p>Additionally, strings like CreditCard, GrabDiscord and DecryptNord, together with references to multiple browsers like Chrome, Chromium, Edge, Brave, Opera, Firefox and other niche browsers, imply a large scope for data harvesting. Alongside that, strings like get_Sandbox, set_Sandbox and VirtualBox indicate there is detection code for sandbox environments, meant to limit behaviour under analysis.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*x7mXzyOvhBwqgJiYBw-JCQ.png\" \/><figcaption>String \u2018VirtualBox\u2019 from Strings Utility\u00a0Output<\/figcaption><\/figure>\n<p>One key decryption command string was found:\u200a\u2014\u200aabe-decrypt \u201c{0}\u201d \u201c{1}\u201d \u201c{2}\u201d, which indicates that the malware has a routine to decrypt browser-stored passwords protected by Windows DPAPI. 
Altogether, these strings were evidence enough to conclude that the malware was indeed an infostealer focused on hunting browser and financial information.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*ml4wBUkH92wFn7tro52giw.png\" \/><figcaption>String \u2018\u200a\u2014\u200aabe-decrypt \u201c{0}\u201d \u201c{1}\u201d \u201c{2}\u201d\u2019 from Strings Utility\u00a0Output<\/figcaption><\/figure>\n<h4>PE Inspection<\/h4>\n<p>Using PEView, it was confirmed that the sample was compiled for Intel 386 and later processors and is intended for x86-based Windows platforms. This step validated the basic PE structure and header fields before diving deeper into the analysis.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*8JbX0wZjaMsytu6QIsLv3g.png\" \/><figcaption>Malware File Header Information from\u00a0PEView<\/figcaption><\/figure>\n<p>PEStudio revealed far more information regarding IoCs and behavioural characteristics. It flagged a collection of URLs pointing to IP and geolocation APIs\u00a0like:<\/p>\n<ul>\n<li><a href=\"http:\/\/127.0.0.1\/\">http:\/\/127.0.0.1<\/a>:<\/li>\n<li><a href=\"http:\/\/ip-api.com\/json\/?fields=query,countryCode,city,lat,lon\">http:\/\/ip-api.com\/json\/?fields=query,countryCode,city,lat,lon<\/a><\/li>\n<li><a href=\"http:\/\/checkip.amazonaws.com\/\">http:\/\/checkip.amazonaws.com\/<\/a><\/li>\n<li><a href=\"https:\/\/api.ipify.org\/\">https:\/\/api.ipify.org<\/a><\/li>\n<li><a href=\"https:\/\/icanhazip.com\/\">https:\/\/icanhazip.com<\/a><\/li>\n<\/ul>\n<p>These URLs are queried by the malware to determine the victim\u2019s public IP address. 
This is likely done to avoid, or target, specific\u00a0regions.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*4DSWjx_led1YvNL0dpOMbg.png\" \/><figcaption>Strings Flags from\u00a0PEStudio<\/figcaption><\/figure>\n<p>PEStudio also flagged suspicious SQL-like queries such\u00a0as:<\/p>\n<ul>\n<li>SELECT * FROM Win32_Process Where SessionId=\u2019{0}\u2019<\/li>\n<li>SELECT * FROM Win32_Process Where SessionId=\u2019{0}\u2019 ID:<\/li>\n<\/ul>\n<p>Upon inspection, these turned out to be Windows Management Instrumentation (WMI) queries used to enumerate currently running processes, possibly to identify security tools. Additionally, notable DLLs like urlmon.dll (for fetching content from the web) and vaultcli.dll (the Windows Credential Manager client) were also flagged, potentially hinting at multi-stage execution: downloading configuration from the C2 server and extracting stored credentials from the\u00a0vault.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*w23gc00OYhqyUppfbrwltA.png\" \/><figcaption>DLL Flags from\u00a0PEStudio<\/figcaption><\/figure>\n<h3>Confirming the RedLine\u00a0Lineage<\/h3>\n<p>Public reporting describes RedLine infostealers as aggressively targeting browsers, including lesser-known niche browsers, to exfiltrate credentials, cookies and financial data. The OutPipe sample demonstrated exactly this behaviour, with strings that list multiple browser profiles across Chromium and Gecko-based engines.<\/p>\n<p>Along with VirusTotal\u2019s classification, the mentions of browser credentials and credit card information imply that the sample can be categorized into the RedLine family, specifically identified as OutPipe by intelligence sources. 
With this, we conclude the static analysis and are ready to actually see the malware in execution.<\/p>\n<h3>Dynamic Process Behaviour and Execution Flow<\/h3>\n<p>In this stage, the sample was detonated in the sandbox environment with Procmon and Task Manager running in the background. After execution, it was noted that the malware spawned a process named <em>\u2018OutPipe\u2019<\/em> maintaining continuous activity, indicated by a solid green bar in Procmon\u2019s process tree. This tells us that the malware executed continuously and did not show short-term one-shot behaviour.<\/p>\n<figure><img data-opt-id=222843800  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/643\/1*xhM7pZtJ6U3Tc7k7rPAfjw.png\" \/><figcaption>Task Manager showing Active\u00a0Malware<\/figcaption><\/figure>\n<figure><img data-opt-id=620659019  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/767\/1*poK-N7ABE1cZgT7nQ8ssdQ.png\" \/><figcaption>Procmon Process\u00a0Tree<\/figcaption><\/figure>\n<p>In Procmon, the malware was seen establishing a TCP connection after its packets were rerouted using FakeNet, which is discussed below. This connection aligns with the outbound communication to the C2 server. Interestingly, there were no obvious signs of pre-execution checks preventing the sample from running its core functions despite being in a virtual environment.<\/p>\n<figure><img data-opt-id=465369352  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/846\/1*iOU1wunlfBV3rVPIqbXyOA.png\" \/><figcaption>TCP Operations by Malware in\u00a0Procmon<\/figcaption><\/figure>\n<h4>Credential Theft Logic in\u00a0dnSpy<\/h4>\n<p>As the sample binary was\u00a0.NET, dnSpy was ideal for reverse engineering the logic. 
Different functions were found aimed at the Chromium engine, with methods like \u2018ReadData\u2019 and \u2018DecryptChromium\u2019, alongside separate methods aimed at Gecko-based browsers.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*sY0qilZxN9vb248hPgSRZg.png\" \/><figcaption>dnSpy\u200a\u2014\u200aMalware finding Chromium-based browser Credentials<\/figcaption><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*L8GFpdJOa_eURND370VIYw.png\" \/><figcaption>dnSpy\u200a\u2014\u200aMalware finding Gecko-based browser Credentials<\/figcaption><\/figure>\n<p>These functions extracted saved usernames, passwords and session cookies by navigating through typical browser storage locations such as the Login Data and Cookies files and related SQLite databases. With the \u2018\u200a\u2014\u200aabe-decrypt\u2019 function, the code incorporates the logic to bypass the usual browser locks on these files, indicating a pipeline to extract credentials even when they are DPAPI-protected. The sample\u2019s account coverage is greatly increased by its capacity to extract data from a wide range of browsers.<\/p>\n<h4>Network Behaviour<\/h4>\n<p>I used Wireshark to capture packets in order to delve further into the C2 layer, as Procmon activity suggested network communication. Initial runs showed the malware attempting to establish a TCP connection to the hardcoded IP 77.90.185.66 over port 6677, a non-standard port choice likely intended to evade simplistic port-based monitoring.<\/p>\n<p>The TCP handshake failed in the first attempt, hinting that the actual C2 server was not accessible. To safely observe the full communication flow without connecting to the actual infrastructure, FakeNet was used to imitate the same IP and port locally. 
FakeNet intercepted and rerouted outgoing packets so that, to the malware, it appeared to be communicating with the C2, while all the traffic remained on the analysis\u00a0host.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*42SfMKWrEUA3aNxict0dsg.png\" \/><figcaption>Failed Packet Transmission in Wireshark<\/figcaption><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*7cFFMOzEMjsfVowXua4BxQ.png\" \/><figcaption>Rerouting using\u00a0FakeNet<\/figcaption><\/figure>\n<p>Wireshark was then able to record a successful TCP three-way handshake between the victim host and the simulated C2. Shortly after, packets with PSH and ACK flags carrying an XML payload were noted. The payload contained a SOAP-like request for \u2018GetSettings\u2019, implying that the malware obtains instructions from the C2 before selecting what data to exfiltrate.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*7qFKgBb9ZUeECjZlW1DD_A.png\" \/><figcaption>Successful Packet Transmission in Wireshark<\/figcaption><\/figure>\n<h4>Registry, Services &amp; Persistence Analysis<\/h4>\n<p>Autoruns and Regshot were used to compare the system state before and after execution in order to determine whether OutPipe established long-term persistence. Autoruns focused on the common auto-start locations:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/li>\n<\/ul>\n<p>Neither Autoruns nor Regshot showed any new entries in these locations that might have been caused by the malware. 
Additionally, OutPipe did not restart after a system reboot, indicating no persistence mechanism.<\/p>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*Niwz5rwLT3R3L8rB0_Ftig.png\" \/><figcaption>No Addition of Malware for Persistence<\/figcaption><\/figure>\n<p>A new service called WinDivert1.3 was noticed in Autoruns, but it turned out to be installed by FakeNet rather than the malware itself. Regshot likewise showed that WinDivert64.sys, again belonging to FakeNet and not OutPipe, was written into the %TEMP% directory at:<\/p>\n<ul>\n<li>C:\\Users\\vboxuser\\AppData\\Local\\Temp\\_MEI52682\\pydivert\\windivert_dll\\WinDivert64.sys<\/li>\n<\/ul>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*g5tdWsqqr69prHG1cOBGuQ.png\" \/><figcaption>Addition of WinDivert1.3 in\u00a0Services<\/figcaption><\/figure>\n<figure><img data-opt-id=771569372  decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*nPtbC6fKMsfP8HywWGBhLg.png\" \/><figcaption>WinDivert64.sys Image Path from Regshot\u2019s Output<\/figcaption><\/figure>\n<p>It was interesting to note that the malware had no self-destruct or file deletion procedure, as the sample remained on disk after execution. This behaviour of execute, steal data, send it out and exit, with no stealthy setup, reinforces the \u2018smash-and-grab\u2019\u00a0model.<\/p>\n<h3>MITRE ATT&amp;CK\u00a0Mapping<\/h3>\n<p>To contextualize OutPipe\u2019s behaviour for defenders, I mapped the observed actions to relevant MITRE ATT&amp;CK techniques. 
Some key mappings\u00a0include:<\/p>\n<ul>\n<li><strong>T1204.002\u200a\u2014\u200aUser Execution: Malicious File<\/strong> The infection chain assumes a user manually executes the initial\u00a0.exe payload, for example via phishing or a malicious download.<\/li>\n<li><strong>T1497.001\u200a\u2014\u200aVirtualization\/Sandbox Evasion: System Checks<\/strong> The presence of VirtualBox and sandbox-related strings indicates environment checks to detect virtualization and potentially reduce or alter behaviour.<\/li>\n<li><strong>T1518.001\u200a\u2014\u200aSecurity Software Discovery<\/strong> WMI queries such as SELECT * FROM Win32_Process Where SessionId=\u2019{0}\u2019 are used to enumerate running processes, likely to spot antivirus or EDR\u00a0agents.<\/li>\n<li><strong>T1082\u200a\u2014\u200aSystem Information Discovery<\/strong> The malware collects system build, architecture, and GUID data as part of its profiling.<\/li>\n<li><strong>T1614\u200a\u2014\u200aSystem Location Discovery<\/strong> External IP and geo-lookup services (ip-api.com, ipify, icanhazip) are used to geolocate the\u00a0victim.<\/li>\n<li><strong>T1555.003\u200a\u2014\u200aCredentials from Web Browsers<\/strong> The Chromium and Gecko routines target browser databases for login data, cookies, and web\u00a0data.<\/li>\n<li><strong>T1555.004\u200a\u2014\u200aWindows Credential Manager<\/strong> Importing vaultcli.dll suggests accessing the Windows Credential Manager to pull stored credentials.<\/li>\n<li><strong>T1003\u200a\u2014\u200aOS Credential Dumping<\/strong> The \u2018\u200a\u2014\u200aabe-decrypt\u2019 routine is used to bypass DPAPI protections on browser passwords once the encrypted blobs are obtained.<\/li>\n<li><strong>T1071.001\u200a\u2014\u200aApplication Layer Protocol: Web Protocols<\/strong> The C2 communication uses SOAP\/XML over HTTP as the application-layer protocol.<\/li>\n<li><strong>T1571\u200a\u2014\u200aNon-Standard Port<\/strong> Outbound C2 traffic occurs over TCP port 6677 instead of the common 
web ports 80 or\u00a0443.<\/li>\n<li><strong>T1041\u200a\u2014\u200aExfiltration Over C2 Channel<\/strong> Stolen credentials and system profiling data are sent over the same HTTP channel to the C2, observed via PSH-flagged packets in Wireshark.<\/li>\n<\/ul>\n<h3>Risk Assessment &amp;\u00a0Impact<\/h3>\n<p>Based on its capabilities, OutPipe falls into the category of a <strong>high-severity<\/strong> infostealer. While it does not establish persistence and therefore might not fall into the critical category, it still performs successful reconnaissance and can quickly exfiltrate important data during a single execution window.<\/p>\n<p>The main effect is data breaches, particularly those involving browser-stored passwords, financial data, and session cookies, which can be used for fraud, lateral movement, and account takeover. The lack of persistence does not lessen the risk; even if the host seems clean after a reboot, the damage is already done once credentials are obtained and exfiltrated.<\/p>\n<h3>Mitigation Strategies<\/h3>\n<p>From a defensive standpoint, several mitigation strategies emerged.<\/p>\n<ul>\n<li>Keeping operating systems and applications up to date closes many of the common vulnerabilities that infostealers and their delivery techniques rely\u00a0on.<\/li>\n<li>It\u2019s critical for users to adopt a zero-trust mindset. Unsolicited links, unexpected file attachments, and \u201ctoo good to be true\u201d online offers should all be viewed with mistrust because they are popular entry points for malware like OutPipe. Because social engineering and account hijacking are frequently linked to infostealers, users should be cautious even of messages that seem to be from friends and relatives.<\/li>\n<li>Businesses and individuals should only install software from reputable, verified sources and favour programs signed by reputable developers. Infostealers are frequently delivered through unsigned or \u201ccracked\u201d software obtained from dubious websites.<\/li>\n<li>On the defensive operations side, early warning signs of an infostealer compromise can be identified by monitoring for unusual outbound connections to non-standard ports, frequent IP geolocation API queries, and suspicious SOAP\/XML communication to unknown addresses.<\/li>\n<\/ul>\n<h3>Conclusion<\/h3>\n<p>This project forced me to walk through the full lifecycle of malware analysis, starting with basic PE triage, through static strings, into\u00a0.NET reverse engineering, and finally into dynamic process and network analysis. Tools like FakeNet and WinDivert were especially helpful in safely recreating C2 communications that would otherwise be unavailable or too dangerous to connect to directly.<\/p>\n<p>Mapping the observed behaviours to the MITRE ATT&amp;CK framework provided a structured way to communicate findings to defenders, translating raw technical observations into the language of techniques and procedures that SOCs and threat hunters use every\u00a0day.<\/p>\n<p>In conclusion, analyzing OutPipe enhanced my understanding of modern infostealers as fast, targeted tools focused on data and credential theft rather than loud and persistent infections. 
It also made clear how crucial it is for defenders to identify them within that short but harmful execution window.<\/p>\n<hr \/>\n<p><a href=\"https:\/\/osintteam.blog\/the-beautiful-engineering-of-malice-dissecting-outpipe-infostealer-f89816f98b62\">The Beautiful Engineering of Malice: Dissecting OutPipe Infostealer<\/a> was originally published in <a href=\"https:\/\/osintteam.blog\/\">OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>In this project, I performed comprehensive static and dynamic analysis of a Windows based malware sample that belongs to the RedLine infostealer family, going by the name of OutPipe. My aim was to understand what data the malware targeted, along with how it communicates with the C2 server and finally mapping it all to the &#8230; <a title=\"The Beautiful Engineering of Malice: Dissecting OutPipe Infostealer\" class=\"read-more\" href=\"https:\/\/quantusintel.group\/osint\/blog\/2026\/05\/22\/the-beautiful-engineering-of-malice-dissecting-outpipe-infostealer\/\" aria-label=\"Read more about The Beautiful Engineering of Malice: Dissecting OutPipe Infostealer\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-747","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=747"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/747\/revisions"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}