Update 18 Jan 2.00pm: After further analysis, we’ve identified that the IP address associated with the RedLine malware is part of the Telegram messenger network. We’re therefore not blocking this IP as it may potentially impact legitimate services.

However, RedLine malware has been known to use this IP to communicate with its C2 servers, so we’ve ensured school FortiGate IPS profiles are up to date with the latest RedLine malware signatures. These signatures protect you from malicious traffic from the above IP address and others it identifies as being associated with this malware campaign.

We’ll continue to monitor this campaign and contact you directly if we see anything suspicious.


Original Update 14 Jan 4.40pm: We’re aware of an active RedLine malware campaign that’s spread through news about the COVID-19 Omicron strain. We believe this is likely distributed via email and recommend schools and their IT providers check for suspicious email activity relating to Omicron.

RedLine is a relatively common malware that steals usernames and passwords it finds in an infected system. This particular variant steals stored credentials for VPN applications like NordVPN, OpenVPN, and ProtonVPN.

To minimise risk to schools we’ve blocked the IP address of a server associated with the malware. We’re contacting any schools we believe have been impacted directly. If you have any questions or you find something suspicious please contact us on 0800 LEARNING.

You can find more information at the below links:

1. https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer

2. https://www.zdnet.com/article/fortinet-warns-of-cybercriminals-using-omicron-variant-news-to-distribute-redline-stealer/