RedLine C2 Pivot Exposes Maritime Phishing Infrastructure and Fraud Domains
A RedLine Stealer command and control server helped researchers uncover a wider phishing and business email compromise campaign targeting the maritime supply chain. The investigation started with one suspicious C2 endpoint, 194.156.79.122 on port 55615, and expanded into a cluster of malware servers, fake company domains, and shipment-themed phishing emails.
The activity was aimed at the South Korean maritime industry, including Kangrim Heavy Industries, according to a GBHackers report. Researchers linked the campaign to RedLine Stealer infrastructure, FormBook malware delivery, and domains designed to impersonate maritime suppliers or related businesses.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The case shows how a single malware indicator can reveal a much larger fraud network. It also highlights why shipping, manufacturing, and logistics companies remain attractive targets for attackers who want access to invoices, supplier conversations, and payment flows.
How one RedLine C2 server led to the maritime phishing campaign
The investigation began with a RedLine Stealer C2 address seen on port 55615. Researchers used that unusual infrastructure clue to pivot across related servers, certificates, hosting patterns, and malware samples.
That process connected the initial RedLine endpoint to additional infrastructure used for FormBook delivery. VMRay says its UniqueSignal threat intelligence feed provides high-confidence indicators with malware family context, TTPs, and victimology details, which fits the type of pivoting used in this case.
Instead of stopping at one IP address, the investigation mapped infrastructure relationships. That approach helped expose attacker-owned domains used to support phishing, mail delivery, and supplier impersonation.
| Finding | Details |
|---|---|
| Initial C2 indicator | 194.156.79.122:55615 |
| Main malware families | RedLine Stealer and FormBook |
| Target sector | Maritime, shipping, and related manufacturing |
| Named target | Kangrim Heavy Industries |
| Attack style | Spear phishing and business email compromise |
| Key risk | Credential theft, supplier impersonation, and invoice fraud |
Why RedLine and FormBook matter in this campaign
RedLine Stealer is widely used by cybercriminals to collect sensitive data from infected computers. Proofpoint documented RedLine activity as early as 2020, when it observed campaigns delivering the malware through email-based lures.
FormBook adds another layer of risk. Check Point describes FormBook as an infostealer first discovered in 2016 that can steal browser credentials, capture screenshots, log keystrokes, and download additional malicious files.
In a maritime business setting, stolen credentials can matter as much as malware persistence. Attackers can use one compromised mailbox to monitor supplier conversations, alter payment instructions, or insert fake documents into active negotiations.
Fraudulent domains used fake supplier identities
The campaign used domains that looked like legitimate company names. Several followed a short business-name pattern with โllcโ or industry-style wording, which can make a message look normal during a busy procurement or shipping workflow.
The reported infrastructure included seven additional fraudulent domains tied to the pivot, while the published IoC set lists eight suspicious lookalike domains and one linked domain. This difference matters because defenders should block and review the full set, not only the number used in the headline.
These domains were not just random names. They were built for social engineering. A recipient dealing with shipping quotes, equipment orders, spare parts, or invoices may not notice a fake supplier domain if the email matches an ongoing business process.
| Domain | Role in the reporting |
|---|---|
| acasiallc.shop | Fraudulent business-style domain |
| amdocsllc.shop | Fraudulent business-style domain |
| ansysllc.shop | Fraudulent business-style domain |
| cimentosservices.online | Fraudulent business-style domain |
| epsilongroup.online | Fraudulent business-style domain |
| softinsallc.online | Fraudulent business-style domain |
| taicom.top | Fraudulent business-style domain |
| krysegroupllc.online | Fraudulent business-style domain |
| shengan-light.com.tw | Linked phishing infrastructure domain |
Why maritime companies are exposed to this type of phishing
Maritime organizations rely heavily on email for quotes, vessel schedules, invoices, supplier updates, port coordination, and cargo documents. That creates opportunities for attackers who can imitate a vendor, forwarder, or equipment supplier with enough detail.
The Canadian Centre for Cyber Security warned in its marine transportation threat assessment that financially motivated cybercriminals will continue to target marine transportation and supporting organizations through extortion and stolen business information.

The International Maritime Organization also treats maritime cyber risk as a safety and security issue. Its maritime cyber risk guidance defines the risk as a threat to technology assets that can lead to shipping-related operational, safety, or security failures.
- Supplier conversations often involve high-value payments.
- Invoices and bank details move through email chains.
- Many companies work with global partners across time zones.
- Attackers can impersonate vendors with newly registered domains.
- One stolen mailbox can expose months of business context.
Indicators linked to the campaign
The campaignโs IoCs include RedLine C2 endpoints, related infrastructure, and domains used for impersonation or phishing support. Security teams should treat these indicators as a starting point for investigation, not as the full boundary of the activity.
VMRayโs threat intelligence feed page says UniqueSignal includes file hashes, URLs, domains, IPs, and related observables, along with malware family and victimology context. That kind of context helps defenders move from one indicator to a broader cluster.
| Type | Indicator | Description |
|---|---|---|
| IP | 194.156.79.122 | RedLine Stealer C2 server on port 55615 |
| IP | 85.17.40.98 | Related C2 infrastructure on port 55615 |
| IP | 23.164.48.21 | Related C2 infrastructure on port 55615 |
| IP | 185.252.24.52 | Associated attacker infrastructure |
| IP | 176.114.8.101 | Associated attacker infrastructure |
| IP | 176.114.8.90 | Associated attacker infrastructure |
| IP | 185.252.24.74 | Associated attacker infrastructure |
| IP | 185.252.24.78 | Associated attacker infrastructure |
| IP | 91.108.82.101 | Associated attacker infrastructure |
| IP | 91.108.82.73 | Associated attacker infrastructure |
How defenders should respond
Security teams in shipping, shipbuilding, logistics, and marine equipment supply should review recent inbound emails, especially messages involving shipment documents, supplier changes, quotes, and payment updates. They should also search for the listed domains, IP addresses, and port 55615 connections in mail, proxy, DNS, and endpoint logs.
Because FormBook can steal credentials and collect sensitive data, affected environments should treat a detected infection as an identity incident. FormBook malware can steal data from infected systems and act as a downloader, so remediation should include password resets, session revocation, and endpoint cleanup.
RedLine infections also require quick identity containment. RedLine Stealer has a long history of email-based delivery, and stolen browser data can give attackers access to business accounts even after the original malware file disappears.
- Block the listed domains, URLs, and IP addresses at mail, DNS, proxy, and firewall layers.
- Search logs for connections to port 55615 and related C2 hosts.
- Review email headers for lookalike supplier domains and abnormal sending infrastructure.
- Verify bank-detail changes through a separate trusted channel.
- Reset passwords and revoke active sessions for accounts exposed on infected endpoints.
- Train finance, procurement, and logistics staff to spot supplier impersonation patterns.
A small indicator exposed a broader fraud network
This campaign shows why defenders should avoid treating isolated malware indicators as disposable noise. A single RedLine C2 address led researchers to phishing emails, FormBook delivery, fake domains, and attacker infrastructure aimed at a valuable maritime target.
The risk extends beyond one malware family. The same infrastructure logic can support credential theft, invoice redirection, supplier fraud, and follow-on compromise. For companies that depend on email-driven trade documents, that makes domain monitoring and supplier verification just as important as malware detection.
Maritime operators should also align incident response planning with sector-level cyber risk guidance. The Cyber Centreโs assessment and the IMO guidance both reinforce a practical point: cyber incidents in shipping can affect business continuity, payments, and operational trust.
FAQ
The RedLine C2 pivot revealed a wider maritime phishing and business email compromise campaign involving RedLine Stealer infrastructure, FormBook malware delivery, fake supplier-style domains, and infrastructure aimed at the South Korean maritime industry.
Public reporting names Kangrim Heavy Industries, a South Korean maritime manufacturer, as a target of the phishing activity.
Reporting refers to seven additional fraudulent domains, while the published IoC list includes eight suspicious lookalike or fraudulent domains and one additional linked phishing infrastructure domain.
Maritime phishing attacks are dangerous because shipping and supplier workflows often rely on email for invoices, quotes, cargo documents, and payment instructions. A convincing fake supplier email can lead to credential theft, invoice fraud, or business email compromise.
Security teams should block the listed domains and IPs, search DNS and proxy logs for related activity, investigate port 55615 connections, review suspicious supplier emails, reset exposed credentials, and verify payment changes through separate trusted channels.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages