RedLine C2 Pivot Exposes Maritime Phishing Infrastructure and Fraud Domains


A RedLine Stealer command and control server helped researchers uncover a wider phishing and business email compromise campaign targeting the maritime supply chain. The investigation started with one suspicious C2 endpoint, 194.156.79.122 on port 55615, and expanded into a cluster of malware servers, fake company domains, and shipment-themed phishing emails.

The activity was aimed at the South Korean maritime industry, including Kangrim Heavy Industries, according to a GBHackers report. Researchers linked the campaign to RedLine Stealer infrastructure, FormBook malware delivery, and domains designed to impersonate maritime suppliers or related businesses.

The case shows how a single malware indicator can reveal a much larger fraud network. It also highlights why shipping, manufacturing, and logistics companies remain attractive targets for attackers who want access to invoices, supplier conversations, and payment flows.

How one RedLine C2 server led to the maritime phishing campaign

The investigation began with a RedLine Stealer C2 address seen on port 55615. Researchers used that unusual infrastructure clue to pivot across related servers, certificates, hosting patterns, and malware samples.

That process connected the initial RedLine endpoint to additional infrastructure used for FormBook delivery. VMRay says its UniqueSignal threat intelligence feed provides high-confidence indicators with malware family context, TTPs, and victimology details, which fits the type of pivoting used in this case.

Instead of stopping at one IP address, the investigation mapped infrastructure relationships. That approach helped expose attacker-owned domains used to support phishing, mail delivery, and supplier impersonation.

FindingDetails
Initial C2 indicator194.156.79.122:55615
Main malware familiesRedLine Stealer and FormBook
Target sectorMaritime, shipping, and related manufacturing
Named targetKangrim Heavy Industries
Attack styleSpear phishing and business email compromise
Key riskCredential theft, supplier impersonation, and invoice fraud

Why RedLine and FormBook matter in this campaign

RedLine Stealer is widely used by cybercriminals to collect sensitive data from infected computers. Proofpoint documented RedLine activity as early as 2020, when it observed campaigns delivering the malware through email-based lures.

FormBook adds another layer of risk. Check Point describes FormBook as an infostealer first discovered in 2016 that can steal browser credentials, capture screenshots, log keystrokes, and download additional malicious files.

In a maritime business setting, stolen credentials can matter as much as malware persistence. Attackers can use one compromised mailbox to monitor supplier conversations, alter payment instructions, or insert fake documents into active negotiations.

Fraudulent domains used fake supplier identities

The campaign used domains that looked like legitimate company names. Several followed a short business-name pattern with โ€œllcโ€ or industry-style wording, which can make a message look normal during a busy procurement or shipping workflow.

The reported infrastructure included seven additional fraudulent domains tied to the pivot, while the published IoC set lists eight suspicious lookalike domains and one linked domain. This difference matters because defenders should block and review the full set, not only the number used in the headline.

These domains were not just random names. They were built for social engineering. A recipient dealing with shipping quotes, equipment orders, spare parts, or invoices may not notice a fake supplier domain if the email matches an ongoing business process.

DomainRole in the reporting
acasiallc.shopFraudulent business-style domain
amdocsllc.shopFraudulent business-style domain
ansysllc.shopFraudulent business-style domain
cimentosservices.onlineFraudulent business-style domain
epsilongroup.onlineFraudulent business-style domain
softinsallc.onlineFraudulent business-style domain
taicom.topFraudulent business-style domain
krysegroupllc.onlineFraudulent business-style domain
shengan-light.com.twLinked phishing infrastructure domain

Why maritime companies are exposed to this type of phishing

Maritime organizations rely heavily on email for quotes, vessel schedules, invoices, supplier updates, port coordination, and cargo documents. That creates opportunities for attackers who can imitate a vendor, forwarder, or equipment supplier with enough detail.

The Canadian Centre for Cyber Security warned in its marine transportation threat assessment that financially motivated cybercriminals will continue to target marine transportation and supporting organizations through extortion and stolen business information.

Attack flow (Source – VMRAY)

The International Maritime Organization also treats maritime cyber risk as a safety and security issue. Its maritime cyber risk guidance defines the risk as a threat to technology assets that can lead to shipping-related operational, safety, or security failures.

  • Supplier conversations often involve high-value payments.
  • Invoices and bank details move through email chains.
  • Many companies work with global partners across time zones.
  • Attackers can impersonate vendors with newly registered domains.
  • One stolen mailbox can expose months of business context.

Indicators linked to the campaign

The campaignโ€™s IoCs include RedLine C2 endpoints, related infrastructure, and domains used for impersonation or phishing support. Security teams should treat these indicators as a starting point for investigation, not as the full boundary of the activity.

VMRayโ€™s threat intelligence feed page says UniqueSignal includes file hashes, URLs, domains, IPs, and related observables, along with malware family and victimology context. That kind of context helps defenders move from one indicator to a broader cluster.

TypeIndicatorDescription
IP194.156.79.122RedLine Stealer C2 server on port 55615
IP85.17.40.98Related C2 infrastructure on port 55615
IP23.164.48.21Related C2 infrastructure on port 55615
IP185.252.24.52Associated attacker infrastructure
IP176.114.8.101Associated attacker infrastructure
IP176.114.8.90Associated attacker infrastructure
IP185.252.24.74Associated attacker infrastructure
IP185.252.24.78Associated attacker infrastructure
IP91.108.82.101Associated attacker infrastructure
IP91.108.82.73Associated attacker infrastructure

How defenders should respond

Security teams in shipping, shipbuilding, logistics, and marine equipment supply should review recent inbound emails, especially messages involving shipment documents, supplier changes, quotes, and payment updates. They should also search for the listed domains, IP addresses, and port 55615 connections in mail, proxy, DNS, and endpoint logs.

Because FormBook can steal credentials and collect sensitive data, affected environments should treat a detected infection as an identity incident. FormBook malware can steal data from infected systems and act as a downloader, so remediation should include password resets, session revocation, and endpoint cleanup.

RedLine infections also require quick identity containment. RedLine Stealer has a long history of email-based delivery, and stolen browser data can give attackers access to business accounts even after the original malware file disappears.

  1. Block the listed domains, URLs, and IP addresses at mail, DNS, proxy, and firewall layers.
  2. Search logs for connections to port 55615 and related C2 hosts.
  3. Review email headers for lookalike supplier domains and abnormal sending infrastructure.
  4. Verify bank-detail changes through a separate trusted channel.
  5. Reset passwords and revoke active sessions for accounts exposed on infected endpoints.
  6. Train finance, procurement, and logistics staff to spot supplier impersonation patterns.

A small indicator exposed a broader fraud network

This campaign shows why defenders should avoid treating isolated malware indicators as disposable noise. A single RedLine C2 address led researchers to phishing emails, FormBook delivery, fake domains, and attacker infrastructure aimed at a valuable maritime target.

The risk extends beyond one malware family. The same infrastructure logic can support credential theft, invoice redirection, supplier fraud, and follow-on compromise. For companies that depend on email-driven trade documents, that makes domain monitoring and supplier verification just as important as malware detection.

Maritime operators should also align incident response planning with sector-level cyber risk guidance. The Cyber Centreโ€™s assessment and the IMO guidance both reinforce a practical point: cyber incidents in shipping can affect business continuity, payments, and operational trust.

FAQ

What did the RedLine C2 pivot reveal?

The RedLine C2 pivot revealed a wider maritime phishing and business email compromise campaign involving RedLine Stealer infrastructure, FormBook malware delivery, fake supplier-style domains, and infrastructure aimed at the South Korean maritime industry.

Which maritime company was targeted in the campaign?

Public reporting names Kangrim Heavy Industries, a South Korean maritime manufacturer, as a target of the phishing activity.

How many fraudulent domains were found?

Reporting refers to seven additional fraudulent domains, while the published IoC list includes eight suspicious lookalike or fraudulent domains and one additional linked phishing infrastructure domain.

Why are maritime phishing attacks dangerous?

Maritime phishing attacks are dangerous because shipping and supplier workflows often rely on email for invoices, quotes, cargo documents, and payment instructions. A convincing fake supplier email can lead to credential theft, invoice fraud, or business email compromise.

What should security teams do about the RedLine maritime phishing IoCs?

Security teams should block the listed domains and IPs, search DNS and proxy logs for related activity, investigate port 55615 connections, review suspicious supplier emails, reset exposed credentials, and verify payment changes through separate trusted channels.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages