VYPR
researchPublished Jul 6, 2026· 1 source

RedLine Stealer Pivot Uncovers Maritime Phishing Campaign Using Fake Domains

A leaked RedLine Stealer C2 server led researchers to a sophisticated phishing campaign targeting a South Korean maritime manufacturer with fraudulent domains and spoofed business emails.

Researchers have uncovered a targeted phishing campaign that leveraged a leaked RedLine Stealer command and control (C2) server to reveal a network of seven fraudulent domains. This operation, focused on the maritime shipping industry, employed social engineering tactics by impersonating legitimate suppliers to insert fake company personas into ongoing business negotiations. The investigation, initiated by analyzing traffic from a single RedLine C2 server, evolved into a broader discovery of a coordinated spear-phishing and business email compromise (BEC) scheme.

RedLine Stealer, a prevalent information-stealing malware since its emergence around 2020, typically spreads through compromised software, malicious advertisements, and phishing attachments. It is known for exfiltrating sensitive data such as passwords, browser cookies, and cryptocurrency wallet information from infected systems. Its affordability on underground forums has made it a popular tool among various cybercriminal actors.

Analysts at VMRay, utilizing their UniqueSignal threat intelligence feed, identified a RedLine C2 server at IP address 194.156.79.122 on port 55615. This non-standard port served as a crucial fingerprint for tracing related infrastructure. Through advanced fingerprinting techniques using tools like FOFA and VirusTotal, the researchers identified additional C2 nodes exhibiting similar characteristics to the initial server. This pivot led them away from typical information-stealing activities and directly into the spear-phishing campaign.

The investigation traced the malware samples associated with the identified infrastructure to spear-phishing emails targeting Kangrim Heavy Industries, a significant South Korean manufacturer of marine boilers and industrial equipment. The emails were crafted to mimic legitimate maritime supply chain companies and delivered Formbook malware, another long-standing information stealer often offered as a malware-as-a-service. The campaign's timeline indicated activity dating back to April 2026, suggesting it had been operating discreetly for a considerable period.

A key finding of the investigation was the discovery of seven fraudulent domains, all hosted by the same provider and sharing similar naming conventions and TLS certificate details. Domains such as 'acasiallc.shop', 'amdocsllc.shop', and 'ansysllc.shop' were designed to appear as legitimate business entities, a tactic aimed at deceiving recipients. These lookalike domains were used in conjunction with fabricated company personas to infiltrate ongoing shipment negotiations, a common tactic in BEC fraud.

The attackers demonstrated resilience by quickly registering replacement domains whenever older ones were identified or blocked, ensuring the campaign's continuity. VMRay researchers recommended that maritime companies enhance their security posture by meticulously inspecting email headers, verifying supplier communications through separate channels, and actively monitoring for suspicious domains that mimic legitimate vendor names. They also emphasized the importance of improved email filtering and regular staff awareness training.

The broader implications of this campaign highlight the persistent attractiveness of the shipping and logistics sector to cybercriminals due to the high value of cargo, invoices, and established vendor relationships. The case underscores the effectiveness of pivoting on seemingly minor technical indicators, such as unusual server ports, to uncover larger, more complex criminal operations. Security professionals in the maritime industry and related sectors are advised to treat such anomalies as critical early warning signs.

Synthesized by Vypr AI