A recent investigation into RedLine Stealer’s command and control (C2) infrastructure has exposed a sophisticated phishing campaign targeting the maritime industry. This operation utilized seven fraudulent domains designed to impersonate legitimate maritime supply chain companies, aiming to deceive and compromise organizations within this sector.
RedLine Stealer, first identified around 2020, is a prevalent information-stealing malware that extracts sensitive data such as passwords, browser cookies, and cryptocurrency wallet information from infected systems. It typically spreads through cracked software, malicious advertisements, and phishing emails. Its affordability and accessibility on underground forums have made it a favored tool among cybercriminals.
Security researchers at VMRay, through their UniqueSignal threat feed, identified a specific RedLine C2 server at IP address 194.156.79.122, operating on the uncommon port 55615. This discovery led to a broader investigation, revealing a coordinated spear-phishing and business email compromise (BEC) campaign. The attackers employed advanced fingerprinting techniques using tools like FOFA and VirusTotal to identify additional servers with similar characteristics, indicating a well-organized infrastructure supporting the campaign.
The investigation uncovered that the campaign specifically targeted Kangrim Heavy Industries, a prominent South Korean manufacturer of marine boilers and industrial equipment. The attackers sent spear-phishing emails that mimicked communications from legitimate maritime supply chain companies. These emails contained Formbook malware, another information-stealing tool sold as malware-as-a-service, highlighting the attackers’ use of multiple malicious tools to achieve their objectives.
Further analysis revealed seven fraudulent domains, all hosted by the same infrastructure provider and exhibiting similar naming conventions and TLS certificate details. Domains such as acasiallc.shop, amdocsllc.shop, and ansysllc.shop were crafted to closely resemble legitimate companies, enhancing the credibility of the phishing attempts. This strategic impersonation underscores the attackers’ efforts to exploit trust within the maritime supply chain.
The campaign’s timeline, with submissions dating back to April 2026, indicates a prolonged and targeted effort against the maritime sector. Unlike broad, indiscriminate phishing attacks, this operation was meticulously planned, focusing on specific organizations within the industry. The combination of technical infrastructure and social engineering tactics employed made detection challenging, as standard indicators were insufficient to identify the threat.
This incident highlights the evolving nature of cyber threats, where attackers are increasingly targeting specific industries with tailored campaigns. Organizations within the maritime sector must remain vigilant, implementing robust cybersecurity measures and fostering a culture of awareness to defend against such sophisticated attacks. The use of multiple malware strains and the creation of convincing fraudulent domains demonstrate the lengths to which cybercriminals will go to achieve their objectives, emphasizing the need for continuous monitoring and proactive defense strategies.