RedLine C2 Pivot Reveals Seven Fraudulent Domains Used in Maritime Phishing Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A single leaked command and control server ended up unraveling an entire phishing operation aimed at the maritime shipping world.

What started as a routine look at RedLine Stealer traffic turned into the discovery of seven fake domains built to trick companies in the maritime supply chain.

RedLine Stealer has been one of the most common pieces of information stealing malware since it first showed up around 2020.

It typically spreads through cracked software, malicious ads, and phishing attachments, then quietly pulls passwords, browser cookies, and cryptocurrency wallet data off infected machines.

Since it is sold cheaply on underground forums, RedLine has attracted a wide range of criminal operators over the years.

Analysts at VMRay said in a report shared with Cyber Security News (CSN) that a single RedLine C2 address pulled from their UniqueSignal threat feed opened the door to a much larger investigation.

The server, reachable at 194.156.79.122 over port 55615, initially looked like just another disposable RedLine backend. Instead, it became the starting point for tracing a coordinated spear phishing and business email compromise campaign.

Using fingerprinting techniques through tools like FOFA and VirusTotal, the researchers found more servers sharing distinctive traits with the original infrastructure.

Following those clues led them away from ordinary infostealer activity and straight into a spear phishing campaign targeting a South Korean maritime manufacturer.

Attack flow (Source – VMRAY)

The trail eventually connected malware delivery, spoofed business emails, and a cluster of freshly registered domains built solely to impersonate legitimate maritime suppliers.

That combination of technical infrastructure and social engineering made the campaign harder to spot using standard indicators alone.

RedLine C2 Pivot Reveals Seven Fraudulent Domains

The story begins with a specific and unusual detail. Port 55615 is not a standard port for web traffic, which made it a useful fingerprint for hunting related servers.

Pivoting on that port number, combined with server banner information, led researchers to additional RedLine and Formbook command and control nodes sharing the same infrastructure style.

Following the malware samples associated with those servers, the team found spear phishing emails aimed at Kangrim Heavy Industries, a major South Korean manufacturer of marine boilers and industrial equipment.

The emails imitated legitimate maritime supply chain companies and carried Formbook malware, a long running infostealer often sold as malware as a service.

The campaign’s timeline traced back to submissions beginning in April 2026, showing that this activity had been running quietly for some time before it was caught.

Rather than a single spray and pray email blast, this looked like a carefully targeted operation built around a specific industry and a specific victim profile.

Fraudulent Domains And Fake Companies

The second key finding was the discovery of seven fraudulent domains, all hosted on the same infrastructure provider and sharing similar naming patterns and TLS certificate details.

Domains like acasiallc.shop, amdocsllc.shop, and ansysllc.shop were built to sound like real business names, a tactic designed to slip past a distracted reader’s attention.

These lookalike domains were paired with fake company personas designed to insert themselves into ongoing shipment negotiations, a fraud style closely related to Business Email Compromise.

Instead of pretending to be one specific company, the attackers used a rotating set of invented business identities, which let them keep the deception going even if one domain got flagged or blocked.

VMRay noted that the attackers appeared to register replacement domains quickly whenever older ones were burned, keeping the campaign resilient against takedown efforts.

The researchers recommended that maritime companies inspect email headers closely, verify supplier communications through a separate channel, and monitor for suspicious domains resembling legitimate vendor names.

They also suggested improved email filtering and staff awareness training as practical steps, since the campaign relied more on convincing pretexts than on advanced exploits.

The bigger picture here is a reminder that shipping and logistics firms remain attractive targets because of the high value cargo, invoices, and vendor relationships involved.

A single infected machine or misplaced click on a fake supplier invoice can lead to real financial losses in an industry where deals are often confirmed by email alone.

This case also shows the value of pivoting from small technical clues, since one leaked C2 address unraveled a much wider fraud network.

Defenders in maritime and adjacent industries would do well to treat unusual server ports and newly registered lookalike domains as early warning signs rather than background noise.

Indicators of Compromise (IoCs):-

Type Indicator Description
IP 194.156.79.122 RedLine Stealer C2 server, port 55615
IP 85.17.40.98 Related C2 infrastructure, port 55615
IP 23.164.48.21 Related C2 infrastructure, port 55615
IP 185.252.24.52 Associated attacker infrastructure
IP 176.114.8.101 Associated attacker infrastructure
IP 176.114.8.90 Associated attacker infrastructure
IP 185.252.24.74 Associated attacker infrastructure
IP 185.252.24.78 Associated attacker infrastructure
IP 91.108.82.101 Associated attacker infrastructure
IP 91.108.82.73 Associated attacker infrastructure
URL http://194.156.79.122:55615 RedLine Stealer C2 endpoint
URL http://85.17.40.98:55615 Related C2 endpoint
URL http://23.164.48.21:55615 Related C2 endpoint
Domain acasiallc.shop Fraudulent domain impersonating a business name
Domain amdocsllc.shop Fraudulent domain impersonating a business name
Domain ansysllc.shop Fraudulent domain impersonating a business name
Domain cimentosservices.online Fraudulent domain impersonating a business name
Domain epsilongroup.online Fraudulent domain impersonating a business name
Domain softinsallc.online Fraudulent domain impersonating a business name
Domain taicom.top Fraudulent domain impersonating a business name
Domain krysegroupllc.online Fraudulent domain impersonating a business name
Domain shengan-light.com.tw Domain linked to the phishing infrastructure

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.