RedLine C2 Leads To Maritime Spear Phishing Cluster And Attacker Owned Infrastructure

On July 3 2026 VMRay released a new threat report that illustrates how a single C2 entry point can lead analysts into an entire maritime spear‑phishing ecosystem. The investigation began with one RedLine Stealer command and control (C2) IP and unfolded into a cluster of attacker‑owned domains, servers and email infrastructure used to target South Korean shipping vendors.

The report is structured as a step‑by‑step threat intelligence workflow so that security analysts can reproduce the pivots and immediately apply the findings in their own environments. Below we walk through each phase, highlight key indicators, and provide actionable recommendations for detection and blocking.

1. Background on RedLine Stealer

RedLine is a commodity credential‑stealing malware first seen in early 2020 and sold as Malware‑as‑a‑Service. It harvests browser cookies, autofill data, crypto wallets and logs them for resale on black markets. Though the core infrastructure was dismantled in late 2024 by Operation Magnus, legacy builds and repackaged variants continue to surface in fresh feeds.

2. The Starting Indicator

The pivot chain started with a single IP address pulled from VMRay’s UniqueSignal feed: 194.156.79.122:55615. The port 55615 is non‑standard and highly specific, making it an attractive filter for downstream queries.

  • Confirm RedLine attribution via VirusTotal graph.
  • Check earliest sample timestamps – all submissions from April 2026.
  • Run the IP through VMRay sandbox to capture HTTP traffic.

3. Building a Fingerprint

The sandbox revealed two telltale pieces of the C2: a SOAPAction header pointing at tempuri.org and an Apache/2.4.62 (Unix) OpenSSL/1.0.2k-fips banner served on port 55615. The combination of this high port with that specific server string is unique enough to serve as a fingerprint for further discovery.

4. Expanding the RedLine Thread

Using FOFA, we queried:

port="55615" && server="Microsoft-HTTPAPI/2.0"

The search returned two additional hosts – one confirmed RedLine (85.17.40.98) and a false positive. The new C2 (85.17.40.98) became the next pivot point.

5. Maritime Spear‑Phishing Campaign

VirusTotal relations for 85.17.40.98 yielded dozens of email samples (.eml, .msg). All were sourced from South Korea and targeted “Kangrim Heavy Industries”, a leading marine boiler manufacturer. The emails contained ZIP attachments that delivered Formbook, another infostealer sold as MaaS.

  • Senders impersonated legitimate maritime suppliers (e.g., Kryse Group).
  • Pretexts mimicked routine shipping correspondence.
  • The campaign was highly targeted – a true spear‑phishing effort.

6. Business Email Compromise Context

Business Email Compromise (BEC) relies on social engineering rather than malware payloads. In 2024 BEC accounted for $2.77 billion in losses, making it a high‑value target despite lower visibility.

  • Disposability of payloads vs longevity of distribution infrastructure.
  • Blocking sender domains and IPs can prevent future attacks.

7. Identifying Attacker‑Owned Infrastructure

The campaign used five sender addresses:

Three domains (bourbon-online.com, shengan-light.com.tw, macgregor.com) were legitimate and likely compromised or spoofed. The remaining two – krysegroupllc.online and bscl.global – appeared attacker‑owned based on recent registrations and passive DNS activity.

8. Pivot to a Cluster of Fraudulent Domains

We queried FOFA for:

org="TheHost LLC" && server="Apache/2.4.62 (Unix) OpenSSL/1.0.2k-fips"

The results yielded seven additional domains with short, llc‑style names hosted on the same provider:

  • acasiallc.shop
  • ansysllc.shop
  • softinsallc.online
  • amdocsllc.shop
  • taicom.top
  • cementsservices.online
  • epsilongroup.online

Each domain resolved to a unique IP, most of which were active in 2025 or later. The naming pattern and host fingerprint confirm they are part of the same attacker infrastructure.

9. Recommendations for Detection & Blocking

  • Block all identified sender addresses and domains at your email gateway.
  • Add the listed IPs to firewall block lists and SIEM correlation rules.
  • Deploy domain reputation services that flag .shop, .online, .top TLDs with llc suffixes when used in business emails.
  • Implement user training focused on maritime supply‑chain scenarios and BEC warning signs.

10. Conclusion

The investigation demonstrates how a single indicator from a threat feed can cascade into a fully fledged phishing distribution network. By capturing the unique fingerprint of the RedLine C2 and systematically pivoting through FOFA, VirusTotal, and passive DNS, analysts were able to expose attacker‑owned domains that outlive the underlying malware. Blocking this infrastructure provides durable protection against future spear‑phishing attempts in the maritime sector.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading