On July 3 2026 VMRay released a new threat report that illustrates how a single C2 entry point can lead analysts into an entire maritime spear‑phishing ecosystem. The investigation began with one RedLine Stealer command and control (C2) IP and unfolded into a cluster of attacker‑owned domains, servers and email infrastructure used to target South Korean shipping vendors.
The report is structured as a step‑by‑step threat intelligence workflow so that security analysts can reproduce the pivots and immediately apply the findings in their own environments. Below we walk through each phase, highlight key indicators, and provide actionable recommendations for detection and blocking.
1. Background on RedLine Stealer
RedLine is a commodity credential‑stealing malware first seen in early 2020 and sold as Malware‑as‑a‑Service. It harvests browser cookies, autofill data, crypto wallets and logs them for resale on black markets. Though the core infrastructure was dismantled in late 2024 by Operation Magnus, legacy builds and repackaged variants continue to surface in fresh feeds.
2. The Starting Indicator
The pivot chain started with a single IP address pulled from VMRay’s UniqueSignal feed: 194.156.79.122:55615. The port 55615 is non‑standard and highly specific, making it an attractive filter for downstream queries.
- Confirm RedLine attribution via VirusTotal graph.
- Check earliest sample timestamps – all submissions from April 2026.
- Run the IP through VMRay sandbox to capture HTTP traffic.
3. Building a Fingerprint
The sandbox revealed two telltale pieces of the C2: a SOAPAction header pointing at tempuri.org and an Apache/2.4.62 (Unix) OpenSSL/1.0.2k-fips banner served on port 55615. The combination of this high port with that specific server string is unique enough to serve as a fingerprint for further discovery.
4. Expanding the RedLine Thread
Using FOFA, we queried:
port="55615" && server="Microsoft-HTTPAPI/2.0"
The search returned two additional hosts – one confirmed RedLine (85.17.40.98) and a false positive. The new C2 (85.17.40.98) became the next pivot point.
5. Maritime Spear‑Phishing Campaign
VirusTotal relations for 85.17.40.98 yielded dozens of email samples (.eml, .msg). All were sourced from South Korea and targeted “Kangrim Heavy Industries”, a leading marine boiler manufacturer. The emails contained ZIP attachments that delivered Formbook, another infostealer sold as MaaS.
- Senders impersonated legitimate maritime suppliers (e.g., Kryse Group).
- Pretexts mimicked routine shipping correspondence.
- The campaign was highly targeted – a true spear‑phishing effort.
6. Business Email Compromise Context
Business Email Compromise (BEC) relies on social engineering rather than malware payloads. In 2024 BEC accounted for $2.77 billion in losses, making it a high‑value target despite lower visibility.
- Disposability of payloads vs longevity of distribution infrastructure.
- Blocking sender domains and IPs can prevent future attacks.
7. Identifying Attacker‑Owned Infrastructure
The campaign used five sender addresses:
Three domains (bourbon-online.com, shengan-light.com.tw, macgregor.com) were legitimate and likely compromised or spoofed. The remaining two – krysegroupllc.online and bscl.global – appeared attacker‑owned based on recent registrations and passive DNS activity.
8. Pivot to a Cluster of Fraudulent Domains
We queried FOFA for:
org="TheHost LLC" && server="Apache/2.4.62 (Unix) OpenSSL/1.0.2k-fips"
The results yielded seven additional domains with short, llc‑style names hosted on the same provider:
- acasiallc.shop
- ansysllc.shop
- softinsallc.online
- amdocsllc.shop
- taicom.top
- cementsservices.online
- epsilongroup.online
Each domain resolved to a unique IP, most of which were active in 2025 or later. The naming pattern and host fingerprint confirm they are part of the same attacker infrastructure.
9. Recommendations for Detection & Blocking
- Block all identified sender addresses and domains at your email gateway.
- Add the listed IPs to firewall block lists and SIEM correlation rules.
- Deploy domain reputation services that flag .shop, .online, .top TLDs with llc suffixes when used in business emails.
- Implement user training focused on maritime supply‑chain scenarios and BEC warning signs.
10. Conclusion
The investigation demonstrates how a single indicator from a threat feed can cascade into a fully fledged phishing distribution network. By capturing the unique fingerprint of the RedLine C2 and systematically pivoting through FOFA, VirusTotal, and passive DNS, analysts were able to expose attacker‑owned domains that outlive the underlying malware. Blocking this infrastructure provides durable protection against future spear‑phishing attempts in the maritime sector.