Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Critical ModSecurity Flaws Let Attackers Bypass Firewall Rules
July 6, 2026
Moody Bible Institute Data Breach Exposes 2.3 Million Users’ Personal Data
July 6, 2026
Home/Threats/RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
Threats

RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks

Key Takeaways A single RedLine Stealer command and control (C2) server led researchers to uncover a sophisticated phishing and business email compromise (BEC) operation targeting the maritime...

Sarah simpson
Sarah simpson
July 6, 2026 2 Min Read
2 0

Key Takeaways

  • A single RedLine Stealer command and control (C2) server led researchers to uncover a sophisticated phishing and business email compromise (BEC) operation targeting the maritime shipping industry.
  • The attackers utilized at least seven fraudulent domains, meticulously crafted to impersonate legitimate maritime suppliers, facilitating spear phishing attempts.
  • The campaign deployed both RedLine Stealer and Formbook malware, designed to exfiltrate sensitive data such as credentials, browser cookies, and cryptocurrency wallet information.
  • Victims included a South Korean marine manufacturer, highlighting the targeted nature and significant financial risk posed to the maritime supply chain.

Unmasking a Maritime Phishing Ring

A routine investigation into RedLine Stealer activity unexpectedly exposed a wide-ranging phishing operation specifically targeting the global maritime shipping sector. What began as an analysis of a single command and control (C2) server quickly expanded, revealing a network of seven deceptive domains designed to ensnare companies within the maritime supply chain.

Table Of Content

  • Key Takeaways
  • Unmasking a Maritime Phishing Ring
  • From C2 to Coordinated Campaign
  • The Strategy: Fraudulent Domains and Impersonation

RedLine Stealer, first observed around 2020, has become a prevalent information-stealing malware. It typically propagates through compromised software, malicious advertisements, and phishing emails, silently extracting sensitive data like passwords, browser cookies, and cryptocurrency wallet details from infected systems. Its accessibility and low cost on underground forums have made it a favored tool among various criminal groups.

From C2 to Coordinated Campaign

Analysts at VMRay said in a report shared with Cyber Security News (CSN) that a specific RedLine C2 address, identified through their UniqueSignal threat feed, served as the initial thread in a much larger investigation. This server, located at 194.156.79.122 and operating on the uncommon port 55615, initially appeared to be a typical, ephemeral RedLine backend. However, it quickly became the linchpin for uncovering a sophisticated spear phishing and business email compromise (BEC) campaign.

Leveraging fingerprinting techniques with tools such as FOFA and VirusTotal, researchers identified additional C2 servers that shared distinct characteristics with the original infrastructure. These findings shifted the focus from generic infostealer activity to a highly targeted spear phishing campaign aimed at a South Korean maritime manufacturer.

The investigation ultimately linked malware distribution, fabricated business emails, and a cluster of recently registered domains meticulously designed to mimic legitimate maritime suppliers. This intricate combination of technical infrastructure and social engineering made the campaign particularly challenging to detect using conventional indicators of compromise alone.

The Strategy: Fraudulent Domains and Impersonation

A critical discovery was the identification of seven fraudulent domains. These domains were all hosted on the same infrastructure provider and exhibited consistent naming patterns and TLS certificate details. Examples include acasiallc.shop, amdocsllc.shop, and <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/e59c4ad6-abf2-4869-8fb2-6060757d4de0/RedLine-C2-Pivot-Reveals-Seven-Fraudulent-Domains-Used-in-Maritime-Phishing-Attacks.pdf?AWSAccessKeyId=ASIA2F3EMEYEVXMPRSIT&Signature=3B%2BmgRojW7P%2FEpDf1HFTTXGHJK8%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEIr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQCzd3GwrpaEYBEqDsM1NPivU9EOgPuoVr66J%2Ftr1CTadwIgFR3IElNqGnj%2FDQwNIUKoxQdLZhhXEEPhwP8OQEENTw0q8wQIUxABGgw2OTk3NTMzMDk3MDUiDPbtM6AEnuC5Nmc%2FTyrQBMuvPdB4D4kCqbh5v1zQOaYEVjEz2uFz%2FD4A8t1yN8uuCzUsJijUmpAhLw6TOjGoAqXQkh1j3RpTCXsN86hJpaWbrbhkhQpMS85xslYpVLd6yZveA6kzbp5JB1Lqy3ZK2s2t%2BKhQSfE2b06fxq5v3ivYjYH58W8sdmuxno1upyliX5G46imSSbuShrYKpP6gdWnl1U2j3Qa3iUFaql9uXBDWT5cOZSmyQ%2FG1vYHxuDj9GoKVQKysGG3bSeFdmcgtrUOGUEI8M4rL1sDjf4t7j6BCGAPYrvD0V%2F%2FGEyzodP0IsdE%2FeIBuCF1%2FvZTC%2B6RbMwe%2FSpZ7IcYVAjwYM6C0%2B3av5zlpcjAIgbG%2FopYmhiF5tkd10C56h4MB3iWl0IZHm6h5Jiok7%2ByYVAW453XlnDRiLubD2wsdGWSF99kPDgbAYf6kiAzQqJmfLZB%2F0bGuJ4rxgmWaYMGDFkAadRidG7nFbPmw93pLQcTB0Hf6Aq%2BasM81z1Y3b6SBFQiBQYJh3ZzeoxcNlVlDY7GbsDTE86Z71pEIdXqb9ZFjC7rSuApYvV2YRgwRIW4XPzV2AZLM1gJ6ua%2BryK9KJ%2FXmni0zG87DqYSSAYc9u

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Teen Arrested for Bandai Channel Cyberattack Aided by ChatGPT

Next Post

Moody Bible Institute Data Breach Exposes 2.3 Million Users’ Personal Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Agent Skill Malware Targets AI Models Claude and OpenAI Codex
July 6, 2026
TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us