216.73.216.86

A single RedLine C2 pivots into a maritime spear-phishing cluster and attacker-owned infrastructure.

· Published 02/07/2026 13:29

Export JSON

Essential information

Published
02/07/2026 13:29
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
business email compromise casbaneiro domain impersonation formbook infrastructure pivoting maritime sector targeting metamorfo redline stealer south korean victims spear-phishing xloader
Related entities
27 indicators, 27 observables, 20 techniques (mitre), 5 malware

Description

An investigation beginning with a single C2 server from VMRay UniqueSignal evolved into uncovering a targeted campaign against South Korean maritime infrastructure. The analysis started with IP 194.156.79.122 on port 55615, leveraging fingerprinting techniques through FOFA and VirusTotal to identify additional C2 infrastructure. Pivoting through communicating files revealed emails targeting Kangrim Heavy Industries, a major South Korean marine boiler manufacturer. The campaign delivered malware through impersonated maritime supply chain companies. Further infrastructure analysis identified seven fraudulent domains hosted on TheHost LLC infrastructure, utilizing similar naming patterns and TLS certificates. The attack demonstrates sophisticated BEC tactics combining malware delivery with social engineering, mimicking legitimate business correspondence within the maritime shipping sector.

External references