Threat Advisory

Secure Maritime Email Gateways Against Spear‐Phishing Campaigns

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

The campaign is attributed to the group known as UniqueSignal, a financially motivated actor that combines espionage techniques with ransomware‐style extortion. It operates as a business‐email compromise (BEC) operation built around a RedLine command‐and‐control server that redirects victims to a maritime‐focused phishing infrastructure. Targets include shipping firms, port authorities, and logistics providers across Europe and North America. The primary objective is to harvest credentials and financial approval workflows, enabling fraudulent wire transfers and, in some cases, exfiltration of cargo manifests for resale on the dark market.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

The campaign is attributed to the group known as UniqueSignal, a financially motivated actor that combines espionage techniques with ransomware‐style extortion. It operates as a business‐email compromise (BEC) operation built around a RedLine command‐and‐control server that redirects victims to a maritime‐focused phishing infrastructure. Targets include shipping firms, port authorities, and logistics providers across Europe and North America. The primary objective is to harvest credentials and financial approval workflows, enabling fraudulent wire transfers and, in some cases, exfiltration of cargo manifests for resale on the dark market.[emaillocker id="1283"]

The infection chain begins with a spear‐phishing email that carries a malicious Word document or PDF containing a macro payload. When the macro runs, it drops a lightweight loader that contacts the RedLine C2 and receives encrypted instructions. The loader establishes persistence by creating a scheduled task and then spreads laterally using stolen credentials over SMB. Inside compromised hosts, the malware encrypts selected files, exfiltrates credential caches, and signals back to the C2 for further commands, effectively giving the attackers continuous control of the network.

The threat is significant because the combination of credential theft and encrypted file ransomware creates both financial loss and operational disruption for maritime organisations that rely on timely data flows. Its use of legitimate cloud‐based C2 channels and low‐profile loaders makes detection difficult for traditional signature tools, while the lateral movement over trusted protocols evades network‐based alerts. Companies should enforce multi‐factor authentication for privileged accounts, segment critical systems, and keep email gateways hardened against macro‐laden attachments. Regular backups, continuous endpoint monitoring, and rapid incident response playbooks will reduce dwell time and limit the impact of an intrusion.

THREAT PROFILE:

 

Tactic Technique ID Technique Sub-technique
Resource Development T1583.001 Acquire Infrastructure Domains
Initial Access T1566.001 Phishing Spearphishing Attachment
Initial Access T1566.002 Phishing Spearphishing Link
Command and Control T1071.001 Application Layer Protocol Web Protocols
Command and Control T1071.003 Application Layer Protocol Mail Protocols

REFERENCES:

reports contain further technical details:
https://cybersecuritynews.com/redline-c2-pivot-reveals-seven-fraudulent-domains/
https://www.vmray.com/the-redline-thread-that-led-to-a-maritime-bec-infrastructure-cluster/

[/emaillocker]
crossmenu