4 min read By Excello Mail Team

Seven Fake Domains, One RedLine Trail: The Maritime BEC Campaign That Shows What DMARC Cannot See

Researchers pivoted off a single RedLine infostealer C2 address and uncovered seven freshly registered lookalike domains built to impersonate maritime suppliers in a targeted BEC campaign. None of them needed to break anyone's DMARC record, and that is exactly the point.

A single command-and-control address tied to the RedLine infostealer, flagged on a non-standard high port, turned out to be the loose thread that unraveled an entire phishing operation. Researchers pivoting off that one indicator, cross-referencing hosting patterns, TLS certificate details, and sandbox telemetry, traced it to a cluster of seven freshly registered domains built for a single purpose: impersonating real companies in the maritime supply chain. The campaign’s target was Kangrim Heavy Industries, a South Korean manufacturer that holds more than 60% of the world market for marine and industrial boilers, and the lures were tailored, shipment-specific messages rather than generic spam.

The emails carried malicious ZIP attachments delivering Formbook, a long-running infostealer sold as malware-as-a-service, with the RedLine indicator that started the investigation tied to the same delivery infrastructure. Submissions tracing back to April 2026 suggest this was live, ongoing infrastructure at the time researchers found it, not a one-off blast.

Domains Built to Look Like Someone Else

The seven domains shared a naming pattern: a shortened company name paired with an “llc” suffix and a cheap top-level domain, things like acasiallc.shop, amdocsllc.shop, and ansysllc.shop. One of them, krysegroupllc.online, was registered in mid-2025 specifically to impersonate Kryse Group, a real supplier in this space. All seven sat on the same infrastructure provider, sharing hosting and certificate fingerprints closely enough that finding one meant finding the rest.

This is not domain spoofing in the sense DMARC was built to stop. Nobody forged Kryse Group’s real “From” header. The attackers registered a brand-new domain that merely resembles Kryse Group’s name, stood up their own mail infrastructure behind it, and sent mail that authenticates perfectly under its own SPF, DKIM, and DMARC records, because it is, technically, exactly what it claims to be: mail from krysegroupllc.online, sent by whoever controls krysegroupllc.online.

Why DMARC Enforcement Did Not Stop This, and What It Did Do

That distinction matters, and it is worth sitting with rather than dismissing as a DMARC failure. DMARC protects a domain from being impersonated directly, someone forging mail that claims to come from kysegroup.com without owning it. It does not, and by design cannot, stop someone from registering a different domain that merely looks similar and speaking through it honestly.

Look at the attacker’s choice here, though. They did not attempt to spoof Kryse Group’s actual domain. They built a lookalike instead. That is not a coincidence; it is usually the fallback when the real domain has closed the direct spoofing path, or when the campaign is judged easier to run and harder to trace through fresh infrastructure the attacker fully controls. Enforced authentication on the real supplier domains raised the cost enough that the attackers went a different route. The blind spot that remains is the one enforcement was never designed to cover.

Closing the Gap That DMARC Leaves Open

Three practical layers close that remaining gap without waiting on a new protocol:

Monitor for lookalikes, not just spoofing attempts. DMARC aggregate reports tell a domain owner who is trying to send mail as them. They say nothing about the acasiallc.shop-style domains registered to impersonate them or their suppliers by name. That requires separate domain and brand monitoring, watching new registrations that combine your company name or a close supplier’s name with common suffixes and cheap TLDs.

Push authentication requirements out to the supply chain. A company that enforces p=reject on its own domain has closed the direct spoofing path for its own name. It has done nothing yet for the forty suppliers, freight forwarders, and customs brokers it exchanges shipment paperwork with, every one of which is a name an attacker can wrap into a lookalike domain instead.

Verify payment and shipment changes out of band. No authentication protocol, present or future, replaces a phone call to a known contact when an invoice, routing number, or delivery instruction changes mid-transaction. That habit stops a BEC payload built for lookalike domains just as reliably as it stops one built for outright spoofing.

The Takeaway

A single leaked C2 address unraveling seven fake domains is a reminder that supply chain BEC is a patient, infrastructure-heavy operation, not a lucky guess. It is also, read closely, a small piece of evidence that DMARC enforcement is doing its job upstream: the attackers needed seven new domains precisely because impersonating the real ones directly was not the easy path anymore. The work still ahead is watching for the lookalikes that fill the space enforcement leaves open.


Enforcing DMARC on your own domain closes the direct spoofing path, but attackers will look for the next one. Sign up for free to Excello Mail to move your domain to full enforcement and get the reporting visibility to see who is testing your name.