Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain.  Full report download available here.



Significant Vessel Keys Words:








Figure 1. Map displaying location of attacker domains



Figure 2. Map displaying location of victim domains


10971070478?profile=RESIZE_710xFigure 3. Distribution of attacker and target domains




Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line.  Full table attached.


The five most common subject lines seen in our recent query are as follows:

  • VSL: VM Accord, ORDER: TKHA-A88160011B
  • Your Transport Plan has Changed – Maersk
  • Golden Bright - Agency appointment and request info to discharge




There are several themes represented by the subject lines seen.  Specifically, we can see order invoices, itinerary status notifications, and discharge requests.  These emails are seen to utilize common terminology to establish credibility.  This credibility can make for a solid lure.  In terms of the sending emails themselves, we can see impersonations of companies in many industries.  Notably, we see heavy machinery rental companies, shipping agencies, transport companies, home builders, universities, and even an Indonesian theme park.



In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels.  Some of the vessels being impersonated by these emails include the following:

  • Agia Eirini Force (pictured at the beginning of this report), a bulk carrier which is currently en route to VN HON and sailing under the flag of Marshall Islands.
  • Union Groove (pictured above), a bulk carrier which is currently en route to Chimbote, Peru and sailing under the flag of Marshall Islands.
  • Bellight, a bulk carrier current located at the port of Gdansk Anch., Poland and sailing under the flag or Norway.
  • Spirit of Lisbon, a container ship currently en route to Davao, Philippines and sailing under the flag of Marshall Islands.
  • Common Calypso, a bulk carrier currently en route to CI NIO and sailing under the flag of Greece.

As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort and could result in an increase of credibility.

The top five most prevalent malware detections associated with these emails are as follows:

  • UDS:Trojan-Spy.Win32.Noon.gen – Kaspersky
  • Trojan:Win32/Leonem – Microsoft
  • NSISX.Spy.Gen.24 – ALYac
  • Mal/DrodRar-AIC – Sophos
  • Garf.Gen.6 - FireEye

The Trojan-Spy family of trojans we have been seeing since March of 2021, with the heaviest activity being in April and May.  These trojans are generally known for either acting as a keylogger or attempting to steal credentials from browsers on the victim’s machine.  As we have noted before, these emails are typically used for the propagation of generic trojans and their variants.  The Win32/Leonem identifier specifically we have been seeing since last summer, with heavy activity in July of 2022.  NSISX.Spy variants we have been seeing since late 2021, with the heaviest activity being in January and February of 2022.  Trojan.Garf variants can also be detected as NSISX.Spy variants.  Mal/DrodRar-AIC is a return detection from the previous reports.  Mal/DrodRar-AIC is a file infector that we have been seeing since late 2020.  File infector malware is a type of malware that is capable of infecting files for the sake of spreading to other systems.  Malicious code is attached to a variety of files (.exe, .dll, .sys, etc.) and this type of malware is often used for delivering payloads of downloading other malware.

Supply Chain Spoofing

By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails.  The five most prevalent subject lines seen with a general supply chain focus are as follows:

  • Invoice 767968 from TOTAL OFFICE NATIONAL
  • Invoice INV-6830
  • Invoice reconciliation
  • Invoice L12217 dated 17/01/2023 from LEP Engineering Plastics Ltd
  • Mainstream New Zealand Limited Invoice - PDF for Invoice# 471299

Much like the maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails.  Specifically, we can see invoices, shipment and delivery notifications, packaging lists, and purchase orders.  In terms of the sending emails, we can see the attempted impersonation or spoofing of a variety of different senders, such as shipping companies, trading companies, logistics and distribution companies, travel curation companies, asset management organizations, a French magazine, and even an apartment management company in Jakarta. 



Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full table attached.

The five most prevalent detections associated with these emails are as follows:

  • HTMLUnescape – Zoner
  • HTML:PhishingMS-AHK [Phish] – Avast
  • HTML.Doc – Ikarus
  • HTML:PhishingMS-AHN [Phish] – AVG
  • JS/Phishing.XYZ!tr - Fortinet

This month’s supply chain detections are demonstrating a clear focus on phishing malware.  Much of the time, these will manifest as fraudulent emails, web pages, or other software for the purpose of luring the user into exposing personal information like usernames, passwords, or even financial information.  Heur.HTMLUnescape we have been seeing since early 2020.  HTML:Phishing variants we have been seeing since 2016, with notable heavy activity in the spring of 2021.  Then, as one might expect it is not uncommon to see generic trojan detections like JS/Phishing.XYZ!tr.  We have been seeing JS/Phishing off and on since late 2016, with the highest number of observations occurring in summer 2022.


These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails.  It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.  With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter. 

Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line.   These threats often carry a financial liability to one or all those involved in the Transportation Supply Chain.  Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  

The more convincing an email appears, the greater the chance employees will fall for a scam.   To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is important to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.


About Red Sky Alliance





Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.  All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  We have been tracking vessel imprtation for over 5 years.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


You need to be a member of Red Sky Alliance to add comments!