# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Black Banshee, Velvet Chollima

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

rnailr.com

# Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf
# Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b

accounted.top
acounts.work
ahooc.com
alive-user.work
alone-service.work
app-house.online
app-main.site
app-support.site
app-support.work
check-line.site
check-operation.site
check-up.work
client-mobile.work
confirm-main.work
dounn.net
dovvn-mail.com
drog-service.com
eposcard.co
first-state.work
gstaticstorage.com
heehorse.com
hotrnall.co
imap-login.com
inbox-mail.work
inbox-yahoo.com
lh-login.com
lh-logs.com
lh-yahoo.com
local-link.work
log-yahoo.com
login-confirm.site
login-confirm.work
login-history.pw
login-sec.com
login-use.com
login-yahoo.info
logins-yahoo.com
mail-down.com
mail-inc.work
mail-service.win
mailseco.com
main-line.work
main-service.site
main-support.work
matmiho.com
member-service.work
message-inbox.work
minner.work
mobile-device.site
mobile-phone.work
myprivacy.work
net-policies.work
old-version.work
online-support.work
open-auth.work
options.work
page-view.work
phlogin.com
profile-setting.work
protect-com.work
protect-mail.work
protect-main.site
retry-confirm.com
script-main.site
sec-line.work
sec-live.com
set-login.com
setting-main.work
share-check.site
short-line.work
sign-in.work
srnbc-card.com
user-account.link
user-accounts.net
user-service.link
user-service.work
viewetherwallet.com
wallet-vahoo.com
weak-online.work
web-info.work
web-mind.work
web-online.work
web-rain.work
web-state.work
web-store.work
yah00.work
yrnall.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901
# Reference: https://blog.alyac.co.kr/2538 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df

joelwisian.com
reunionhomesok.com

# Reference: https://twitter.com/blackorbird/status/1178497550938034177

eoplus.co.kr/board/pressed/
eoplus.co.kr/board/presset/

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786

c-naver.com
daum-center.net
rrnaver.com
udaum.net
account-google.member-authorize.com
user-manage-center.hol.es
user-daum-center.pe.hu
user-protect-center.pe.hu
naiei-aldiel.16mb.com
nid-protect-team.pe.hu
nid-management-team.890m.com
oeks39402.890m.com
vkcxvkweo.96.lt

# Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666

clouds.scienceontheweb.net

# Reference: https://twitter.com/spider_girl22/status/1191306963369353216

online---shop.atwebpages.com

# Reference: https://blog.alyac.co.kr/2645 (Korean)
# Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b

member-view-center.esy.es
primary-help.esy.es
ago2.co.kr/bbs/data/dir/F.php
antichrist.or.kr/data/cheditor/dir1/F.php
gyjmc.com/board/data/cheditor/dir1/F.php

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

antichrist.or.kr/data/cheditor/dir1/lyric64
batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png
jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php
jonashartley.com/hilaryolsen/wp-admin/network/run.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php
happy-new-year.esy.es
safe-naver-mail.pe.hu

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5

accounting-microsofft.epizy.com
csdaum-help.esy.es
daum-account-login.esy.es
daum-account-login.esy.esoeks39402.890m.com
daum-account-signin.pe.hu
daum-login-protect.hol.es
daum-setting.hol.es
daum-stting.hol.es
daumlogin.esy.es
gyjmc.com
mail-customer-safety-center.hol.es
mail-kinu.hol.es
mail-naver-protect.hol.es
mail.naver.comuf.com
member-authorize.com
member-daum-regist.hol.es
member-view-center.esy.es
memver-view-center.esy.es
nager-relogin-security.96.lt
naiei-ldel.16mb.com
naver-password.esy.es
naver-security-mail.96.lt
naverhelp.esy.es
naverkorea.esy.es
naverlogin.esy.es
nid-mail.pe.hu
nid-management-team.890m.com
nid-protect-team.pe.hu
primary-help.esy.es
protect-yahoo-teeam.000webhostapp.com
security-mail-daum.000webhostapp.com
snu-mail-ac-kr.esy.es
suppcrt-seourity.esy.es
uefa2018.000webhostapp.com
user-daum-center.pe.hu
user-management-center.hol.es
user-protect-center.pe.hu
vkcxvkweo.96.lt
webrnail-kinu.hol.es

# Reference: https://twitter.com/anyrun_app/status/1115513990711521280
# Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection

185.224.137.164:21

# Reference: https://twitter.com/cyberwar_15/status/1227709181605613569

happy-boy.pe.hu

# Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
# Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d

ago2.co.kr/bbs/data/tmp
aiyac-updaite.hol.es
daum-center.net
embed-helper.esy.es
er-manage-center.hol.es
finale-jack.esy.es
kakao-check.esy.es
my-homework.890m.com
naver-mail-com.hol.es
nid-protect-team.pe.hu
nid-yyanagemeniteam.890m.com
nortice-centre.esy.es
oeks39402.890m.com
rrnaver.com
simple-hick.esy.es
suppcrt-seourity.esy.es
udaum.net
upgradesrv.890m.com
user-daum-center.pe.hu
user-manage-cenier.nol.es
user-protect-center.pe.hu

# Reference: https://twitter.com/cyberwar_15/status/1230093739554557953

pingball.mygamesonline.org

# Reference: https://twitter.com/spider_girl22/status/1233198285747154944
# Reference: https://twitter.com/cyberwar_15/status/1241591674255446016
# Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/

nagoya.datastore.pe.hu
suzuki.datastore.pe.hu
toyota.datastore.pe.hu

# Reference: https://blog.alyac.co.kr/2737 (Korean)

mernberinfo.tech

# Reference: https://twitter.com/cyberwar_15/status/1232989735011794945
# Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection
# Reference: https://twitter.com/spider_girl22/status/1234761655214493697
# Reference: https://twitter.com/cyberwar_15/status/1240677656451899394
# Reference: https://twitter.com/Timele9527/status/1240620534468997125

all200.mireene.com
crphone.mireene.com
jmable.mireene.com
jmdesign.mireene.com
nhpurumy.mireene.com
orblog.mireene.com
sgmedia.mireene.com
vnext.mireene.com

# Reference: https://twitter.com/Timele9527/status/1240123132419223554

mybobo.mygamesonline.org

# Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513

saemaeul.mireene.com

# Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977

rolls-royce-love.890m.com

# Reference: https://twitter.com/VK_Intel/status/1257243399742251010

upload.bigfile.hol.es

# Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136

gotoclean.com.co
ricefarm.kr/bbs/st/expres.php

# Reference: https://twitter.com/cyberwar_15/status/1266553918454067201
# Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean)

com-download.work

# Reference: https://twitter.com/cyberwar_15/status/1268073043365990401

part.bigfile.pe.hu

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

boaz.kr/skin/member/basic/css/cross.php
boaz.kr/skin/member/basic/css/report.php
boaz.kr/skin/member/log/cross.php
boaz.kr/skin/member/log/pre.hta
boaz.kr/skin/member/log/report.php
boaz.kr/skin/member/log/suf.hta

# Reference: https://twitter.com/XOR_Hex/status/1273023258535886848

dept-dp.lab.hol.es

# Reference: https://twitter.com/cyberwar_15/status/1273435333430935552

gbxhd.org-help.com

# Reference: https://twitter.com/ccxsaber/status/1273804166612135940

security-confirm.bmail-org.com

# Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852

finalist.org-help.com

# Reference: https://twitter.com/cyberwar_15/status/1275368364819410950

foxhunter.getenjoyment.net
korea.getenjoyment.net
pootball.getenjoyment.net

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

attachchosun.atwebpages.com

# Reference: https://twitter.com/ccxsaber/status/1278941222166380545

lovelovelove.atwebpages.com

# Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824

bascetball.atwebpages.com

# Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776
# Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection

pingguo5.atwebpages.com

# Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/

foxonline123.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1296301860312084482

jongjin.000webhostapp.com

# Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905
# Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection

portable.epizy.com

# Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773

account-protect.work
account-viewer.work
com-active.work
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
default.tokyo
desk-top.work
doc-view.pw
dorey.work
dutaley.work
exiweng.work
idiolos.work
intemet.work
jp-sec.pw
jp-ssl.work
kinac.work
net-sec.pw
org-view.pw
org-view.work
org-vip.work
org-vps.work
poulsen.work
robezo.work
rtyuio.work
sslport.work
sslserver.work
ssltop.work
taplist.work
tlsmain.work
unrepong.work
verdall.xyz
vpstop.work
webmain.work

# Reference: https://twitter.com/cyberwar_15/status/1313175039307476993

daumcleaner.mywebcommunity.org
naver.mywebcommunity.org
workcrafter.mywebcommunity.org

# Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841
# Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection

goldbin.myartsonline.com

# Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824
# Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297

hdac-wallet.com
kasse-v1.hdac-wallet.com
update.hdac-tech.com
wallet.hdac-tech.com

# Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600
# Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection

general-second.org-help.com

# Reference: https://us-cert.cisa.gov/ncas/alerts/aa20-301a
# Reference: https://otx.alienvault.com/pulse/5f9856f8655cfd07338c8e83

account.daum.unikftc.kr
account.daum.unikortv.com
account.daurn.pe.hu
amberalexander.ghtdev.com
beyondparallel.sslport.work
bigfile.pe.hu
cdaum.pe.hu
cloudmail.cloud
cloudnaver.com
coinone.co.in
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
comment.poulsen.work
cooper.center
csnaver.com
daum.net.pl
daum.unikortv.com
daurn.org
daurn.pe.hu
demand.poulsen.work
dept-dr.lab.hol.es
downloadman06.com
dubai-1.com
eastsea.or.kr
gloole.net
help-navers.com
help.unikoreas.kr
helpnaver.com
hogy.desk-top.work
impression.poulsen.work
intemet.work
intranet.ohchr.account-protect.work
jonga.ml
jp-ssl.work
kooo.gq
loadmanager07.com
login.bignaver.com
login.daum.kcrct.ml
login.daum.net-accounts.info
login.daum.unikortv.com
login.outlook.kcrct.ml
mail.unifsc.com
mailsnaver.com
member-authorize.com
member.daum.uniex.kr
member.daum.unikortv.com
member.navier.pe.hu
msdatl3.inc
msolui80.inc
myaccount.nkaac.net
myaccounts.gmail.kr-infos.com
myetherwallet.co.in
myetherwallet.com.mx
naver.co.in
naver.com.cm
naver.com.de
naver.com.ec
naver.com.mx
naver.com.pl
naver.com.se
naver.cx
naver.hol.es
naver.koreagov.com
naver.onegov.com
naver.pw
naver.unibok.kr
naverdns.co
net.tm.ro
nid.naver.com.se
nid.naver.corper.be
nid.naver.onektx.com
nid.naver.unibok.kr
nid.naver.unicrefia.com
nidlogin.naver.corper.be
nidnaver.email
nidnaver.net
ns.onekorea.me
nytimes.onekma.com
org-vip.work
preview.manage.org-view.work
pro-navor.com
read-hanmail.net
read-naver.com
read.tongilmoney.com
resetprofile.com
resultview.com
riaver.site
sankei.sslport.work
securetymail.com
servicenidnaver.com
smtper.cz
smtper.org
sslserver.work
ssltop.work
statement.poulsen.work
sts.desk-top.work
taplist.work
tiosuaking.com
top.naver.onekda.com
usernaver.com
view-hanmail.net
view-naver.com
vilene.desk-top.work
vpstop.work
webmain.work
webuserinfo.com
ww-naver.com

# Reference: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
# Reference: https://www.cyberscoop.com/north-korea-espionage-kimsuky-cybereason/
# Reference: https://otx.alienvault.com/pulse/5fa029ed2e8d9de384c74f26

csv.posadadesantiago.com/home/up.php?id=
csv.posadadesantiago.com/home?act=news&id=
csv.posadadesantiago.com/home?id=
myaccounts.posadadesantiago.com/test/Update.php?wShell=
wave.posadadesantiago.com/home/dwn.php?van=

# Reference: https://blog.alyac.co.kr/3352
# Reference: https://otx.alienvault.com/pulse/5fa1bb282c5efd7327b229a6

xeoskin.co.kr/wp/wp-includes/SimplePie/Net/

# Reference: https://twitter.com/cyberwar_15/status/1327040440189607936
# Reference: https://twitter.com/cyberwar_15/status/1327045373781635072
# Reference: https://twitter.com/cyberwar_15/status/1327403605825970176
# Reference: https://twitter.com/cyberwar_15/status/1327403626118094848

accountcheck.net
app.veryton.ml
appmedicine.whoint.cf
astrozeneca.ml
bidmc.accountcheck.net
daumi.club
daurn.ga
dup.photo.oiiio.ga
email-hanwha.pe.hu
genexine.member-info.net
jnj.accountcheck.net
kaist.r-naver.com
kari.gq
kimm.r-naver.com
krnvc.ga
logins.daumi.club
logins.daurn.ga
love.krnvc.ga
mail.astrozeneca.ml
member-info.net
oiiio.ga
on.color.oiiio.ga
r-naver.com
shinpoong.accountcheck.net
shinpoong.r-naver.com
shkj.hol.es
veryton.ml
webmail.kari.gq
whoint.cf

# Reference: https://twitter.com/RedDrip7/status/1329628989699235840
# Reference: https://otx.alienvault.com/pulse/5fb804ac581df7fe4f35bfd6
# Reference: https://www.virustotal.com/gui/file/9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027/detection

pelebra.atwebpages.com

# Reference: https://twitter.com/jfslowik/status/1330611004456067073

asia-studies.net
itamaraty.net
midsecurity.org
netsecurityservice.com
securitycounci1report.org

# Reference: https://twitter.com/cyberwar_15/status/1332300116179312640

bidmc.accountcheck.net
genexine.member-info.net
jnj.accountcheck.net
shinpoong.accountcheck.net
shinpoong.r-naver.com

# Reference: https://twitter.com/cyberwar_15/status/1333181928606814211

daumusercenter.web.app

# Reference: https://twitter.com/cyberwar_15/status/1333767468473487363

autoway.huyndai.ml
huyndai.ml

# Reference: https://twitter.com/Timele9527/status/1333971180290592769

documentserver.site

# Reference: https://twitter.com/h2jazi/status/1339226171272286209
# Reference: https://blog.alyac.co.kr/3458 (Korean)
# Reference: https://otx.alienvault.com/pulse/5fdbc57a744937101f4f9adc

hahae.co.kr/new3/ISAF/Libs/php/cross.php

# Reference: https://twitter.com/RedDrip7/status/1336258913323216896
# Reference: https://www.virustotal.com/gui/file/1909010c264328edaf24cc2804d4f046aabd3c59de45e1d295d4155eb466d753/detection

price365.co.kr/abbi/json/ps/aa.php

# Reference: https://twitter.com/cyberwar_15/status/1343610577894088704
# Reference: https://www.virustotal.com/gui/ip-address/27.255.79.204/relations

bkl-co.ml
conm.ga
covision.tk
dongguk.ml
edongwon.ml
edongyang.ml
ejnuac.ml
ekecc.ml
ekoreapetroleum.ml
eland.ml
enepa.cf
esmec.ml
gwdeuac.ml
gwpancon.ml
imperial.fit
kangwon.ml
kccworld.ml
kyungnam.ml
kyungnam.tk
kyungshin.ml
leeko.ml
maeil.ml
miraeasset.ml
naver.srl
nexaemc.ml
nh-amundi.ml
onestorecorp.ml
s-food.ml
samyang.ml
sejonggroup.ml
slworld.cf
sogang.ml
tlbu.ml
webnaver.srl
wonik.ml
yncc.ml
zdnet.ga
email.dongwon.ml
email.dongyang.ml
email.jnuac.ml
email.kecc.ml
email.koreapetroleum.ml
email.nepa.cf
ext.imperial.fit
gwmail.deuac.ml
gwmail.pancon.ml
mail.bkl-co.ml
mail.conm.ga
mail.covision.tk
mail.dongguk.ml
mail.eland.ml
mail.esmec.ml
mail.kangwon.ml
mail.kccworld.ml
mail.kyungnam.ml
mail.kyungnam.tk
mail.kyungshin.ml
mail.leeko.ml
mail.maeil.ml
mail.miraeasset.ml
mail.naver.srl
mail.nh-amundi.ml
mail.onestorecorp.ml
mail.s-food.ml
mail.samyang.ml
mail.sejonggroup.ml
mail.slworld.cf
mail.sogang.ml
mail.tlbu.ml
mail.wonik.ml
mail.yncc.ml
mail.zdnet.ga
nidlogin.naver.srl
nmail.exaemc.ml
webmail.naver.srl

# Reference: https://twitter.com/cyberwar_15/status/1345704290069876736

karist.cf
kaist-ac.xyz
krfa.ml
veryton.ml
kaist.krfa.ml
kaist-ac.xyz
mail.kaist-ac.xyz
vpn.karist.cf
app.veryton.ml

# Reference: https://twitter.com/h2jazi/status/1347225069890789376
# Reference: https://www.virustotal.com/gui/file/18ee06625f7bddadafa8c256d63a123f4e69d5488f88828052fd7803b3aa8b3b/detection

cwda.co.kr/theme/basic/skin/new/basic/update/

# Reference: https://twitter.com/AnonySecAgency/status/1350988738973884418
# Reference: https://www.virustotal.com/gui/file/fd740b70649f06269bf8fe2d0d4fdd87d99606a7a666c4f6a2fc89bee70b6649/detection

connectter.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1352117474943135745
# Reference: https://twitter.com/cyberwar_15/status/1352117964527423490
# Reference: https://www.virustotal.com/gui/ip-address/121.78.88.85/relations

attach.ddns.net
bigfile-naver.servepics.com
cafe-daum.ddns.net
naver.serveblog.net
naver.servehttp.com

# Reference: https://twitter.com/ShadowChasing1/status/1358713278390673408
# Reference: https://www.virustotal.com/gui/file/39bd6b689b02d6dee329131a51aa09301889faf5698eeac0d02aef0ba47cf024/detection
# Reference: https://www.virustotal.com/gui/file/a8820cc75cd580c8eda747931eb36f5943cece48ba720af9771cf16490a78aa6/detection

reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php

# Reference: https://twitter.com/ShadowChasing1/status/1362575412539183115
# Reference: https://www.virustotal.com/gui/file/115b9bf1c6f6040248dfa1a77044143dc318e3712ad613a022b4cced6007906f/detection

anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm

# Reference: https://twitter.com/AnonySecAgency/status/1366948179762024449
# Reference: https://www.virustotal.com/gui/file/73476d8ed35d6bbdaab3e7a17de7668af3860e994ac59107ecbe1aba7e40ace1/detection
# Reference: https://www.virustotal.com/gui/file/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690/detection

monkey.funnystory.tech
seoul.lastpark.life

# Reference: https://twitter.com/ShadowChasing1/status/1368827485253627907
# Reference: https://www.virustotal.com/gui/file/e46887db62f3ee5583587531358e1b70cc8a171067fa4e1ae3e6693f7f9fc938/detection

koreacit.co.kr/skin/

# Reference: https://twitter.com/ShadowChasing1/status/1372464570183208961
# Reference: https://www.virustotal.com/gui/file/50d826640cc9ba66b789f0823f04308178b435f7eb39021bf7861061849f7efd/detection

inonix.co.kr/kor/board/widgets/mcontent/skins/tmp

# Reference: https://twitter.com/ShadowChasing1/status/1372537353311449091

waels.onlinewebshop.net/st/

# Reference: https://twitter.com/Xxx_8885/status/1373888922179170305
# Reference: https://twitter.com/Xxx_8885/status/1373889297414123521
# Reference: https://www.virustotal.com/gui/file/a030873cf5a9b8c76740a1ba9a4d28fc7acf4ce71ebebbe33a46be372f551004/detection
# Reference: https://www.virustotal.com/gui/file/a56163d758cd4a0a00e0991b7a4aecab35fdecb59df6d1821488826f8b37d7b9/detection
# Reference: https://www.virustotal.com/gui/file/e532685d362475dd3dec1aacedff87c7b32ec3573714a9f56ac87905fa13d66c/detection
# Reference: https://www.virustotal.com/gui/file/00bbab408dbc5c1a95143f75c282a74dddd5a87df533d7d198c1fc7eb2138269/detection
# Reference: https://www.virustotal.com/gui/file/a2465f753ff409cbd036cc0235704e3f49d9a52b8e4e2bc812428d7c8ea6f32b/detection

http://200.200.200.200/test/v.php
eucie091.myartsonline.com
eucie09111.myartsonline.com
ftcpark59.getenjoyment.net

# Reference: https://twitter.com/blackorbird/status/1377218251344633856
# Reference: https://twitter.com/RedDrip7/status/1377217232573321220

policy.webofknowledg.com
usamilitarysavings.webofknowledg.com
webofknowledg.com

# Reference: https://twitter.com/ShadowChasing1/status/1377841916948082689
# Reference: https://www.virustotal.com/gui/file/873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd/detection
# Reference: https://www.virustotal.com/gui/file/4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211/detection

pcsecucheck.scienceontheweb.net

# Reference: https://twitter.com/ShadowChasing1/status/1377900770629099530
# Reference: https://www.virustotal.com/gui/file/3dd9628b3f92a1f8c340e546343c1c1448de94212a9c19e83cae661eba2d1b37/detection

beilksa.scienceontheweb.net

# Reference: https://twitter.com/mg2_tracy1/status/1379269472926638081
# Reference: https://www.virustotal.com/gui/file/b89e79ee9c4834177cbabba9b265910a6a55c7defd2863cc1699753dbfa342b8/detection

baboivan.scienceontheweb.net

# Reference: https://twitter.com/h2jazi/status/1380510153397637127
# Reference: https://www.virustotal.com/gui/file/e6f0d7e114c04017b07f321ba4df440ff55718ef451b1a3cb0f1c0856bd1c86e/detection

pc.ac-kr.esy.es

# Reference: https://twitter.com/ShadowChasing1/status/1382509560179531782
# Reference: https://www.virustotal.com/gui/file/e7fae41c0bd8d3d95253bd75dce99015599ecc404bd8d737cec305fc3e4dd018/detection

wbg0909.scienceontheweb.net

# Reference: https://twitter.com/AnonySecAgency/status/1383241650319683590
# Reference: https://www.virustotal.com/gui/file/92b9933f3477241ffd92d0f76ef0dcf46730209a1ecab7eceb399d540530799f/detection

cuinm.huikm.kro.kr

# Reference: https://twitter.com/HONKONE_K/status/1386152816545128450
# Reference: https://www.virustotal.com/gui/file/4252c0b130be39bf2258c84c436c17babfd650b6d665ac6c4e050f87fe34e46e/detection

pootball.medianewsonline.com

# Reference: https://twitter.com/ShadowChasing1/status/1388522768111656963
# Reference: https://www.virustotal.com/gui/file/f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8/detection

ikpoo.cf
onedrive-upload.ikpoo.cf

# Reference: https://twitter.com/ShadowChasing1/status/1388529890614341635
# Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection

riseknite.life
download.riseknite.life

# Reference: https://mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w

travelmountain.ml
alps.travelmountain.ml

# Reference: https://twitter.com/h2jazi/status/1390734706103234561
# Reference: https://twitter.com/ShadowChasing1/status/1391620287024668679
# Reference: https://www.virustotal.com/gui/file/622cb6a772b0034f741aa58a50f1155a2a4240021c929d90fbed4182877fa579/detection
# Reference: https://www.virustotal.com/gui/file/2ed6b0e116a50ee9be7ac74b7be0e73ac4aeb15ddb9b42a1db5bcfba4dccdead/detection

mechapia.com/_admin/nicerlnm/web/style/list.php
mechapia.com/_admin/nicerlnm/web/style/css/

# Reference: https://twitter.com/ShadowChasing1/status/1391618560753999872
# Reference: https://twitter.com/ShadowChasing1/status/1391622743146188800
# Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection
# Reference: https://www.virustotal.com/gui/file/fa4d05e42778581d931f07bb213389f8e885f3c779b9b465ce177dd8750065e2/detection
# Reference: https://www.virustotal.com/gui/file/2c796053053a571e9f913fd5bae3bb45e27a9f510eace944af4b331e802a4ba0/detection

chollian.ml
daom.ml
daum-accounts.cf
gmail-account.gq
gmrail.ml
grnail-login.ml
kisa-security.cf
letterpaper.press
live-sign.ml
natesec-page.ml
naver-security.cf
navor.ml
pcjindustries.com
riseknite.life
secure-dm.tk
seoul-kor.ml
seoul-kor.tk
travelmountain.ml
alps.travelmountain.ml
check.kisa-security.cf
download.riseknite.life
login.daum-accounts.cf
login.gmail-account.gq
login.live-sign.ml
login.natesec-page.ml
login.secure-dm.tk
logins.daom.ml
logins.daum-accounts.cf
new.seoul-kor.ml
nid-nav.navor.ml
nids.naver-security.cf
nids.navor.ml
outlook.seoul-kor.tk
signin.chollian.ml
signin.gmrail.ml
signin.grnail-login.ml
texts.letterpaper.press
webmail.pcjindustries.com

# Reference: https://twitter.com/sS55752750/status/1391765099992453125

flagguarder.site
glow.flagguarder.site

# Reference: https://twitter.com/h2jazi/status/1392128092840284164
# Reference: https://www.virustotal.com/gui/file/85847cad7f57db4534634d51f7e2c74a23719fcf74c891872d98e7c921f0fd56/detection

rukagu.mypressonline.com

# Reference: https://twitter.com/cyberwar_15/status/1392376928624013312

daum-attach.ddns.net

# Reference: https://twitter.com/ShadowChasing1/status/1392284742163206146

yes24-mart.pe.hu

# Reference: https://twitter.com/ShadowChasing1/status/1394911946118295553
# Reference: https://twitter.com/ShadowChasing1/status/1394911948353859585
# Reference: https://www.virustotal.com/gui/file/9ba5266d806df037acb1144836c21b70c5fc0aa6820d2ce07ee28accdff6c9bf/detection

follcdn.myartsonline.com
sima.atspace.tv

# Reference: https://twitter.com/ShadowChasing1/status/1395684553507840003

yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php

# Reference: https://twitter.com/h2jazi/status/1395782753765974023

samsoding.homm7.gethompy.com/plugins/dropzone/min/css/list.php

# Reference: https://twitter.com/m0br3v/status/1399637361697378306
# Reference: https://twitter.com/ShadowChasing1/status/1399753970839547910
# Reference: https://www.virustotal.com/gui/file/fe1a734019f0dc714bd3360e2369853ea97c02f108afe963769318934470967b/detection

at-me.ml
kt1kreate.cf
ahn-lab.cf
snubh.r-e.kr
shore.ml
snu-h.ml
kumb.cf
naver-login.cf
naver-check.ml
snuh.r-e.kr
app.at-me.ml
sms.kt1kreate.cf
v3.ahn-lab.cf
mail.snubh.r-e.kr
anto.shore.ml
smtp.snu-h.ml
mail.kumb.cf
help.naver-login.cf
mail.naver-check.ml
mail.snuh.r-e.kr

# Reference: https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
# Reference: https://otx.alienvault.com/pulse/60b66cda1f2d210aa677cfbe

gmail-account.gq
gmrail.ml
goggle.hol.es
googgle.kro.kr
google-manager.ga
google-signin.ga
grnail-login.ml
grnail-signin.ga
grnail-signing.work
ikpoo.cf
kr-infos.com
letterpaper.press
microsoft-office.us
mygoogle-signin.ga
mygrnail-security.work
mygrnail-signin.ga
mygrnail-signing.work
riseknite.life
travelmountain.ml
account.googgle.kro.kr
account.grnail-signin.ga
accounts.goggle.hol.es
accounts.google-manager.ga
accounts.google-signin.ga
accounts.grnail-signin.ga
accounts.grnail-signing.work
alps.travelmountain.ml
download.riseknite.life
login.gmail-account.gq
login.gmeil.kro.kr
myaccount.google-signin.ga
myaccount.google.newkda.com
myaccount.google.nkaac.net
myaccount.grnail-security.work
myaccount.grnail-signin.ga
myaccount.grnail-signing.work
myaccounts-gmail.autho.co
myaccounts-gmail.kr-infos.com
myaccounts.grnail-signin.ga
ns1.microsoft-office.us
ns2.microsoft-office.us
onedrive-upload.ikpoo.cf
protect.grnail-signin.ga
signin.gmrail.ml
signin.grnail-login.ml
texts.letterpaper.press
wscript.shell.run

# Reference: https://twitter.com/360CoreSec/status/1401863232835383302
# Reference: https://www.virustotal.com/gui/file/811b42bb169f02d1b0b3527e2ca6c00630bebd676b235cd4e391e9e595f9dfa8/detection

alyssalove.getenjoyment.net
smyun0272.blogspot.com

# Reference: https://twitter.com/ShadowChasing1/status/1402239834819743746
# Reference: https://www.virustotal.com/gui/file/934731692b12fd182acbc698dd3f8ef59984aa4e7ef56e124f9851852878817e/detection

manct.atwebpages.com

# Reference: https://twitter.com/h2jazi/status/1402267704610988033
# Reference: https://www.virustotal.com/gui/file/c362b4cb60edfa5bf17123845e59311335b03139d77ec27b9a9ffb7b31e60154/detection

quarez.atwebpages.com

# Reference: https://twitter.com/arphanetx/status/1403765541739941889
# Reference: https://www.virustotal.com/gui/file/9dac6553b89645ac8d9e0a3dc877d12641e6d05fb52e8de6ae5533b2bdf0abc9/detection

pollor.p-e.kr

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf

amikbvx.cf
at-me.ml
atooi.ga
bnmvg.cf
daum-or.ml
daum-vpn.ml
daums.cf
dmaccount.ml
gommi.ml
kakaoo.ml
kititi.ga
kumb.cf
may3.cf
nate-on.ml
nate-or.ga
naver-check.ml
onehappy.ml
outlookin.ml
pamik.cf
shore.ml
uhuioo.cf
wowow.ga
xdtgh.ga
yes24-mart.pe.hu
admin.daum-or.ml
anto.shore.ml
ao.nate-on.ml
app.at-me.ml
app.gommi.ml
apple.may3.cf
auth.daum-or.ml
dnhji.bnmvg.cf
exchange.amikbvx.cf
gate.uhuioo.cf
gom.kititi.ga
helper.onehappy.ml
imap.pamik.cf
mail.daums.cf
mail.dmaccount.ml
mail.kakaoo.ml
mail.kumb.cf
mail.naver-check.ml
mail.outlookin.ml
mail3.nate-or.ga
member.dmaccount.ml
members.daum-vpn.ml
owo.owo.wowow.ga
qygbn.xdtgh.ga
vpn.atooi.ga

# Reference: https://twitter.com/fuuuing_/status/1393102998532886531

fabre.myartsonline.com

# Reference: https://twitter.com/TeamT5_Official/status/1410206100033400838
# Reference: https://biz.chosun.com/policy/politics/2021/06/18/V4DTFCEXPRA4DFCBVVJO3DPR5I/ (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/27.102.106.48/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.107.63/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.112.49/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.114.89/relations

boryung.tk
cdaum.kro.kr
celltrion.ml
cimoon.ml
claum.ml
cloudmall.club
cnaver.kro.kr
csdaum.ga
dongguk.kro.kr
home-info.ml
jbnu.info
jbnu.ml
lottebp.ga
minia.ml
naver-in.ml
nhnems.nsec.kro.kr
nidcorp.n-e.kr
novavax.ml
nsec.nhnems.kro.kr
nsuites.ga
pagelock.host
uni-korea.ga
uni-tuebingen.buzz
uni-tuebingen.cf
xonate.kro.kr
admin.claum.ml
admin.naver-in.ml
alarm.naver-in.ml
aol.pagelock.host
app.seoul.minia.ml
celltrion.cloudmall.club
daum.home-info.ml
exchange.uni-tuebingen.buzz
exchange.uni-tuebingen.cf
helper.uni-korea.ga
home.xonate.kro.kr
its.jbnu.ml
mail.celltrion.ml
mail.naver-in.ml
mail.novavax.ml
manager.naver-in.ml
member.cdaum.kro.kr
member.csdaum.ga
member.daum.home-info.ml
member.dongguk.kro.kr
myinfo.cnaver.kro.kr
nhn.nsuites.ga
nhnems.nsec.kro.kr
nid.naver.home-info.ml
nidcorp.nsuites.ga
nidlogin.nidcorp.n-e.kr
nsec.nhnems.kro.kr
onedrive-upload.ikpoo.cf
onedrive.ikpoo.cf
user.lottebp.ga
user.naver-in.ml

# Reference: https://twitter.com/ShadowChasing1/status/1410887216956547076

atooi.ga
gommi.ml
kumb.cf
onono.ml
uhuioo.cf
app.gommi.ml
gate.uhuioo.cf
mail.kumb.cf
vpn.atooi.ga
go.onono.ml

# Reference: https://twitter.com/h2jazi/status/1411826239455760387
# Reference: https://www.virustotal.com/gui/file/79848ca15ec49057261b6ba52275692d131b8dd034ae9a4cca1e1b81d9e18b77/detection

chels.mypressonline.com

# Reference: https://twitter.com/k3yp0d/status/1415652277914939393

tbear.mypressonline.com

# Reference: https://twitter.com/higefox/status/1411884786323361792
# Reference: https://asec.ahnlab.com/ko/24834/
# Reference: https://asec.ahnlab.com/ko/25351/
# Reference: https://otx.alienvault.com/pulse/60f125c78978e02a40e00c85

benze.atwebpages.com
btige.myartsonline.com
ccav.myartsonline.com
chels.mypressonline.com
giruz.atwebpages.com
jupit.getenjoyment.net
lieon.mypressonline.com
lovel.myartsonline.com
lovels.myartsonline.com
mantc.getenjoyment.net
modri.myartsonline.com
obser.mygamesonline.org
ranso.myartsonline.com
rster.atwebpages.com
stair.atwebpages.com
stair.myartsonline.com
vbqwer.mypressonline.com
visul.myartsonline.com
warcr.onlinewebshop.net

# Reference: https://twitter.com/h2jazi/status/1417093562278240256
# Reference: https://www.virustotal.com/gui/file/d3138e7b0dcf5e916834b045c1b006a1cd223dca75626bd1354b47dbd0c63ae2/detection

1213rt.atwebpages.com

# Reference: https://twitter.com/fuuuing_/status/1417426427528417283

kimshan600000.blogspot.com

# Reference: https://mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ
# Reference: https://otx.alienvault.com/pulse/60ffcd56a7dc0038376fe52e

worldinfocontact.club
alyssalove.getenjoyment.net
hanlight.mygamesonline.org
kr2959.atwebpages.com
majar.medianewsonline.com
samsoding.homm7.gethompy.com
anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm
beilksa.scienceontheweb.net/cookie/select/log/tmp
beilksa.scienceontheweb.net/cookie/select/log/list.php
cwda.co.kr/theme/basic/skin/new/basic/update/Normal.dotm
cwda.co.kr/theme/basic/skin/new/basic/update/list.php
heritage2020.cafe24.com/plugin/kcpcert/bin/list.php
inonix.co.kr/kor/board/widgets/mcontent/skins/tmp
inonix.co.kr/kor/page/product/_notes/list.php
inonix.co.kr/kor/page/product/_notes/tmp/
koreacit.co.kr/skin/new/basic/update/temp
mechapia.com/_admin/nicerlnm/web/style/list.php
miracle.designsoup.co.kr/user/views/resort/controller/css/update/list.php
nuclearpolicy101.org/wp-admin/includes/0421/d.php
reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php
yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php

# Reference: https://twitter.com/360CoreSec/status/1423561133873537024
# Reference: https://www.virustotal.com/gui/file/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577/detection

rhwkdlaktm.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1446270087506194432
# Reference: https://www.virustotal.com/gui/file/82067ef8b907888f9fc27dd0630c37c95b0a55a7c225fb2d693115c41c7dd5be/detection

greatname.000webhostapp.com

# Reference: https://twitter.com/ShadowChasing1/status/1446278566564433939
# Reference: https://www.virustotal.com/gui/file/32beeda8cffc2ecc689ea2529194cf806955879a334ec68176864d1e6c09800c

youtoboo.kro.kr
movie.youtoboo.kro.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446272122058280963

navercheck.kro.kr
nidlogin.navercheck.kro.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446271028481593365
# Reference: https://www.virustotal.com/gui/file/db88dc539bccce8c30e3ba6897171989c9a340f23075c614f3c5a73ae0160db1

tigerwood.tech
ppahjcz.tigerwood.tech

# Reference: https://twitter.com/ShadowChasing1/status/1446270634690895872
# Reference: https://www.virustotal.com/gui/file/324b2e2c0471e49c7cc07725a7d748041479714d265ec6dbf386edd3f619f03c

requests.p-e.kr
ping.requests.p-e.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446269684072914946
# Reference: https://www.virustotal.com/gui/file/8e263345cfeda4eb6720c47d4eaaee236be294fda693d840199f221d6e1412c6

beast.16mb.com

# Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

44179d6df22c56f339bf.blogspot.com
4b758c2e938d65bee050.blogspot.com
akf4tvrbmg.blogspot.com
amfuz2h5b2s.blogspot.com
gyzang0826.blogspot.com
gyzang1.blogspot.com
gyzang58.blogspot.com
gyzang681.blogspot.com
gyzang682.blogspot.com
kimshan600000.blogspot.com
pjeu1urxdnvef6twpveg.blogspot.com
rrmu1qrxdoekv6twc9pq.blogspot.com
smyun0272.blogspot.com
tvrbmkxqstbouzq0twk0ee9uaz0.blogspot.com
tvrfekxqrtvpqzr5tvrfdu5evt0.blogspot.com
tvrfeuxqrtfnqzr4t0m0ee5utt0.blogspot.com
twpbekxqsxpoqzr4txpvdu1uyzu.blogspot.com
vev4tkrrpq.blogspot.com
vgn5tvrrpq.blogspot.com
vgt5tvrnpq.blogspot.com
o61666ch.getenjoyment.net
t22a44es.atwebpages.com
t22a44es.atwebpages.com
byun70kh.mygamesonline.org

# APK

/Kisa%20Vaccine.apk
/KisaAndroidSecurity.apk