# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: Black Banshee, Velvet Chollima # Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78 # Reference: https://blog.alyac.co.kr/2209 (Korean) maii-daum-net.atwebpages.com nate-on.bug3.com hanmail.membercp.net korea.getenjoyment.net mail.membercp.net /itsme.daum # Reference: https://twitter.com/blackorbird/status/1086970613552447489 safe-naver-mail.pe.hu # Reference: https://twitter.com/blackorbird/status/1113318554563076096 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403 # Reference: https://blog.alyac.co.kr/2234 (Korean) tcjst.com # Reference: https://twitter.com/blackorbird/status/1118334122592591872 # Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf # Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations # Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24 http://192.186.142.74 192.186.142.74:81 seoulhobi.biz # Reference: https://twitter.com/RedDrip7/status/1133268937808859136 lovemoney.mypressonline.com # Reference: https://blog.alyac.co.kr/2336 (Korean) # Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6 hellojames.sportsontheweb.net # Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/) /expres.php # Reference: https://blog.alyac.co.kr/2347 (Korean) # Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db http://202.168.155.156 carolie-svr-v1.16mb.com my-homework.890m.com naver-security-mail.96.lt oeks39402.890m.com filer1.1apps.com filer2.1apps.com kuku675.site11.com kuku79.herobo.com # Reference: https://blog.alyac.co.kr/2389 (Korean) # Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8 atene.myartsonline.com hellojames.sportsontheweb.net nid2-naver-com.medianewsonline.com smalldeal.mypressonline.com # Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks # Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208 # Reference: https://twitter.com/blackorbird/status/1164370375490228224 alone-service.work app-support.work check-up.work com-main.work doc-view.work login-confirm.work member-service.work minner.work short-line.work sub-state.work web-line.work # Reference: https://twitter.com/cyberwar_15/status/1166592637371060226 rnailr.com # Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf # Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b accounted.top acounts.work ahooc.com alive-user.work alone-service.work app-house.online app-main.site app-support.site app-support.work check-line.site check-operation.site check-up.work client-mobile.work confirm-main.work dounn.net dovvn-mail.com drog-service.com eposcard.co first-state.work gstaticstorage.com heehorse.com hotrnall.co imap-login.com inbox-mail.work inbox-yahoo.com lh-login.com lh-logs.com lh-yahoo.com local-link.work log-yahoo.com login-confirm.site login-confirm.work login-history.pw login-sec.com login-use.com login-yahoo.info logins-yahoo.com mail-down.com mail-inc.work mail-service.win mailseco.com main-line.work main-service.site main-support.work matmiho.com member-service.work message-inbox.work minner.work mobile-device.site mobile-phone.work myprivacy.work net-policies.work old-version.work online-support.work open-auth.work options.work page-view.work phlogin.com profile-setting.work protect-com.work protect-mail.work protect-main.site retry-confirm.com script-main.site sec-line.work sec-live.com set-login.com setting-main.work share-check.site short-line.work sign-in.work srnbc-card.com user-account.link user-accounts.net user-service.link user-service.work viewetherwallet.com wallet-vahoo.com weak-online.work web-info.work web-mind.work web-online.work web-rain.work web-state.work web-store.work yah00.work yrnall.com # Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901 # Reference: https://blog.alyac.co.kr/2538 (Korean) # Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df joelwisian.com reunionhomesok.com # Reference: https://twitter.com/blackorbird/status/1178497550938034177 eoplus.co.kr/board/pressed/ eoplus.co.kr/board/presset/ # Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf # Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786 c-naver.com daum-center.net rrnaver.com udaum.net account-google.member-authorize.com user-manage-center.hol.es user-daum-center.pe.hu user-protect-center.pe.hu naiei-aldiel.16mb.com nid-protect-team.pe.hu nid-management-team.890m.com oeks39402.890m.com vkcxvkweo.96.lt # Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666 clouds.scienceontheweb.net # Reference: https://twitter.com/spider_girl22/status/1191306963369353216 online---shop.atwebpages.com # Reference: https://blog.alyac.co.kr/2645 (Korean) # Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b member-view-center.esy.es primary-help.esy.es ago2.co.kr/bbs/data/dir/F.php antichrist.or.kr/data/cheditor/dir1/F.php gyjmc.com/board/data/cheditor/dir1/F.php # Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b antichrist.or.kr/data/cheditor/dir1/lyric64 batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php jonashartley.com/hilaryolsen/wp-admin/network/run.php jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php happy-new-year.esy.es safe-naver-mail.pe.hu # Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf # Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5 accounting-microsofft.epizy.com csdaum-help.esy.es daum-account-login.esy.es daum-account-login.esy.esoeks39402.890m.com daum-account-signin.pe.hu daum-login-protect.hol.es daum-setting.hol.es daum-stting.hol.es daumlogin.esy.es gyjmc.com mail-customer-safety-center.hol.es mail-kinu.hol.es mail-naver-protect.hol.es mail.naver.comuf.com member-authorize.com member-daum-regist.hol.es member-view-center.esy.es memver-view-center.esy.es nager-relogin-security.96.lt naiei-ldel.16mb.com naver-password.esy.es naver-security-mail.96.lt naverhelp.esy.es naverkorea.esy.es naverlogin.esy.es nid-mail.pe.hu nid-management-team.890m.com nid-protect-team.pe.hu primary-help.esy.es protect-yahoo-teeam.000webhostapp.com security-mail-daum.000webhostapp.com snu-mail-ac-kr.esy.es suppcrt-seourity.esy.es uefa2018.000webhostapp.com user-daum-center.pe.hu user-management-center.hol.es user-protect-center.pe.hu vkcxvkweo.96.lt webrnail-kinu.hol.es # Reference: https://twitter.com/anyrun_app/status/1115513990711521280 # Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection 185.224.137.164:21 # Reference: https://twitter.com/cyberwar_15/status/1227709181605613569 happy-boy.pe.hu # Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html # Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d ago2.co.kr/bbs/data/tmp aiyac-updaite.hol.es daum-center.net embed-helper.esy.es er-manage-center.hol.es finale-jack.esy.es kakao-check.esy.es my-homework.890m.com naver-mail-com.hol.es nid-protect-team.pe.hu nid-yyanagemeniteam.890m.com nortice-centre.esy.es oeks39402.890m.com rrnaver.com simple-hick.esy.es suppcrt-seourity.esy.es udaum.net upgradesrv.890m.com user-daum-center.pe.hu user-manage-cenier.nol.es user-protect-center.pe.hu # Reference: https://twitter.com/cyberwar_15/status/1230093739554557953 pingball.mygamesonline.org # Reference: https://twitter.com/spider_girl22/status/1233198285747154944 # Reference: https://twitter.com/cyberwar_15/status/1241591674255446016 # Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/ nagoya.datastore.pe.hu suzuki.datastore.pe.hu toyota.datastore.pe.hu # Reference: https://blog.alyac.co.kr/2737 (Korean) mernberinfo.tech # Reference: https://twitter.com/cyberwar_15/status/1232989735011794945 # Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection # Reference: https://twitter.com/spider_girl22/status/1234761655214493697 # Reference: https://twitter.com/cyberwar_15/status/1240677656451899394 # Reference: https://twitter.com/Timele9527/status/1240620534468997125 all200.mireene.com crphone.mireene.com jmable.mireene.com jmdesign.mireene.com nhpurumy.mireene.com orblog.mireene.com sgmedia.mireene.com vnext.mireene.com # Reference: https://twitter.com/Timele9527/status/1240123132419223554 mybobo.mygamesonline.org # Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513 saemaeul.mireene.com # Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977 rolls-royce-love.890m.com # Reference: https://twitter.com/VK_Intel/status/1257243399742251010 upload.bigfile.hol.es # Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136 gotoclean.com.co ricefarm.kr/bbs/st/expres.php # Reference: https://twitter.com/cyberwar_15/status/1266553918454067201 # Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean) com-download.work # Reference: https://twitter.com/cyberwar_15/status/1268073043365990401 part.bigfile.pe.hu # Reference: https://blog.alyac.co.kr/3033 (Korean) # Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6 boaz.kr/skin/member/basic/css/cross.php boaz.kr/skin/member/basic/css/report.php boaz.kr/skin/member/log/cross.php boaz.kr/skin/member/log/pre.hta boaz.kr/skin/member/log/report.php boaz.kr/skin/member/log/suf.hta # Reference: https://twitter.com/XOR_Hex/status/1273023258535886848 dept-dp.lab.hol.es # Reference: https://twitter.com/cyberwar_15/status/1273435333430935552 gbxhd.org-help.com # Reference: https://twitter.com/ccxsaber/status/1273804166612135940 security-confirm.bmail-org.com # Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852 finalist.org-help.com # Reference: https://twitter.com/cyberwar_15/status/1275368364819410950 foxhunter.getenjoyment.net korea.getenjoyment.net pootball.getenjoyment.net # Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704 attachchosun.atwebpages.com # Reference: https://twitter.com/ccxsaber/status/1278941222166380545 lovelovelove.atwebpages.com # Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824 bascetball.atwebpages.com # Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776 # Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection pingguo5.atwebpages.com # Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/ foxonline123.atwebpages.com # Reference: https://twitter.com/cyberwar_15/status/1296301860312084482 jongjin.000webhostapp.com # Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905 # Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection portable.epizy.com # Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773 account-protect.work account-viewer.work com-active.work com-download.work com-option.work com-ssl.work com-sslnet.work com-vps.work default.tokyo desk-top.work doc-view.pw dorey.work dutaley.work exiweng.work idiolos.work intemet.work jp-sec.pw jp-ssl.work kinac.work net-sec.pw org-view.pw org-view.work org-vip.work org-vps.work poulsen.work robezo.work rtyuio.work sslport.work sslserver.work ssltop.work taplist.work tlsmain.work unrepong.work verdall.xyz vpstop.work webmain.work # Reference: https://twitter.com/cyberwar_15/status/1313175039307476993 daumcleaner.mywebcommunity.org naver.mywebcommunity.org workcrafter.mywebcommunity.org # Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841 # Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection goldbin.myartsonline.com # Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824 # Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297 hdac-wallet.com kasse-v1.hdac-wallet.com update.hdac-tech.com wallet.hdac-tech.com # Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600 # Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection general-second.org-help.com # Reference: https://us-cert.cisa.gov/ncas/alerts/aa20-301a # Reference: https://otx.alienvault.com/pulse/5f9856f8655cfd07338c8e83 account.daum.unikftc.kr account.daum.unikortv.com account.daurn.pe.hu amberalexander.ghtdev.com beyondparallel.sslport.work bigfile.pe.hu cdaum.pe.hu cloudmail.cloud cloudnaver.com coinone.co.in com-download.work com-option.work com-ssl.work com-sslnet.work com-vps.work comment.poulsen.work cooper.center csnaver.com daum.net.pl daum.unikortv.com daurn.org daurn.pe.hu demand.poulsen.work dept-dr.lab.hol.es downloadman06.com dubai-1.com eastsea.or.kr gloole.net help-navers.com help.unikoreas.kr helpnaver.com hogy.desk-top.work impression.poulsen.work intemet.work intranet.ohchr.account-protect.work jonga.ml jp-ssl.work kooo.gq loadmanager07.com login.bignaver.com login.daum.kcrct.ml login.daum.net-accounts.info login.daum.unikortv.com login.outlook.kcrct.ml mail.unifsc.com mailsnaver.com member-authorize.com member.daum.uniex.kr member.daum.unikortv.com member.navier.pe.hu msdatl3.inc msolui80.inc myaccount.nkaac.net myaccounts.gmail.kr-infos.com myetherwallet.co.in myetherwallet.com.mx naver.co.in naver.com.cm naver.com.de naver.com.ec naver.com.mx naver.com.pl naver.com.se naver.cx naver.hol.es naver.koreagov.com naver.onegov.com naver.pw naver.unibok.kr naverdns.co net.tm.ro nid.naver.com.se nid.naver.corper.be nid.naver.onektx.com nid.naver.unibok.kr nid.naver.unicrefia.com nidlogin.naver.corper.be nidnaver.email nidnaver.net ns.onekorea.me nytimes.onekma.com org-vip.work preview.manage.org-view.work pro-navor.com read-hanmail.net read-naver.com read.tongilmoney.com resetprofile.com resultview.com riaver.site sankei.sslport.work securetymail.com servicenidnaver.com smtper.cz smtper.org sslserver.work ssltop.work statement.poulsen.work sts.desk-top.work taplist.work tiosuaking.com top.naver.onekda.com usernaver.com view-hanmail.net view-naver.com vilene.desk-top.work vpstop.work webmain.work webuserinfo.com ww-naver.com # Reference: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite # Reference: https://www.cyberscoop.com/north-korea-espionage-kimsuky-cybereason/ # Reference: https://otx.alienvault.com/pulse/5fa029ed2e8d9de384c74f26 csv.posadadesantiago.com/home/up.php?id= csv.posadadesantiago.com/home?act=news&id= csv.posadadesantiago.com/home?id= myaccounts.posadadesantiago.com/test/Update.php?wShell= wave.posadadesantiago.com/home/dwn.php?van= # Reference: https://blog.alyac.co.kr/3352 # Reference: https://otx.alienvault.com/pulse/5fa1bb282c5efd7327b229a6 xeoskin.co.kr/wp/wp-includes/SimplePie/Net/ # Reference: https://twitter.com/cyberwar_15/status/1327040440189607936 # Reference: https://twitter.com/cyberwar_15/status/1327045373781635072 # Reference: https://twitter.com/cyberwar_15/status/1327403605825970176 # Reference: https://twitter.com/cyberwar_15/status/1327403626118094848 accountcheck.net app.veryton.ml appmedicine.whoint.cf astrozeneca.ml bidmc.accountcheck.net daumi.club daurn.ga dup.photo.oiiio.ga email-hanwha.pe.hu genexine.member-info.net jnj.accountcheck.net kaist.r-naver.com kari.gq kimm.r-naver.com krnvc.ga logins.daumi.club logins.daurn.ga love.krnvc.ga mail.astrozeneca.ml member-info.net oiiio.ga on.color.oiiio.ga r-naver.com shinpoong.accountcheck.net shinpoong.r-naver.com shkj.hol.es veryton.ml webmail.kari.gq whoint.cf # Reference: https://twitter.com/RedDrip7/status/1329628989699235840 # Reference: https://otx.alienvault.com/pulse/5fb804ac581df7fe4f35bfd6 # Reference: https://www.virustotal.com/gui/file/9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027/detection pelebra.atwebpages.com # Reference: https://twitter.com/jfslowik/status/1330611004456067073 asia-studies.net itamaraty.net midsecurity.org netsecurityservice.com securitycounci1report.org # Reference: https://twitter.com/cyberwar_15/status/1332300116179312640 bidmc.accountcheck.net genexine.member-info.net jnj.accountcheck.net shinpoong.accountcheck.net shinpoong.r-naver.com # Reference: https://twitter.com/cyberwar_15/status/1333181928606814211 daumusercenter.web.app # Reference: https://twitter.com/cyberwar_15/status/1333767468473487363 autoway.huyndai.ml huyndai.ml # Reference: https://twitter.com/Timele9527/status/1333971180290592769 documentserver.site # Reference: https://twitter.com/h2jazi/status/1339226171272286209 # Reference: https://blog.alyac.co.kr/3458 (Korean) # Reference: https://otx.alienvault.com/pulse/5fdbc57a744937101f4f9adc hahae.co.kr/new3/ISAF/Libs/php/cross.php # Reference: https://twitter.com/RedDrip7/status/1336258913323216896 # Reference: https://www.virustotal.com/gui/file/1909010c264328edaf24cc2804d4f046aabd3c59de45e1d295d4155eb466d753/detection price365.co.kr/abbi/json/ps/aa.php # Reference: https://twitter.com/cyberwar_15/status/1343610577894088704 # Reference: https://www.virustotal.com/gui/ip-address/27.255.79.204/relations bkl-co.ml conm.ga covision.tk dongguk.ml edongwon.ml edongyang.ml ejnuac.ml ekecc.ml ekoreapetroleum.ml eland.ml enepa.cf esmec.ml gwdeuac.ml gwpancon.ml imperial.fit kangwon.ml kccworld.ml kyungnam.ml kyungnam.tk kyungshin.ml leeko.ml maeil.ml miraeasset.ml naver.srl nexaemc.ml nh-amundi.ml onestorecorp.ml s-food.ml samyang.ml sejonggroup.ml slworld.cf sogang.ml tlbu.ml webnaver.srl wonik.ml yncc.ml zdnet.ga email.dongwon.ml email.dongyang.ml email.jnuac.ml email.kecc.ml email.koreapetroleum.ml email.nepa.cf ext.imperial.fit gwmail.deuac.ml gwmail.pancon.ml mail.bkl-co.ml mail.conm.ga mail.covision.tk mail.dongguk.ml mail.eland.ml mail.esmec.ml mail.kangwon.ml mail.kccworld.ml mail.kyungnam.ml mail.kyungnam.tk mail.kyungshin.ml mail.leeko.ml mail.maeil.ml mail.miraeasset.ml mail.naver.srl mail.nh-amundi.ml mail.onestorecorp.ml mail.s-food.ml mail.samyang.ml mail.sejonggroup.ml mail.slworld.cf mail.sogang.ml mail.tlbu.ml mail.wonik.ml mail.yncc.ml mail.zdnet.ga nidlogin.naver.srl nmail.exaemc.ml webmail.naver.srl # Reference: https://twitter.com/cyberwar_15/status/1345704290069876736 karist.cf kaist-ac.xyz krfa.ml veryton.ml kaist.krfa.ml kaist-ac.xyz mail.kaist-ac.xyz vpn.karist.cf app.veryton.ml # Reference: https://twitter.com/h2jazi/status/1347225069890789376 # Reference: https://www.virustotal.com/gui/file/18ee06625f7bddadafa8c256d63a123f4e69d5488f88828052fd7803b3aa8b3b/detection cwda.co.kr/theme/basic/skin/new/basic/update/ # Reference: https://twitter.com/AnonySecAgency/status/1350988738973884418 # Reference: https://www.virustotal.com/gui/file/fd740b70649f06269bf8fe2d0d4fdd87d99606a7a666c4f6a2fc89bee70b6649/detection connectter.atwebpages.com # Reference: https://twitter.com/cyberwar_15/status/1352117474943135745 # Reference: https://twitter.com/cyberwar_15/status/1352117964527423490 # Reference: https://www.virustotal.com/gui/ip-address/121.78.88.85/relations attach.ddns.net bigfile-naver.servepics.com cafe-daum.ddns.net naver.serveblog.net naver.servehttp.com # Reference: https://twitter.com/ShadowChasing1/status/1358713278390673408 # Reference: https://www.virustotal.com/gui/file/39bd6b689b02d6dee329131a51aa09301889faf5698eeac0d02aef0ba47cf024/detection # Reference: https://www.virustotal.com/gui/file/a8820cc75cd580c8eda747931eb36f5943cece48ba720af9771cf16490a78aa6/detection reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php # Reference: https://twitter.com/ShadowChasing1/status/1362575412539183115 # Reference: https://www.virustotal.com/gui/file/115b9bf1c6f6040248dfa1a77044143dc318e3712ad613a022b4cced6007906f/detection anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm # Reference: https://twitter.com/AnonySecAgency/status/1366948179762024449 # Reference: https://www.virustotal.com/gui/file/73476d8ed35d6bbdaab3e7a17de7668af3860e994ac59107ecbe1aba7e40ace1/detection # Reference: https://www.virustotal.com/gui/file/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690/detection monkey.funnystory.tech seoul.lastpark.life # Reference: https://twitter.com/ShadowChasing1/status/1368827485253627907 # Reference: https://www.virustotal.com/gui/file/e46887db62f3ee5583587531358e1b70cc8a171067fa4e1ae3e6693f7f9fc938/detection koreacit.co.kr/skin/ # Reference: https://twitter.com/ShadowChasing1/status/1372464570183208961 # Reference: https://www.virustotal.com/gui/file/50d826640cc9ba66b789f0823f04308178b435f7eb39021bf7861061849f7efd/detection inonix.co.kr/kor/board/widgets/mcontent/skins/tmp # Reference: https://twitter.com/ShadowChasing1/status/1372537353311449091 waels.onlinewebshop.net/st/ # Reference: https://twitter.com/Xxx_8885/status/1373888922179170305 # Reference: https://twitter.com/Xxx_8885/status/1373889297414123521 # Reference: https://www.virustotal.com/gui/file/a030873cf5a9b8c76740a1ba9a4d28fc7acf4ce71ebebbe33a46be372f551004/detection # Reference: https://www.virustotal.com/gui/file/a56163d758cd4a0a00e0991b7a4aecab35fdecb59df6d1821488826f8b37d7b9/detection # Reference: https://www.virustotal.com/gui/file/e532685d362475dd3dec1aacedff87c7b32ec3573714a9f56ac87905fa13d66c/detection # Reference: https://www.virustotal.com/gui/file/00bbab408dbc5c1a95143f75c282a74dddd5a87df533d7d198c1fc7eb2138269/detection # Reference: https://www.virustotal.com/gui/file/a2465f753ff409cbd036cc0235704e3f49d9a52b8e4e2bc812428d7c8ea6f32b/detection http://200.200.200.200/test/v.php eucie091.myartsonline.com eucie09111.myartsonline.com ftcpark59.getenjoyment.net # Reference: https://twitter.com/blackorbird/status/1377218251344633856 # Reference: https://twitter.com/RedDrip7/status/1377217232573321220 policy.webofknowledg.com usamilitarysavings.webofknowledg.com webofknowledg.com # Reference: https://twitter.com/ShadowChasing1/status/1377841916948082689 # Reference: https://www.virustotal.com/gui/file/873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd/detection # Reference: https://www.virustotal.com/gui/file/4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211/detection pcsecucheck.scienceontheweb.net # Reference: https://twitter.com/ShadowChasing1/status/1377900770629099530 # Reference: https://www.virustotal.com/gui/file/3dd9628b3f92a1f8c340e546343c1c1448de94212a9c19e83cae661eba2d1b37/detection beilksa.scienceontheweb.net # Reference: https://twitter.com/mg2_tracy1/status/1379269472926638081 # Reference: https://www.virustotal.com/gui/file/b89e79ee9c4834177cbabba9b265910a6a55c7defd2863cc1699753dbfa342b8/detection baboivan.scienceontheweb.net # Reference: https://twitter.com/h2jazi/status/1380510153397637127 # Reference: https://www.virustotal.com/gui/file/e6f0d7e114c04017b07f321ba4df440ff55718ef451b1a3cb0f1c0856bd1c86e/detection pc.ac-kr.esy.es # Reference: https://twitter.com/ShadowChasing1/status/1382509560179531782 # Reference: https://www.virustotal.com/gui/file/e7fae41c0bd8d3d95253bd75dce99015599ecc404bd8d737cec305fc3e4dd018/detection wbg0909.scienceontheweb.net # Reference: https://twitter.com/AnonySecAgency/status/1383241650319683590 # Reference: https://www.virustotal.com/gui/file/92b9933f3477241ffd92d0f76ef0dcf46730209a1ecab7eceb399d540530799f/detection cuinm.huikm.kro.kr # Reference: https://twitter.com/HONKONE_K/status/1386152816545128450 # Reference: https://www.virustotal.com/gui/file/4252c0b130be39bf2258c84c436c17babfd650b6d665ac6c4e050f87fe34e46e/detection pootball.medianewsonline.com # Reference: https://twitter.com/ShadowChasing1/status/1388522768111656963 # Reference: https://www.virustotal.com/gui/file/f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8/detection ikpoo.cf onedrive-upload.ikpoo.cf # Reference: https://twitter.com/ShadowChasing1/status/1388529890614341635 # Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection riseknite.life download.riseknite.life # Reference: https://mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w travelmountain.ml alps.travelmountain.ml # Reference: https://twitter.com/h2jazi/status/1390734706103234561 # Reference: https://twitter.com/ShadowChasing1/status/1391620287024668679 # Reference: https://www.virustotal.com/gui/file/622cb6a772b0034f741aa58a50f1155a2a4240021c929d90fbed4182877fa579/detection # Reference: https://www.virustotal.com/gui/file/2ed6b0e116a50ee9be7ac74b7be0e73ac4aeb15ddb9b42a1db5bcfba4dccdead/detection mechapia.com/_admin/nicerlnm/web/style/list.php mechapia.com/_admin/nicerlnm/web/style/css/ # Reference: https://twitter.com/ShadowChasing1/status/1391618560753999872 # Reference: https://twitter.com/ShadowChasing1/status/1391622743146188800 # Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection # Reference: https://www.virustotal.com/gui/file/fa4d05e42778581d931f07bb213389f8e885f3c779b9b465ce177dd8750065e2/detection # Reference: https://www.virustotal.com/gui/file/2c796053053a571e9f913fd5bae3bb45e27a9f510eace944af4b331e802a4ba0/detection chollian.ml daom.ml daum-accounts.cf gmail-account.gq gmrail.ml grnail-login.ml kisa-security.cf letterpaper.press live-sign.ml natesec-page.ml naver-security.cf navor.ml pcjindustries.com riseknite.life secure-dm.tk seoul-kor.ml seoul-kor.tk travelmountain.ml alps.travelmountain.ml check.kisa-security.cf download.riseknite.life login.daum-accounts.cf login.gmail-account.gq login.live-sign.ml login.natesec-page.ml login.secure-dm.tk logins.daom.ml logins.daum-accounts.cf new.seoul-kor.ml nid-nav.navor.ml nids.naver-security.cf nids.navor.ml outlook.seoul-kor.tk signin.chollian.ml signin.gmrail.ml signin.grnail-login.ml texts.letterpaper.press webmail.pcjindustries.com # Reference: https://twitter.com/sS55752750/status/1391765099992453125 flagguarder.site glow.flagguarder.site # Reference: https://twitter.com/h2jazi/status/1392128092840284164 # Reference: https://www.virustotal.com/gui/file/85847cad7f57db4534634d51f7e2c74a23719fcf74c891872d98e7c921f0fd56/detection rukagu.mypressonline.com # Reference: https://twitter.com/cyberwar_15/status/1392376928624013312 daum-attach.ddns.net # Reference: https://twitter.com/ShadowChasing1/status/1392284742163206146 yes24-mart.pe.hu # Reference: https://twitter.com/ShadowChasing1/status/1394911946118295553 # Reference: https://twitter.com/ShadowChasing1/status/1394911948353859585 # Reference: https://www.virustotal.com/gui/file/9ba5266d806df037acb1144836c21b70c5fc0aa6820d2ce07ee28accdff6c9bf/detection follcdn.myartsonline.com sima.atspace.tv # Reference: https://twitter.com/ShadowChasing1/status/1395684553507840003 yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php # Reference: https://twitter.com/h2jazi/status/1395782753765974023 samsoding.homm7.gethompy.com/plugins/dropzone/min/css/list.php # Reference: https://twitter.com/m0br3v/status/1399637361697378306 # Reference: https://twitter.com/ShadowChasing1/status/1399753970839547910 # Reference: https://www.virustotal.com/gui/file/fe1a734019f0dc714bd3360e2369853ea97c02f108afe963769318934470967b/detection at-me.ml kt1kreate.cf ahn-lab.cf snubh.r-e.kr shore.ml snu-h.ml kumb.cf naver-login.cf naver-check.ml snuh.r-e.kr app.at-me.ml sms.kt1kreate.cf v3.ahn-lab.cf mail.snubh.r-e.kr anto.shore.ml smtp.snu-h.ml mail.kumb.cf help.naver-login.cf mail.naver-check.ml mail.snuh.r-e.kr # Reference: https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ # Reference: https://otx.alienvault.com/pulse/60b66cda1f2d210aa677cfbe gmail-account.gq gmrail.ml goggle.hol.es googgle.kro.kr google-manager.ga google-signin.ga grnail-login.ml grnail-signin.ga grnail-signing.work ikpoo.cf kr-infos.com letterpaper.press microsoft-office.us mygoogle-signin.ga mygrnail-security.work mygrnail-signin.ga mygrnail-signing.work riseknite.life travelmountain.ml account.googgle.kro.kr account.grnail-signin.ga accounts.goggle.hol.es accounts.google-manager.ga accounts.google-signin.ga accounts.grnail-signin.ga accounts.grnail-signing.work alps.travelmountain.ml download.riseknite.life login.gmail-account.gq login.gmeil.kro.kr myaccount.google-signin.ga myaccount.google.newkda.com myaccount.google.nkaac.net myaccount.grnail-security.work myaccount.grnail-signin.ga myaccount.grnail-signing.work myaccounts-gmail.autho.co myaccounts-gmail.kr-infos.com myaccounts.grnail-signin.ga ns1.microsoft-office.us ns2.microsoft-office.us onedrive-upload.ikpoo.cf protect.grnail-signin.ga signin.gmrail.ml signin.grnail-login.ml texts.letterpaper.press wscript.shell.run # Reference: https://twitter.com/360CoreSec/status/1401863232835383302 # Reference: https://www.virustotal.com/gui/file/811b42bb169f02d1b0b3527e2ca6c00630bebd676b235cd4e391e9e595f9dfa8/detection alyssalove.getenjoyment.net smyun0272.blogspot.com # Reference: https://twitter.com/ShadowChasing1/status/1402239834819743746 # Reference: https://www.virustotal.com/gui/file/934731692b12fd182acbc698dd3f8ef59984aa4e7ef56e124f9851852878817e/detection manct.atwebpages.com # Reference: https://twitter.com/h2jazi/status/1402267704610988033 # Reference: https://www.virustotal.com/gui/file/c362b4cb60edfa5bf17123845e59311335b03139d77ec27b9a9ffb7b31e60154/detection quarez.atwebpages.com # Reference: https://twitter.com/arphanetx/status/1403765541739941889 # Reference: https://www.virustotal.com/gui/file/9dac6553b89645ac8d9e0a3dc877d12641e6d05fb52e8de6ae5533b2bdf0abc9/detection pollor.p-e.kr # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf amikbvx.cf at-me.ml atooi.ga bnmvg.cf daum-or.ml daum-vpn.ml daums.cf dmaccount.ml gommi.ml kakaoo.ml kititi.ga kumb.cf may3.cf nate-on.ml nate-or.ga naver-check.ml onehappy.ml outlookin.ml pamik.cf shore.ml uhuioo.cf wowow.ga xdtgh.ga yes24-mart.pe.hu admin.daum-or.ml anto.shore.ml ao.nate-on.ml app.at-me.ml app.gommi.ml apple.may3.cf auth.daum-or.ml dnhji.bnmvg.cf exchange.amikbvx.cf gate.uhuioo.cf gom.kititi.ga helper.onehappy.ml imap.pamik.cf mail.daums.cf mail.dmaccount.ml mail.kakaoo.ml mail.kumb.cf mail.naver-check.ml mail.outlookin.ml mail3.nate-or.ga member.dmaccount.ml members.daum-vpn.ml owo.owo.wowow.ga qygbn.xdtgh.ga vpn.atooi.ga # Reference: https://twitter.com/fuuuing_/status/1393102998532886531 fabre.myartsonline.com # Reference: https://twitter.com/TeamT5_Official/status/1410206100033400838 # Reference: https://biz.chosun.com/policy/politics/2021/06/18/V4DTFCEXPRA4DFCBVVJO3DPR5I/ (Korean) # Reference: https://www.virustotal.com/gui/ip-address/27.102.106.48/relations # Reference: https://www.virustotal.com/gui/ip-address/27.102.107.63/relations # Reference: https://www.virustotal.com/gui/ip-address/27.102.112.49/relations # Reference: https://www.virustotal.com/gui/ip-address/27.102.114.89/relations boryung.tk cdaum.kro.kr celltrion.ml cimoon.ml claum.ml cloudmall.club cnaver.kro.kr csdaum.ga dongguk.kro.kr home-info.ml jbnu.info jbnu.ml lottebp.ga minia.ml naver-in.ml nhnems.nsec.kro.kr nidcorp.n-e.kr novavax.ml nsec.nhnems.kro.kr nsuites.ga pagelock.host uni-korea.ga uni-tuebingen.buzz uni-tuebingen.cf xonate.kro.kr admin.claum.ml admin.naver-in.ml alarm.naver-in.ml aol.pagelock.host app.seoul.minia.ml celltrion.cloudmall.club daum.home-info.ml exchange.uni-tuebingen.buzz exchange.uni-tuebingen.cf helper.uni-korea.ga home.xonate.kro.kr its.jbnu.ml mail.celltrion.ml mail.naver-in.ml mail.novavax.ml manager.naver-in.ml member.cdaum.kro.kr member.csdaum.ga member.daum.home-info.ml member.dongguk.kro.kr myinfo.cnaver.kro.kr nhn.nsuites.ga nhnems.nsec.kro.kr nid.naver.home-info.ml nidcorp.nsuites.ga nidlogin.nidcorp.n-e.kr nsec.nhnems.kro.kr onedrive-upload.ikpoo.cf onedrive.ikpoo.cf user.lottebp.ga user.naver-in.ml # Reference: https://twitter.com/ShadowChasing1/status/1410887216956547076 atooi.ga gommi.ml kumb.cf onono.ml uhuioo.cf app.gommi.ml gate.uhuioo.cf mail.kumb.cf vpn.atooi.ga go.onono.ml # Reference: https://twitter.com/h2jazi/status/1411826239455760387 # Reference: https://www.virustotal.com/gui/file/79848ca15ec49057261b6ba52275692d131b8dd034ae9a4cca1e1b81d9e18b77/detection chels.mypressonline.com # Reference: https://twitter.com/k3yp0d/status/1415652277914939393 tbear.mypressonline.com # Reference: https://twitter.com/higefox/status/1411884786323361792 # Reference: https://asec.ahnlab.com/ko/24834/ # Reference: https://asec.ahnlab.com/ko/25351/ # Reference: https://otx.alienvault.com/pulse/60f125c78978e02a40e00c85 benze.atwebpages.com btige.myartsonline.com ccav.myartsonline.com chels.mypressonline.com giruz.atwebpages.com jupit.getenjoyment.net lieon.mypressonline.com lovel.myartsonline.com lovels.myartsonline.com mantc.getenjoyment.net modri.myartsonline.com obser.mygamesonline.org ranso.myartsonline.com rster.atwebpages.com stair.atwebpages.com stair.myartsonline.com vbqwer.mypressonline.com visul.myartsonline.com warcr.onlinewebshop.net # Reference: https://twitter.com/h2jazi/status/1417093562278240256 # Reference: https://www.virustotal.com/gui/file/d3138e7b0dcf5e916834b045c1b006a1cd223dca75626bd1354b47dbd0c63ae2/detection 1213rt.atwebpages.com # Reference: https://twitter.com/fuuuing_/status/1417426427528417283 kimshan600000.blogspot.com # Reference: https://mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ # Reference: https://otx.alienvault.com/pulse/60ffcd56a7dc0038376fe52e worldinfocontact.club alyssalove.getenjoyment.net hanlight.mygamesonline.org kr2959.atwebpages.com majar.medianewsonline.com samsoding.homm7.gethompy.com anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm beilksa.scienceontheweb.net/cookie/select/log/tmp beilksa.scienceontheweb.net/cookie/select/log/list.php cwda.co.kr/theme/basic/skin/new/basic/update/Normal.dotm cwda.co.kr/theme/basic/skin/new/basic/update/list.php heritage2020.cafe24.com/plugin/kcpcert/bin/list.php inonix.co.kr/kor/board/widgets/mcontent/skins/tmp inonix.co.kr/kor/page/product/_notes/list.php inonix.co.kr/kor/page/product/_notes/tmp/ koreacit.co.kr/skin/new/basic/update/temp mechapia.com/_admin/nicerlnm/web/style/list.php miracle.designsoup.co.kr/user/views/resort/controller/css/update/list.php nuclearpolicy101.org/wp-admin/includes/0421/d.php reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php # Reference: https://twitter.com/360CoreSec/status/1423561133873537024 # Reference: https://www.virustotal.com/gui/file/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577/detection rhwkdlaktm.atwebpages.com # Reference: https://twitter.com/ShadowChasing1/status/1446270087506194432 # Reference: https://www.virustotal.com/gui/file/82067ef8b907888f9fc27dd0630c37c95b0a55a7c225fb2d693115c41c7dd5be/detection greatname.000webhostapp.com # Reference: https://twitter.com/ShadowChasing1/status/1446278566564433939 # Reference: https://www.virustotal.com/gui/file/32beeda8cffc2ecc689ea2529194cf806955879a334ec68176864d1e6c09800c youtoboo.kro.kr movie.youtoboo.kro.kr # Reference: https://twitter.com/ShadowChasing1/status/1446272122058280963 navercheck.kro.kr nidlogin.navercheck.kro.kr # Reference: https://twitter.com/ShadowChasing1/status/1446271028481593365 # Reference: https://www.virustotal.com/gui/file/db88dc539bccce8c30e3ba6897171989c9a340f23075c614f3c5a73ae0160db1 tigerwood.tech ppahjcz.tigerwood.tech # Reference: https://twitter.com/ShadowChasing1/status/1446270634690895872 # Reference: https://www.virustotal.com/gui/file/324b2e2c0471e49c7cc07725a7d748041479714d265ec6dbf386edd3f619f03c requests.p-e.kr ping.requests.p-e.kr # Reference: https://twitter.com/ShadowChasing1/status/1446269684072914946 # Reference: https://www.virustotal.com/gui/file/8e263345cfeda4eb6720c47d4eaaee236be294fda693d840199f221d6e1412c6 beast.16mb.com # Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html 44179d6df22c56f339bf.blogspot.com 4b758c2e938d65bee050.blogspot.com akf4tvrbmg.blogspot.com amfuz2h5b2s.blogspot.com byun70kh.mygamesonline.org gyzang0826.blogspot.com gyzang1.blogspot.com gyzang58.blogspot.com gyzang681.blogspot.com gyzang682.blogspot.com kimshan600000.blogspot.com o61666ch.getenjoyment.net pjeu1urxdnvef6twpveg.blogspot.com rrmu1qrxdoekv6twc9pq.blogspot.com smyun0272.blogspot.com t22a44es.atwebpages.com tvrbmkxqstbouzq0twk0ee9uaz0.blogspot.com tvrfekxqrtvpqzr5tvrfdu5evt0.blogspot.com tvrfeuxqrtfnqzr4t0m0ee5utt0.blogspot.com twpbekxqsxpoqzr4txpvdu1uyzu.blogspot.com vev4tkrrpq.blogspot.com vgn5tvrrpq.blogspot.com vgt5tvrnpq.blogspot.com # Reference: https://twitter.com/h2jazi/status/1465402736996933640 3a8f846675194d779198.blogspot.com 0knw2300.mypressonline.com faust22.mypressonline.com # Reference: https://www.virustotal.com/gui/file/cb88d365011dce926afb1c04e6973f3d3db7135dd67d738e281f3690b8d9e6ef/detection kr3753.atwebpages.com # Reference: https://twitter.com/souiten/status/1473862308132651011 jinu1353.scienceontheweb.net # Reference: https://twitter.com/souiten/status/1457946934623150090 # Reference: https://www.virustotal.com/gui/file/0cfa89348dc6007c89852907e464f3e91060e83665d6d62243be225c0e2e44a9/detection gosiweb.gosiclass.com/m/gnu/convert/default/8ef014a/list.php # Reference: https://twitter.com/Timele9527/status/1425640885811777542 helpnid.com # Reference: https://twitter.com/cyberwar_15/status/1478572625291276291 com-trace.space confirm-pw.link navers.online navers.store navers.website net-pass.store # Reference: https://twitter.com/souiten/status/1472757875839619079 # Reference: https://www.virustotal.com/gui/file/2ef30a004e68213faa8cfef567af2292ff03f8ea9f273ae1c9c2b7845ba6ea87/detection zippe.myartsonline.com # Reference: https://blog.alyac.co.kr/3228?category=957259 (Korean) pingguo2.atwebpages.com ramble.myartsonline.com # Reference: https://asec.ahnlab.com/ko/26183/ # Reference: https://otx.alienvault.com/pulse/6110fe0ab195f83ceb72fcff dkekftks.atwebpages.com dktkglrkshqhfn.atwebpages.com tktlal2.atwebpages.com tktlal3.atwebpages.com tksRpdl.atwebpages.com # Reference: https://twitter.com/ShadowChasing1/status/1482976392958865413 gooeglle.mypressonline.com # Reference: https://twitter.com/cyberwar_15/status/1485607323154644999 bigfilemail.net cmaildown.lovestoblog.com msgbugreporting.lovestoblog.com /wwwppp/index2.php # Reference: https://twitter.com/ShadowChasing1/status/1489054323946319876 # Reference: https://www.virustotal.com/gui/file/5d25e53b59bd2dcf234c6819f8cd294efe6d943d04625b9d575002362794e74a/detection com-info.store ms-work.com-info.store # Reference: https://twitter.com/jaydinbas/status/1493522324011851776 # Reference: https://www.virustotal.com/gui/file/3ca7067d60ee47be7448da74be7dab23699cda64cac7ed0cd7a2d219875cb902/detection asenal.medianewsonline.com # Reference: https://twitter.com/s1ckb017/status/1493907536117964802 # Reference: https://www.virustotal.com/gui/file/1fa38bd7a3d6a7b73ac4893bb7edc04fb3f56dcfad3b3e6b3fa6d4729add22e2/detection byusunity.000webhostapp.com # Reference: https://twitter.com/ShadowChasing1/status/1500778382966939653 # Reference: https://www.virustotal.com/gui/ip-address/161.97.100.171/relations com-checking.link com-pass.online com-password.link com-silver.site jp-check.online naver-active.online certificate.medis.navers.store com.com-pass.online daum.confirm-pw.link downfile.mybox.com-password.link downfile.naver.com-pass.online medis.navers.store moue.naver-active.online ms-work.com-pass.online ms-work.com.com-pass.online mybox.com-password.link myetherwallet.com-checking.link naver.com-pass.online naver.com-silver.site navers.com-checking.link navers.com-silver.site naverwebs.com-password.link navrenewal.confirm-pw.link neaply.naver-active.online nib.com-checking.link nic.navers.com-checking.link nid.moue.naver-active.online nid.naver-active.online nid.navers.com-checking.link nid.navers.confirm-pw.link nid.navrenewal.confirm-pw.link nid.neaply.naver-active.online nld.naverwebs.com-password.link nld.neaply.naver-active.online nld.thus.navers.com-checking.link nood.navers.jp-check.online thus.navers.com-checking.link uid.navers.com-silver.site # Reference: https://www.virustotal.com/gui/file/0b2db410c50d9e4eb7e88177c463be3da5fff5527d9dc2ae10fa26ebe2721ef1/detection healerboy.000webhostapp.com # Reference: https://twitter.com/cyberwar_15/status/1507270188882067460 mailnotification.xyz naveruser.com nid.naver.com.pe pay.naver.com.pe report.mailnotification.xyz star.mailnotification.xyz # Reference: https://twitter.com/s1ckb017/status/1507316584079142915 # Reference: https://www.virustotal.com/gui/file/af6b98cabdaf0e3f12fd32509c6b99c141ce59bd73019730d85f66f41ca399da/detection hannarng.kro.kr update.hannarng.kro.kr # Reference: https://twitter.com/souiten/status/1514440361887690753 # Reference: https://www.virustotal.com/gui/file/f28d087adb5f959c62e318d0a3c4639df5513781587aa46bb8df2521f7970ac5/detection manage-box.com # Reference: https://twitter.com/souiten/status/1519167359918911488 # Reference: https://www.virustotal.com/gui/file/2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0/detection dusieme.com # Reference: https://twitter.com/ShadowChasing1/status/1519514517465485312 uekaf.myartsonline.com # Reference: https://twitter.com/InQuest/status/1521136176530436098 # Reference: https://www.virustotal.com/gui/file/5ed36771ac803408325326322f6909e8f768ed9a4c9e98217a82a66f71e7627d/detection leehr36.mypressonline.com # Reference: https://twitter.com/jaydinbas/status/1521408843774844929 weworld59.myartsonline.com # Reference: https://twitter.com/h2jazi/status/1521906180553068546 # Reference: https://www.virustotal.com/gui/file/0e9689ea8056e3016ccc7fbfed31d8566403f394b68aceb69fb1a3dfec6b6f09/detection # Reference: https://www.virustotal.com/gui/file/4b0202a8452fe202d25fc5c75aabef3ae52083d2edb7f57cbde02a1bca02a028/detection attach.mail.daum.net/bigfile/v1/urls/d/exeuQzisacbcTtb5my1snadAn5Q/8nrA37fWtx1JOg3Vo6Jufg attach.mail.daum.net/bigfile/v1/urls/d/6akA_Jg1Chbl_TcCTytJJQk4mfE/-z8Vw6BjxQC7ds4lmMKxpA # Reference: https://twitter.com/BlackLotusLabs/status/1524012722622386176 # Reference: https://twitter.com/BlackLotusLabs/status/1524012726133178374 # Reference: https://www.virustotal.com/gui/file/99e58217d03645fe15ae19476554965e93e3d5f50deb85b515eb5543573f9007/detection trueliebe.com # Reference: https://asec.ahnlab.com/en/34694/ # Reference: https://twitter.com/malwrhunterteam/status/1525046722120097798 # Reference: https://twitter.com/ShadowChasing1/status/1525070825480949761 # Reference: https://www.virustotal.com/gui/file/2c20ac485fd55bd1a5c4b75c5ba521e5b19912325737617178dfcb5a4e408aef/detection mc.pzs.kr/themes/mobile/images/about/temp/attach mc.pzs.kr/themes/mobile/images/about/temp/upload mc.pzs.kr/themes/mobile/images/about/temp/upload/lib.php mc.pzs.kr/themes/mobile/images/about/temp/upload/list.php mc.pzs.kr/themes/mobile/images/about/temp/attach/attach.docx # Reference: https://asec.ahnlab.com/ko/34883/ # Reference: https://otx.alienvault.com/pulse/629714934cca82a7351d5254 fedra.p-e.kr leomin.dothome.co.kr printware2.000webhostapp.com # Reference: https://twitter.com/blackorbird/status/1534127714336055296 ielsems.com worldinfocontact.club # Reference: https://twitter.com/cyberwar_15/status/1536865901899022336 cloudfiles.epizy.com clouds.great-site.net fils.clouds.great-site.net joongang.epizy.com daum.cloudfiles.epizy.com kakao.cloudfiles.epizy.com khu.cloudfiles.epizy.com konkuk.cloudfiles.epizy.com naver.cloudfiles.epizy.com snu.cloudfiles.epizy.com # Reference: https://twitter.com/cyberwar_15/status/1550740560033779713 # Reference: https://twitter.com/cyberwar_15/status/1547107301949308928 cdndaum.online marsus.online navecom.website naveos.online naveos.tokyo naver-sec.site navow.website nonghyup.website oneearthfuture.online private-banking-group.com sslnaver.online unifiedworldwideexpress.com cood.nonghyup.website nid.nonghyp.com-checking.link nld.naveos.tokyo noid.naveos.online nong.navow.website # Reference: https://twitter.com/h2jazi/status/1551566274664300544 # Reference: https://www.virustotal.com/gui/file/e59f0aa13e2da2a0cd5c07e882014d9b37927b9bd9a493f83c2bcb103e5a739c/detection asssambly.mywebcommunity.org # Reference: https://twitter.com/blackorbird/status/1552846355613097984 # Reference: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ # Reference: https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv gonamod.com siekis.com worldinfocontact.club # Reference: https://twitter.com/Des00464472/status/1550410336364527616 aire.us.to # Reference: https://twitter.com/Des00464472/status/1529321196231487488 naverauthority.com # Reference: https://twitter.com/Des00464472/status/1408013493358391296 preledd.club # Reference: https://twitter.com/Des00464472/status/1554308879139618817 protect-team.n-e.kr mail.protect-team.n-e.kr # Reference: https://twitter.com/cyberwar_15/status/1559744857023062017 net-all.website daum.net-all.website kakao.net-all.website onedrive.net-all.website yahodrive.net-all.website yandex.net-all.website # Reference: https://twitter.com/PhantomXSec/status/1561490582513496064 bybitesupport.com drivergooogles.com kakaosupport.com # Reference: https://twitter.com/PhantomXSec/status/1561738109884059649 # Reference: https://www.virustotal.com/gui/ip-address/51.195.155.36/relations navericorp.com nid.navericorp.com avlinkt.online avlinkx.online avlinky.online avlinkz.online cutalink.store cutblink.store cutclink.shop cutdlink.shop linkurla.online linkurlb.online linkurlc.online linkurld.online midalink.live midamain.shop midaurl.site midaurl.tech midblink.xyz midbmain.shop midburl.site midburl.tech midclink.xyz midcmain.click middmain.click movelinka.online movelinkb.online movelinkc.online movelinkd.online navurla.tech netalink.space netblink.space netclink.store netdlink.store nilinks.online nilinkt.online nilinku.online nlinka.link nlinka.online nlinkb.link nlinkb.online nlinkc.link nlinkc.online nlinkd.link nlinkd.online nlinke.link nredia.tech nredib.link nredic.link nredid.link nredie.link nredif.link nredif.live nredig.link nredirea.live nredireb.live nredirec.live nredirecti.tech nredirectj.tech nredirectk.tech nredired.live nserva.link nserva.live nservb.link nservb.live nservc.link nservc.live nservd.link nservd.live nserve.live nshortlinka.live nshortlinkb.live nshortlinkc.live nshortlinkd.live nshortlinke.live nurla.link nvurli.online nvurlu.online nvurly.online reashow.live rebshow.live recshow.live redalink.xyz redclink.xyz redelink.tech redflink.tech redireact.online redirebct.online redirecct.online rediurla.live rediurlb.live rediurlc.live rediurld.live redomain.info redombin.info redserva.online redservb.online redservc.online redservd.online redshow.live shortacut.tech shortanet.click shortaurl.site shortbcut.tech shortbnet.click shortburl.site shortccut.info shortcurl.site shortcuta.online shortcuta.xyz shortcutb.online shortcutb.xyz shortcutc.online shortcutc.xyz shortcutd.online shortcutd.xyz shortdcut.info shortdurl.site shortlinka.xyz shortlinkb.xyz urlalink.info urlblink.info urlclink.info urldlink.info help.nredid.link port.movelinkb.online port.nredig.link port.nservc.link port.nservc.live port.nshortlinke.live port.redserva.online postgres.nlinkd.online # Reference: https://twitter.com/RedDrip7/status/1562282889693126659 # Reference: https://www.virustotal.com/gui/file/6a435e2aab6dce39d626eacb39fc964967e35e94abf513da0f6511ab7b1f826e/detection uppgrede.scienceontheweb.net # Reference: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/ 225b4d3c305f43e1a590.blogspot.com 3a8f846675194d779198.blogspot.com c52ac2f8ac0693d8790c.blogspot.com leejong-sejong.blogspot.com 21nari.getenjoyment.net 21nari.mypressonline.com 21nari.scienceontheweb.net attach.42web.io attachment.a0001.net bigfile.totalh.net chmguide.atwebpages.com chunyg21.sportsontheweb.net clouds.rf.gd glib-warnings.000webhostapp.com global.onedriver.epizy.com global.web1337.net hochdlincheon.mypressonline.com hochuliasdfasfdncheon.mypressonline.com hochulidncheon.mypressonline.com hochulincddheon.mypressonline.com hochulincheon.mypressonline.com hochulindcheon.mypressonline.com hochulindddcheon.mypressonline.com hochulinsfdgasdfcheon.mypressonline.com koreajjjjj.atwebpages.com koreajjjjj.sportsontheweb.net kpsa20201.getenjoyment.net leehr24.mywebcommunity.org weworld78.atwebpages.com weworld79.mygamesonline.org yulsohnyonsei.atwebpages.com yulsohnyonsei.atwewbpages.com yulsohnyonsei.medianewsonline.com # Reference: https://twitter.com/RedDrip7/status/1563074487452848128 # Reference: https://www.virustotal.com/gui/ip-address/216.189.154.6/relations # Reference: https://www.virustotal.com/gui/file/7903bdf0976d5c6f3c28abf40c41414380f4494a8bf72af9e27ff810599faaf2/detection # Reference: https://www.virustotal.com/gui/file/f63ff642e7025db96d6ebbd6da26aa9cece4f132891ce2a8385d7c034a7ead25/detection # Reference: https://www.virustotal.com/gui/file/db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe/detection accountverify.hmail.us office.pushitlive.net qwert.mine.bz # Reference: https://twitter.com/Jup1a/status/1562720823869583360 # Reference: https://www.virustotal.com/gui/file/a0fddbb638fc4f3ba4cefc0707226e8c01eefd98f78d6a9b4fbca1ba74b21adf/detection sectionss.scienceontheweb.net # Reference: https://twitter.com/Des00464472/status/1564151538553352193 # Reference: https://www.virustotal.com/gui/ip-address/210.16.120.163/relations xxdzts.com autoconfig.xxdzts.com autodiscover.xxdzts.com mail.xxdzts.com # Reference: https://twitter.com/ShadowChasing1/status/1568061411011760129 aasssambly.mywebcommunity.org # Reference: https://twitter.com/PhantomXSec/status/1567738114638237697 # Reference: https://twitter.com/PhantomXSec/status/1567733296083398656 # Reference: https://www.virustotal.com/gui/ip-address/27.255.81.84/relations # Reference: https://virustotal.com/gui/ip-address/61.97.251.247/relations daum-master.com daum-security.com daurn.net help-naver.com naver-edoc.com naver-edocu.com naveradmin.center naverc0rp.com navercorp.date navernail.eu naverscenter.com naverssl.com sec-naver.com 6xv2abhu1nc0.help-naver.com 6xv2abhu1nc0.sec-naver.com 7nv42j9qxt140.help-naver.com 7nv42j9qxt140.sec-naver.com ad.daurn.net cafe.daurn.net gud2abhu1nc0.help-naver.com gud2abhu1nc0.sec-naver.com m.cafe.daurn.net nid.naverssl.com nidiogin.naverc0rp.com nidlogin.naverc0rp.com nidlogin.navercorp.date nids.naverscenter.com ns.naverssl.com rcaptcha.help-naver.com rcaptcha.sec-naver.com sks1.smartvpn.pe.kr smartvpn.pe.kr static.help-naver.com static.sec-naver.com uns.naverssl.com wat.ad.daurn.net # Reference: https://twitter.com/cyberwar_15/status/1567828108790890498 certuser.info koreailmin.com # Reference: https://twitter.com/PhantomXSec/status/1566863825999400960 # Reference: https://www.virustotal.com/gui/ip-address/38.132.122.162/relations accounts-kakao.date cds.naver2.info com2.space com3.top hello.naver2.info help2.top help2.xyz member2.download naver-corp.top naver-corp.xyz naver.com3.top naver.help2.xyz naver.member2.download naver2.eu naver2.info naver2.space naver2.top naver2.xyz naver3.space naver3.xyz naver4.info navercorp.top navercorp.world navercorp1.xyz navercorp2.space navercorp2.top navercorp2.xyz navercorp3.xyz naverpwd.space naverpwd.top naverpwd.world naverpwd.xyz nid-naver.top ro.naver2.info sync-t1.naver2.info tm.naver2.info us7lb-cdn.naver2.info # Reference: https://twitter.com/Des00464472/status/1568885820031135744 # Reference: https://www.virustotal.com/gui/ip-address/104.128.239.16/relations hiworks.ga insopack.mcsoft.org myclouds.r-e.kr office.hiworks.ga softmail.kro.kr app.softmail.kro.kr office.myclouds.r-e.kr # Reference: https://twitter.com/ShadowChasing1/status/1570601703598338049 # Reference: https://www.virustotal.com/gui/file/d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0/detection cuts.dothome.co.kr napoyo.mypressonline.com # Reference: https://twitter.com/Des00464472/status/1570558688267739138 navers.tech confluence.navers.tech myboxs.navers.tech myboxes.navers.tech nied.navers.tech techmyboxes.navers.tech # Reference: https://twitter.com/ShadowChasing1/status/1576944331050471425 # Reference: https://www.virustotal.com/gui/file/f03a7a96e3ce5e35dd52ce026266b68aa35301828f1d909d858658051371473d/detection krinnsnail.sportsontheweb.net/file/upload/list.php # Reference: https://twitter.com/ShadowChasing1/status/1580001848211410944 # Reference: https://www.virustotal.com/gui/file/e1c09e045af8b7301390cd9619e3cca7a96d9d2bba2b5fc3385a093f3d69b6b4/detection wayna.myartsonline.com # Reference: https://twitter.com/cyberwar_15/status/1585965668054073345 docxpcgle.epizy.com imhyoj8.myartsonline.com # Reference: https://twitter.com/souiten/status/1592758204198719488 # Reference: https://www.virustotal.com/gui/file/2e1aca8c86562cc52b8bee6ecc45dabb1c11ebba94c81b059d8859a1b263f1e7/detection yundy.mypressonline.com # Reference: https://twitter.com/cyberwar_15/status/1575476579639078913 attachnents.epizy.com cloud.kcrea.rf.gd ewha-cloud.epizy.com clouds.kvongnum.rf.gd files.khu.rf.gd # Reference: https://asec.ahnlab.com/ko/42163/ (Korean) # Reference: https://otx.alienvault.com/pulse/63766a570640a9c4b0bd052d jojoa.mypressonline.com okihs.mypressonline.com # Reference: https://twitter.com/ThreatBookLabs/status/1593523949664493568 quickedit.o-r.kr www1.quickedit.o-r.kr # Reference: https://twitter.com/souiten/status/1603398380687790080 # Reference: https://www.virustotal.com/gui/file/b9dcf7fe7e8ba30d363a19c2c43fc3eea93d281b10f6ee89cffe2a3e533af442/detection infotechkorea.com # Reference: https://twitter.com/ThreatBookLabs/status/1607989665487032320 m6.p-e.kr # Reference: https://asec.ahnlab.com/en/44680/ # Reference: https://otx.alienvault.com/pulse/63a5a4e0a2d0a650343cda1c 3.supports.o-r.kr conf.simpleedit.n-e.kr configment.p-e.kr dashboard.quikveoriy.o-r.kr digital.pepperbank.kro.kr foward.viewpropile.p-e.kr heungkukfire.p-e.kr inglife.kro.kr k-bank.o-r.kr k-bank1.kro.kr kakaosaving.kro.kr kamco.kbloan.kro.kr kamco.kbloan.r-e.kr kamco.webs.kro.kr kbank.o-r.kr kbloan.r-e.kr naver.o-r.kr naver65.n-e.kr nhlife.kro.kr pepperbank.kro.kr quikveoriy.o-r.kr secure-edit.n-e.kr simpleedit.n-e.kr smartshinhan.kro.kr supports.o-r.kr tos.p-e.kr user2list.kro.kr viewpropile.p-e.kr w1.user2list.kro.kr w3.secure-edit.n-e.kr webs.kro.kr wvw1.user2list.kro.kr wvw3.secure-edit.n-e.kr wwv3.supports.o-r.kr www2.configment.p-e.kr # Reference: https://twitter.com/souiten/status/1614811574119849989 # Reference: https://www.virustotal.com/gui/file/4e5ef5933078edeb09fd7d44f90843f4a221c1754d9d15a39aded79416b40779/detection ielsd.myartsonline.com # Reference: https://asec.ahnlab.com/en/45658/ # Reference: https://otx.alienvault.com/pulse/63c81a99d295f5fc0e67b465 lifehelper.kr # Reference: https://twitter.com/StopMalvertisin/status/1622820104236077056 hydrotec.co.kr/bbs/img/cmg/upload2/ hydrotec.co.kr/bbs/img/cmg/upload3/ # APK /Kisa%20Vaccine.apk /KisaAndroidSecurity.apk