Analysis of the attack components and trojan attack chain in the latest Kimsuky phishing campaign targeting the United States and South Korea
2024-05-13 • Aliyun • Analysis of Kimsuky phishing components and malware attack chain targeting the United States and South Korea
Researchers found a live Kimsuky-linked phishing and malware-delivery site targeting users in the United States and South Korea. The site hosted a PowerShell script under an xrat path that downloaded an encrypted xeno.bin file, decrypted it, dynamically loaded a .NET Xeno-RAT payload, and configured command-and-control at 152.32.243.152:4444. Additional directories contained PHPMailer-based phishing-mail senders, Naver-themed credential-phishing pages, and request logs that exposed suspected victim IP addresses and captured Kakao/Daum/Hanmail account data. The activity matters for DPRK-focused tracking because it connects Kimsuky infrastructure with Xeno-RAT delivery, Korean webmail credential phishing, and victim telemetry spanning South Korea and the United States.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | sisileae.com | 2024-05-13 | 2024-08-07 |
| EMAIL | [email protected] | 2024-05-13 | 2024-05-13 |
| EMAIL | [email protected] | 2024-05-13 | 2024-05-13 |
| EMAIL | [email protected] | 2024-05-13 | 2024-05-13 |
| EMAIL | [email protected] | 2024-05-13 | 2024-05-13 |
| URL | https://nid.oksite.eu/user2/hel… | 2024-05-13 | 2024-05-13 |
| DOMAIN | nid.oksite.eu | 2024-05-13 | 2024-05-13 |
| IPv4 | 63.174.145.72 | 2024-05-13 | 2024-05-13 |
| IPv4 | 14.39.124.117 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.171 | 2024-05-13 | 2024-05-13 |
| IPv4 | 154.30.116.235 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.132.193.133 | 2024-05-13 | 2024-05-13 |
| IPv4 | 152.39.157.173 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.168 | 2024-05-13 | 2024-05-13 |
| IPv4 | 154.30.116.23 | 2024-05-13 | 2024-05-13 |
| IPv4 | 136.57.74.247 | 2024-05-13 | 2024-05-13 |
| IPv4 | 116.40.6.20 | 2024-05-13 | 2024-05-13 |
| IPv4 | 210.1.224.38 | 2024-05-13 | 2024-05-13 |
| IPv4 | 154.30.116.188 | 2024-05-13 | 2024-05-13 |
| IPv4 | 210.109.2.60 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.242 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.53.187.1 | 2024-05-13 | 2024-05-13 |
| IPv4 | 156.146.57.189 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.164 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.146 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.245 | 2024-05-13 | 2024-05-13 |
| IPv4 | 216.19.201.208 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.100.114.76 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.192 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.252 | 2024-05-13 | 2024-05-13 |
| IPv4 | 162.40.209.90 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.129 | 2024-05-13 | 2024-05-13 |
| IPv4 | 210.109.2.23 | 2024-05-13 | 2024-05-13 |
| IPv4 | 39.17.2.221 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.86 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.169 | 2024-05-13 | 2024-05-13 |
| IPv4 | 34.86.212.119 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.166 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.235 | 2024-05-13 | 2024-05-13 |
| IPv4 | 179.61.228.117 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.170 | 2024-05-13 | 2024-05-13 |
| IPv4 | 149.19.252.142 | 2024-05-13 | 2024-05-13 |
| IPv4 | 115.164.140.5 | 2024-05-13 | 2024-05-13 |
| IPv4 | 209.99.179.216 | 2024-05-13 | 2024-05-13 |
| IPv4 | 47.185.40.166 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.100.114.121 | 2024-05-13 | 2024-05-13 |
| IPv4 | 154.30.116.1 | 2024-05-13 | 2024-05-13 |
| IPv4 | 174.81.215.41 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.107 | 2024-05-13 | 2024-05-13 |
| IPv4 | 211.56.96.83 | 2024-05-13 | 2024-05-13 |
| IPv4 | 178.33.144.179 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.126 | 2024-05-13 | 2024-05-13 |
| IPv4 | 206.204.26.75 | 2024-05-13 | 2024-05-13 |
| IPv4 | 71.191.146.250 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.100.114.222 | 2024-05-13 | 2024-05-13 |
| IPv4 | 65.154.226.167 | 2024-05-13 | 2024-05-13 |
| IPv4 | 64.57.140.67 | 2024-05-13 | 2024-05-13 |
| IPv4 | 205.169.39.73 | 2024-05-13 | 2024-05-13 |
| IPv4 | 180.149.9.92 | 2024-05-13 | 2024-05-13 |
| IPv4 | 172.98.71.17 | 2024-05-13 | 2024-05-13 |
| IPv4 | 152.39.197.231 | 2024-05-13 | 2024-05-13 |
| IPv4 | 97.103.225.57 | 2024-05-13 | 2024-05-13 |
| IPv4 | 112.169.24.141 | 2024-05-13 | 2024-05-13 |
| IPv4 | 38.132.193.235 | 2024-05-13 | 2024-05-13 |
| IPv4 | 168.151.135.171 | 2024-05-13 | 2024-05-13 |
| IPv4 | 119.204.225.189 | 2024-05-13 | 2024-05-13 |
| IPv4 | 223.33.165.181 | 2024-05-13 | 2024-05-13 |
| IPv4 | 121.165.59.208 | 2024-05-13 | 2024-05-13 |
| IPv4 | 154.30.116.83 | 2024-05-13 | 2024-05-13 |
| IPv4 | 180.149.8.58 | 2024-05-13 | 2024-05-13 |
| IPv4 | 152.32.243.152 | 2024-05-13 | 2024-05-13 |
| IPv4 | 211.198.48.172 | 2024-05-13 | 2024-05-13 |
| IPv4 | 180.149.8.135 | 2024-05-13 | 2024-05-13 |
| IPv4 | 46.232.208.229 | 2024-05-13 | 2024-05-13 |
| IPv4 | 24.194.196.147 | 2024-05-13 | 2024-05-13 |
| IPv4 | 98.191.207.68 | 2024-05-13 | 2024-05-13 |
| IPv4 | 50.25.217.143 | 2024-05-13 | 2024-05-13 |
| IPv4 | 152.39.192.61 | 2024-05-13 | 2024-05-13 |
| IPv4 | 206.204.21.241 | 2024-05-13 | 2024-05-13 |
| IPv4 | 91.92.216.148 | 2024-05-13 | 2024-05-13 |
| IPv4 | 125.177.216.61 | 2024-05-13 | 2024-05-13 |
| IPv4 | 35.222.190.7 | 2024-05-13 | 2024-05-13 |
| IPv4 | 46.232.209.102 | 2024-05-13 | 2024-05-13 |
| IPv4 | 216.194.85.168 | 2024-05-13 | 2024-05-13 |