North Korea-linked Thallium group continues the 'Blue Estimate' APT campaign
2020-11-12 • ESTSecurity
ESRC reported continued activity by the North Korea-linked Thallium (Kimsuky) group under its Blue Estimate APT campaign, with new malicious files produced in November 2020. The activity targeted South Korean science, technology, and defense-related organizations and used reconnaissance and intrusion emails tied to C2 hosts such as kaist.r-naver[.]com, kaist.krfa[.]ml, kaist-ac[.]xyz, vpn.karist[.]cf, and app.veryton[.]ml, hostnames that borrow the KAIST and Naver names. A newly found 64-bit DLL with the export (internal) name ut_zeus(x64).dll connected to app.veryton[.]ml, while an earlier 32-bit variant used eastsea.or[.]kr. ESRC linked the infrastructure to prior Thallium operations through shared IP ranges, Porkbun registrations, recurring domains, and registrant email patterns. Note that the indicator list below mixes attacker infrastructure with legitimate services the report merely references, such as outlook.com (an impersonated brand) and porkbun.com (the registrar); those entries are context for the attribution, not blocklist material.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | outlook.com | 2018-09-06 | 2026-04-17 |
| DOMAIN | kimm.r-naver.com | 2020-11-12 | 2023-07-25 |
| IPv4 | 45.13.135.103 | 2020-03-04 | 2021-06-01 |
| EMAIL | [email protected] | 2020-11-12 | 2020-11-12 |
| EMAIL | [email protected] | 2020-11-12 | 2020-11-12 |
| EMAIL | [email protected] | 2020-11-12 | 2020-11-12 |
| URL | https://porkbun.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | udaum.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | binance.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | shinpoong.r-naver.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | renk-ag.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | bidmc.accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | nhn.webuserinfo.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | snt.member-info.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | kaist-ac.xyz | 2020-11-12 | 2020-11-12 |
| DOMAIN | pusan.accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | webuserinfo.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | yonsei.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | kasse.hdactech.info | 2020-11-12 | 2020-11-12 |
| DOMAIN | pro-navor.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | kaist.r-naver.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | yahoocenter.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | vdaum.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | daum-center.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | shinpoong.accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | naver.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | jnj.accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | logenv.rrnaver.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | rrnaver.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | mail.kaist-ac.xyz | 2020-11-12 | 2020-11-12 |
| DOMAIN | genexine.member-info.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | outlook.accountcheck.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | ukroboronprom.udaum.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | logins.udaum.net | 2020-11-12 | 2020-11-12 |
| DOMAIN | nidlogin.c-naver.com | 2020-11-12 | 2020-11-12 |
| DOMAIN | duaum.net | 2020-11-12 | 2020-11-12 |
| IPv4 | 143.248.155.65 | 2020-11-12 | 2020-11-12 |
| IPv4 | 216.189.159.36 | 2020-11-12 | 2020-11-12 |
| DOMAIN | eastsea.or.kr | 2020-11-02 | 2020-11-12 |
| IPv4 | 185.224.137.164 | 2020-02-18 | 2020-11-12 |
| DOMAIN | member-authorize.com | 2019-10-04 | 2020-11-12 |
| IPv4 | 185.224.138.29 | 2019-03-04 | 2020-11-12 |
| DOMAIN | my-homework.890m.com | 2019-01-30 | 2020-11-12 |
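The indicator table above is more useful once it is normalized and pivoted: the registrable domains become a blocklist, the subdomain labels reveal which organizations each phishing domain impersonated (bidmc, jnj, pusan, shinpoong under accountcheck.net, for instance), and the naver/daum/kaist lookalike pattern can catch sister domains that are not yet on any list. The following Python script is an added example, not tooling from the ESRC report. It assumes a two-entry allowlist of legitimate services that appear in the feed (outlook.com, porkbun.com), a dnsmasq-style query log format, and a simplified registrable-domain rule (two labels, or three under .or.kr-style suffixes) in place of the public suffix list; the sample log lines are constructed.

```python
"""Added example (not the ESRC report's code): turn the IOC table above into a
blocklist, group hostnames by registrable domain to expose the spoofed
organizations, and hunt a DNS query log for hits and unlisted lookalikes."""
import re

# Brands the Blue Estimate domains imitate, read off the table above.
BRANDS = ("naver", "daum", "kaist", "outlook", "yahoo", "binance")

# Assumption: legitimate services the report only mentions (Porkbun as the
# registrar, Outlook as a spoofed brand). They sit in the IOC feed but must
# never reach a blocklist.
LEGIT_APEX = {"outlook.com", "porkbun.com"}

# Subset of the table's domains, deliberately mixing defanged and plain forms.
IOC_DOMAINS = [
    "kaist.r-naver[.]com", "kaist-ac[.]xyz", "mail.kaist-ac.xyz", "app.veryton[.]ml",
    "udaum.net", "logins.udaum.net", "ukroboronprom.udaum.net", "vdaum.net", "duaum.net",
    "nidlogin.c-naver.com", "rrnaver.com", "logenv.rrnaver.com", "pro-navor.com",
    "accountcheck.net", "bidmc.accountcheck.net", "jnj.accountcheck.net",
    "pusan.accountcheck.net", "outlook.accountcheck.net", "shinpoong.accountcheck.net",
    "member-info.net", "binance.member-info.net", "yonsei.member-info.net",
    "eastsea.or.kr", "outlook.com", "porkbun.com",
]

CC_SECOND_LEVEL = {"or", "co", "ac", "ne", "go", "re", "pe"}   # .or.kr, .co.kr, ...

def refang(name: str) -> str:
    """Undo [.] / (.) defanging and normalize case."""
    return re.sub(r"[\[(]\.[\])]", ".", name.strip()).lower().rstrip(".")

def apex(name: str) -> str:
    """Registrable domain. Simplification (assumption): two labels, or three
    under ccTLD second-level suffixes like .or.kr; no public suffix list."""
    labels = refang(name).split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character brand typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(name: str):
    """Brand a registrable domain imitates, or None. The genuine apex
    (naver.com) is not a lookalike: its label equals the brand exactly."""
    sld = apex(name).split(".")[0]
    if sld in BRANDS:
        return None
    tokens = set(sld.split("-")) | {sld.replace("-", "")}   # r-naver, pro-navor, rrnaver
    for brand in BRANDS:
        for tok in tokens:
            if brand in tok or (len(tok) >= 4 and levenshtein(tok, brand) <= 1):
                return brand
    return None

def blocklist(iocs=IOC_DOMAINS) -> set:
    """Registrable domains to block, minus the legitimate services."""
    return {apex(d) for d in iocs} - LEGIT_APEX

def spoofed_orgs(iocs=IOC_DOMAINS) -> dict:
    """Map each attacker apex to the label directly left of it; in this
    campaign those labels name the organizations being impersonated."""
    out = {}
    for d in iocs:
        host, ap = refang(d), apex(d)
        if ap in LEGIT_APEX or host == ap:
            continue
        out.setdefault(ap, set()).add(host[: -len(ap) - 1].split(".")[-1])
    return {k: sorted(v) for k, v in out.items()}

def hunt(log_lines, iocs=IOC_DOMAINS) -> list:
    """Match DNS query log lines against the blocklist (any subdomain counts)
    and flag unlisted lookalikes. Returns (queried name, apex, reason)."""
    block, hits = blocklist(iocs), []
    for line in log_lines:
        m = re.search(r"query\[\w+\]\s+(\S+)", line)   # dnsmasq "query[A] host from ip"
        if not m:
            continue
        qname = refang(m.group(1))
        ap = apex(qname)
        if ap in block:
            hits.append((qname, ap, "ioc"))
        elif ap not in LEGIT_APEX and (brand := lookalike_brand(qname)):
            hits.append((qname, ap, f"lookalike:{brand}"))
    return hits

# Constructed sample log (dnsmasq-style), not from the report.
SAMPLE_LOG = [
    "Nov 12 09:14:02 dnsmasq[512]: query[A] logins.udaum.net from 10.0.0.5",
    "Nov 12 09:14:09 dnsmasq[512]: query[A] mail.naver.com from 10.0.0.5",
    "Nov 12 09:15:30 dnsmasq[512]: query[A] outlook.com from 10.0.0.7",
    "Nov 12 09:16:41 dnsmasq[512]: query[AAAA] nid.navar-center.com from 10.0.0.9",
    "Nov 12 09:17:03 dnsmasq[512]: query[A] app.veryton.ml from 10.0.0.5",
]

if __name__ == "__main__":
    for ap, orgs in sorted(spoofed_orgs().items()):
        print(f"{ap:<20} {', '.join(orgs)}")
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Run stand-alone, the script lists each attacker apex with the organizations spoofed beneath it and reports three hits from the sample log: two direct IOC matches and one unlisted lookalike (navar-center.com, one edit away from naver), while the genuine mail.naver.com and outlook.com queries pass. The lookalike heuristic is intentionally narrow (substring or one-edit match on a label of at least four characters) so that the genuine brand apex never triggers it; widen it only with an allowlist of the real brand domains in place.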