850 Hostnames, 6 Servers, 1 Kill Chain: Mapping Kimsuky's 2026 Korean Credential Harvesting Machine

2026-04-17 Break Glass Intelligence

https://intel.breakglass.tech/post/kimsuky-2026-korea-840-hostnames-5-nodes

Breakglass Intelligence maps a large Kimsuky credential-harvesting operation targeting South Korean users through Naver, National Tax Service, NHIS, NongHyup, National Pension Service, and Kakao impersonation themes. The investigation consolidates six infrastructure nodes across providers including Vultr Seoul, Kaopu Cloud HK, UCLOUD HK, Namecheap, and DAOU Technology, with more than 850 phishing hostnames, 65 registered domains, and extensive abuse of dynamic DNS providers. The excerpt describes geofenced Korea-only delivery, browser and bot filtering, compromised SMTP accounts, Telegram bot exfiltration, recovered phishing-kit material, and one confirmed victim with credential and session-cookie capture. It also documents a CHM dropper-to-keylogger chain with exposed C2 directory listing and a shared “Million OK !!!!” server fingerprint, making the report useful for defenders tracking DPRK credential theft infrastructure and active Kimsuky tradecraft.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN 1cooldns.com 2026-04-17 2026-06-01
DOMAIN dynuddns.com 2026-04-17 2026-06-01
DOMAIN giize.com 2026-04-17 2026-06-01
IPv4 118.193.68.242 2026-04-17 2026-06-01
IPv4 152.32.139.149 2026-03-12 2026-06-01
IPv4 158.247.219.150 2026-04-17 2026-04-21
IPv4 158.247.250.37 2026-04-17 2026-04-21
YARA Kimsuky_NHIS_Phishing_Page 2026-04-17 2026-04-17
YARA Kimsuky_CHM_Dropper_Node5 2026-04-17 2026-04-17
YARA Kimsuky_Blog_Harvest_DDNS_Config 2026-04-17 2026-04-17
YARA Kimsuky_Phishing_Kit_Glype_PHPr… 2026-04-17 2026-04-17
HASH 66af61e3e376284f691d449d0042e8b… 2026-04-17 2026-04-17
HASH 6f90f6b96fe3a5b79c1935211f557a08 2026-04-17 2026-04-17
HASH 7a3a72197574dcc653332f47bf4fb58… 2026-04-17 2026-04-17
HASH 6aa51c23f0319a6b940072274adf47a… 2026-04-17 2026-04-17
HASH ac33ba08410f39cf13c9a08a01582bce 2026-04-17 2026-04-17
HASH 86d278bf55d25df08ce3b1c46513c6e… 2026-04-17 2026-04-17
HASH 261cfc8ccda28c89b225e442e094e57… 2026-04-17 2026-04-17
HASH 8d009fbbf5f634e1f715385fde3da14… 2026-04-17 2026-04-17
HASH f759ccb6886234c63a66abd6102c636… 2026-04-17 2026-04-17
HASH 08815400eb034d0c760d031e735bd392 2026-04-17 2026-04-17
HASH 419762fb355c722f749b689eae7c310… 2026-04-17 2026-04-17
HASH 51ab17a51cc000bbae89980082c5728… 2026-04-17 2026-04-17
HASH fbb36c3173a4b467fcc7fea566b3ddf… 2026-04-17 2026-04-17
HASH 6d03fd0b89fe997408b9e9e3d5ead602 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
EMAIL [email protected] 2026-04-17 2026-04-17
URL http://chk.uncork.biz/nportal/?… 2026-04-17 2026-04-17
URL http://noreplymail.space/BitJok… 2026-04-17 2026-04-17
URL http://check.nid-log.com/api/bo… 2026-04-17 2026-04-17
DOMAIN reg.ru 2026-04-17 2026-04-17
DOMAIN ncodbsverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN nid.ncodbvverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN ncodbvverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN nhis-kr.xyz 2026-04-17 2026-04-17
DOMAIN one1232.com 2026-04-17 2026-04-17
DOMAIN ndocavverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN ndocadverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN belluster.com 2026-04-17 2026-04-17
DOMAIN nhisnews.xyz 2026-04-17 2026-04-17
DOMAIN nhispost.xyz 2026-04-17 2026-04-17
DOMAIN backendapi.rootive.kr 2026-04-17 2026-04-17
DOMAIN homestax.info 2026-04-17 2026-04-17
DOMAIN gleeze.com 2026-04-17 2026-04-17
DOMAIN cafe.naver.one1232.com 2026-04-17 2026-04-17
DOMAIN dedyn.io 2026-04-17 2026-04-17
DOMAIN dynuddns.net 2026-04-17 2026-04-17
DOMAIN verify.dynv6.net 2026-04-17 2026-04-17
DOMAIN id.dynv6.net 2026-04-17 2026-04-17
DOMAIN s.dynv6.net 2026-04-17 2026-04-17
DOMAIN ndocazverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN ndocawverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN nhisposting.xyz 2026-04-17 2026-04-17
DOMAIN rootive.kr 2026-04-17 2026-04-17
DOMAIN freeddns.org 2026-04-17 2026-04-17
DOMAIN api.rootive.kr 2026-04-17 2026-04-17
DOMAIN ndocayverify.dynv6.net 2026-04-17 2026-04-17
DOMAIN nid.ndocazverify.dynv6.net 2026-04-17 2026-04-17
IPv4 152.32.138.158 2026-04-17 2026-04-17
IPv4 175.115.14.22 2026-04-17 2026-04-17
IPv4 158.247.197.123 2026-04-17 2026-04-17
IPv4 101.36.114.168 2026-04-17 2026-04-17
IPv4 165.154.52.8 2026-04-17 2026-04-17
IPv4 38.54.40.15 2026-04-17 2026-04-17
IPv4 152.32.138.225 2026-04-17 2026-04-17
IPv4 38.54.40.154 2026-04-17 2026-04-17
IPv4 150.241.80.3 2026-04-17 2026-04-17
IPv4 158.247.227.83 2026-04-17 2026-04-17
IPv4 38.60.220.64 2026-04-17 2026-04-17
IPv4 69.197.148.159 2026-04-17 2026-04-17
IPv4 141.164.61.168 2026-04-17 2026-04-17
IPv4 38.54.40.51 2026-04-17 2026-04-17
IPv4 158.247.239.225 2026-04-17 2026-04-17
IPv4 118.193.68.25 2026-04-17 2026-04-17
IPv4 38.60.220.102 2026-04-17 2026-04-17
HASH d7c09e7bf79aa9b786dcd9f870427f4… 2026-04-11 2026-04-17
HASH af50f35701916d3909f2727cdcbde1a… 2026-04-11 2026-04-17
HASH 85f8f8a3f28d2956776fbbd0365cdb7… 2026-04-11 2026-04-17
HASH a36576a096db24a1c91327eb547dedf… 2026-04-11 2026-04-17
HASH 0ac44ad9cfbc58ed76415f7bc79239f9 2026-04-11 2026-04-17
HASH 1eff237dee95172363bfc0342d0389f… 2026-04-11 2026-04-17
URL http://check.nid-log.com/api/fi… 2026-04-11 2026-04-17
URL http://check.nid-log.com/api/bo… 2026-04-11 2026-04-17
URL http://check.nid-log.com/api/ch… 2026-04-11 2026-04-17
DOMAIN verify.efine-log.kro.kr 2026-04-11 2026-04-17
DOMAIN udalyonka.com 2026-04-11 2026-04-17
DOMAIN nid-htl.duckdns.org 2026-04-11 2026-04-17
DOMAIN nid-log.com 2026-04-11 2026-04-17
DOMAIN chk.uncork.biz 2026-04-11 2026-04-17
DOMAIN nid-navertca.servehalflife.com 2026-04-11 2026-04-17
DOMAIN nid-naverpep.servequake.com 2026-04-11 2026-04-17
DOMAIN nid-naverfxc.servecounterstrike… 2026-04-11 2026-04-17
DOMAIN uncork.biz 2026-04-11 2026-04-17
DOMAIN nid-navercwu.servecounterstrike… 2026-04-11 2026-04-17
IPv4 27.102.137.38 2026-04-11 2026-04-17
IPv4 38.60.220.135 2026-04-11 2026-04-17
IPv4 27.102.138.45 2026-04-11 2026-04-17
IPv4 51.79.185.184 2026-04-11 2026-04-17
IPv4 130.94.29.111 2026-04-11 2026-04-17
IPv4 27.102.137.150 2026-04-11 2026-04-17
IPv4 162.255.119.150 2026-04-11 2026-04-17
IPv4 118.194.249.109 2026-03-12 2026-04-17
IPv4 158.247.240.40 2025-08-29 2026-04-17
IPv4 158.247.230.196 2025-06-19 2026-04-17
IPv4 158.247.202.109 2025-06-19 2026-04-17
IPv4 158.247.192.226 2025-06-17 2026-04-17
IPv4 158.247.242.206 2025-06-17 2026-04-17
IPv4 158.247.215.121 2025-06-17 2026-04-17
IPv4 158.247.204.137 2025-06-17 2026-04-17
HASH 7047878f4fbea323148f6554afe6169… 2025-06-05 2026-04-17
HASH a76af8176da28fdab47f9a77d50eb0e… 2025-06-05 2026-04-17
HASH 4599ac1bbe483c73064df1353feafd01 2025-06-05 2026-04-17
DOMAIN noreplymail.space 2025-06-05 2026-04-17
EMAIL [email protected] 2025-05-28 2026-04-17
EMAIL [email protected] 2025-05-08 2026-04-17
EMAIL [email protected] 2024-12-10 2026-04-17
IPv4 123.58.200.13 2024-12-10 2026-04-17
IPv4 118.193.69.248 2024-12-10 2026-04-17
IPv4 123.58.200.50 2024-12-10 2026-04-17
IPv4 118.193.68.146 2024-12-10 2026-04-17
IPv4 101.36.114.153 2024-12-10 2026-04-17
IPv4 152.32.243.184 2024-12-10 2026-04-17
IPv4 152.32.138.191 2024-12-10 2026-04-17
IPv4 118.194.248.148 2024-12-10 2026-04-17
IPv4 152.32.138.63 2024-12-10 2026-04-17
IPv4 152.32.243.153 2024-12-10 2026-04-17
DOMAIN bk.ru 2024-12-04 2026-04-17
DOMAIN internet.ru 2024-12-02 2026-04-17
DOMAIN inbox.ru 2024-12-02 2026-04-17
DOMAIN rambler.ru 2019-12-12 2026-04-17
