A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

2026-04-21 Break Glass Intelligence

https://intel.breakglass.tech/post/kimsuky-third-vultr-seoul-60-domains-ddns-rotation-naver-nts

Breakglass Intelligence attributes 158.247.210.58, a Vultr Seoul VPS, to the same Kimsuky-aligned infrastructure cluster as two previously documented Vultr Seoul systems. Passive DNS showed more than 60 domains over an 18-month window, with 31 still resolving at publication and naming patterns impersonating Naver, the Korean National Tax Service/HomeTax, and Korean government services. The actor rotated across DDNS providers including mydns, dynv6, dns.army, dns.navy, and kro.kr, suggesting disposable infrastructure management and adaptation to blocklisting. Historical passive DNS tied the VPS to johnnytogdstudio[.]xyz as far back as 2020, indicating unusually long-lived cloud infrastructure control. The report is useful for hunting Korean credential-phishing infrastructure through DDNS patterns, Vultr Seoul hosting, and Naver/NTS-themed domain conventions.

Indicators of Compromise

