Detailing Daily Domain Hunting
2022-11-23 • Joe Słowik
Pylos documents a domain-hunting pivot from suspicious mail-themed infrastructure into a broader set of domains assessed as possibly linked to an in-progress Kimsuky campaign. The activity centered on East Asian, especially South Korean, hosting and on spoofed services and themes such as Google, Naver, Daum, mail, cloud, and certificates. Researchers used hosting data, SMTP/HTTP fingerprints, Let's Encrypt certificates, JA3S values, urlscan content hashes, and passive DNS to connect related infrastructure, including onkrdot[.]info and 92.38.135.213. The report is useful for defenders tracking likely Kimsuky phishing or credential-capture infrastructure, while preserving the source's caveat that no delivered threat had yet been observed.
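To illustrate the pivot described above, here is an added example (not code from Pylos or the original post) that expands from a seed domain across records sharing a hosting IP, JA3S value, or urlscan content hash, keeping the linking evidence for analyst review. Only onkrdot.info, msn-imap.com and 92.38.135.213 come from the page; the JA3S values, hashes and the `.test` domains are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample records mimicking the attributes the write-up pivots on.
# Only onkrdot.info, msn-imap.com and 92.38.135.213 are from the page; every
# other value is invented for illustration.
RECORDS = [
    {"domain": "onkrdot.info", "ip": "92.38.135.213", "ja3s": "ja3s-A",
     "cert_issuer": "Let's Encrypt", "content_hash": "hash-1"},
    {"domain": "msn-imap.com", "ip": "92.38.135.213", "ja3s": "ja3s-A",
     "cert_issuer": "Let's Encrypt", "content_hash": "hash-2"},
    {"domain": "mail-login-portal.test", "ip": "203.0.113.7", "ja3s": "ja3s-A",
     "cert_issuer": "Let's Encrypt", "content_hash": "hash-1"},
    {"domain": "unrelated-shop.test", "ip": "198.51.100.9", "ja3s": "ja3s-B",
     "cert_issuer": "Let's Encrypt", "content_hash": "hash-9"},
]

# Attributes used as pivot keys. The certificate issuer is recorded but not
# pivoted on: Let's Encrypt is shared by millions of hosts and would link
# everything to everything.
PIVOT_KEYS = ("ip", "ja3s", "content_hash")


def build_index(records):
    """Map each (attribute, value) pair to the set of domains carrying it."""
    index = defaultdict(set)
    for r in records:
        for key in PIVOT_KEYS:
            index[(key, r[key])].add(r["domain"])
    return index


def pivot(seed, records, max_hops=2):
    """Breadth-first expansion from a seed domain over shared attributes.
    Returns (hops, evidence): hop distance per domain, and the (key, value)
    pairs that tied each domain to the cluster."""
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    hops, evidence, queue = {seed: 0}, defaultdict(set), deque([seed])
    while queue:
        d = queue.popleft()
        if hops[d] >= max_hops:
            continue
        for key in PIVOT_KEYS:
            value = by_domain[d][key]
            for other in index[(key, value)]:
                if other == d:
                    continue
                evidence[other].add((key, value))
                if other not in hops:
                    hops[other] = hops[d] + 1
                    queue.append(other)
    return hops, dict(evidence)


if __name__ == "__main__":
    hops, evidence = pivot("onkrdot.info", RECORDS)
    for domain, n in sorted(hops.items(), key=lambda kv: kv[1]):
        print(n, domain, sorted(evidence.get(domain, ())))
```

Each linked domain is reported with the attributes that connected it, so a weak single-attribute link (a shared JA3S alone) can be triaged separately from a multi-attribute match.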
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 9b43f670273b6a12b2b6894a9e29157… | 2022-11-23 | 2025-06-17 |
| IPv4 | 92.38.135.213 | 2022-11-23 | 2023-03-28 |
| DOMAIN | onkrdot.info | 2022-11-23 | 2022-11-23 |
| DOMAIN | msn-imap.com | 2022-11-23 | 2022-11-23 |