DPRK Captive Portal Infrastructure Found in Testing

2026-05-26 • NKInternet •

https://nkinternet.com/2026/05/26/dprk-captive-portal-infrastructure-found-in-testing/

#T1102.002 #OpSec

Thumbnail for DPRK Captive Portal Infrastructure Found in Testing

NK Internet observed 175.45.176.97 in the DPRK IP range returning a 302 redirect to recoshield.com between May 14 and May 17, 2026, with headers showing Apache on Rocky Linux and PHP. Further probing exposed a captive portal-style framework that checked Google favicon loading, redirected users based on connectivity, and used Korean code comments describing mobile-network timeout behavior and a CORS-avoidance technique. The visible lure was a mobile Huawei-themed WiFi error page that sent a POST request containing a sectoken before redirecting users to the legitimate WiFi Analyzer Pro Android app. Commented package-name values for YouTube, Instagram, and Netflix suggest the Play Store redirect target may have been a placeholder while a rogue access point workflow was being tested.

Indicators of Compromise

Type	Value	First Seen	Last Seen
DOMAIN	recoshield.com	2026-05-26	2026-05-26
URL	http://175.45.176.97/1/	2026-05-26	2026-05-26
IPv4	175.45.176.97	2026-05-26	2026-05-26

Related Reports

2026-05-28 • 40% Match

Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

Safe Dep

#NPM #FamousChollima #T1102.002 #T1119 #T1059.003 #T1567.002 #T1005 #T1113 #T1195.002 #T1056.001 #T1567 #T1543.001 #T1552 #T1547.001 #T1053.005 #T1059.001 #T1053 #T1102 #T1059 #T1195 #T1543 #T1552.004 #T1543.004 #T1547 #T1056 #HuggingFace

Shares tag: T1102.002 • Published within a week

2025-12-08 • 35% Match

Hunting For North Korean Fiber Optic Cables

NKInternet

#OpSec

Shares tag: OpSec • Same author: NKInternet

2026-04-17 • 30% Match

850 Hostnames, 6 Servers, 1 Kill Chain: Mapping Kimsuky's 2026 Korean Credential Harvesting Machine

Break Glass Intelligence

#Kimsuky #Phishing #T1102.002 #T1082 #T1140 #T1041 #T1113 #T1608.001 #T1071.001 #T1115 #T1083 #T1497 #T1056.001 #T1204.001 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1567 #T1057 #T1059.005 #T1583.006 #T1583.003 #T1204.004 #T1518.001 #T1568.001 #T1566.001 #T1547.001 #T1585.002 #T1056.003 #T1053.005 #T1539 #T1608.005 #T1598.003 #T1590.005 #T1583.001 #T1059.001 #T1036.005

Shares tag: T1102.002

2026-01-13 • 25% Match

APT PROFILE – KIMSUKI

Cyfirma

#Kimsuky #T1102.002 #T1059.003 #T1567.002 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1059.005 #T1583.006 #T1566.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1566 #T1585.001 #T1656 #T1205 #T1105 #T1055 #T1553.002 #T1620 #T1102.001 #T1027.002 #T1133 #T1190 #T1593 #T1588.002 #T1657 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1585 #T1593.002 #T1598 #T1583 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1588.003 #T1589.003 #T1594 #T1218.010 #T1557 #T1219.002 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1596

Shares tag: T1102.002

2025-08-29 • 20% Match

Operation HanKook Phantom: APT37 Spear-Phishing Campaign

Seqrite

#APT37 #RokRAT #LNK #T1102.002 #T1027.013 #T1082 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1083 #T1204.001 #T1204.002 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1123 #T1087.001 #T1056.002 #T1574.001 #T1217 #T1027.009 #T1529 #T1055.009 #T1055.001

Shares tag: T1102.002

2025-08-18 • 20% Match

The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

Trellix

#Kimsuky #Phishing #LNK #XenoRAT #T1102.002 #T1082 #T1567.002 #T1071.001 #T1112 #T1083 #T1027 #T1204.002 #T1566.002 #T1059.005 #T1566.001 #T1053.005 #T1059.001 #T1036.005 #T1105 #T1087.001 #T1106 #T1134 #T1071.004 #T1568 #T1102.003 #T1569 #T1033 #T1569.002

Shares tag: T1102.002

« Back