DPRK UNC3782
2025-11-09 • Wickeren
The research tracks UNC3782 infrastructure, pivoting first from Mandiant-shared indicators, and finds extensive phishing activity impersonating Naver Corp from 2021 through late 2022. The author identifies hundreds of Naver typosquat domains, WHOIS registration patterns, and operator email addresses, including repeated personas and Hostinger-linked accounts used across related domains. The cluster later registered cryptocurrency-themed domains, including NFT and crypto names that were still live in the observed 2025 window, marking a shift from the earlier Naver-focused targeting. The report also notes overlap seen by Mandiant with DPRK APT43/Kimsuky but explicitly says it remains unclear whether UNC3782 is APT43, so the evidence is most useful for infrastructure and phishing-tradecraft tracking rather than for definitive attribution.
Indicators of Compromise