Identifying North Korean Kimsuky (APT43) Infrastructure

2025-06-17 LCSC-IE

https://medium.com/@LCSC-IE/identifying-north-korean-kimsuky-apt43-infrastructure-b6817a58a65b


The investigation pivots from 158.247.215[.]121 to infrastructure assessed with high confidence as belonging to Kimsuky/APT43. The observed hosts were hosted on Vultr and exposed RDP, WinRM and HTTP services; a repeated RDP certificate common name, CN=Computer-FA06W7, served as the pivot for identifying related systems. Passive DNS and URLscan pivots then surfaced South Korea-themed domains impersonating government, tax, police, document, Naver Works and crypto-login services, including domains resolving to IPs such as 141.164.51[.]224, 158.247.204[.]137, 158.247.242[.]206, 158.247.247[.]157, 141.164.55[.]2 and 27.102.138[.]10. Recurring resource hashes and a suspicious mail.ru[.]php file connected further URLscan captures and hosts to the cluster. The value of the report lies in its repeatable pivot method: certificate reuse, hosting patterns, passive DNS and URLscan artifacts, applied in turn to track suspected Kimsuky infrastructure.
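The pivot chain described above, rendered as an offline Python script so the method can be rerun and extended. This is an added example, not code from the LCSC-IE write-up or from this site. Only the seed IP and the common name CN=Computer-FA06W7 are taken from the article; every other IP is an RFC 5737 documentation address, and all domains, hash prefixes, port sets and hosting-provider labels are constructed fixtures. The mail.ru.php filename check and the free dynamic-DNS suffixes (kro.kr, r-e.kr, p-e.kr) mirror artifacts listed on this page, but the records they are matched against are invented.

```python
"""Pivot chain: RDP cert CN -> same-provider hosts -> passive DNS -> URLscan hashes.

Added example, not from the original write-up. All records below are
constructed fixtures: only SEED_IP and the common name come from the article.
"""
import re
from collections import defaultdict

SEED_IP = "158.247.215.121"                    # starting point named in the article

# Constructed host-scan records (hypothetical; other IPs are RFC 5737 test space).
HOSTS = [
    {"ip": SEED_IP,        "org": "Vultr",      "ports": {3389, 5985, 80}, "rdp_cn": "CN=Computer-FA06W7"},
    {"ip": "203.0.113.10", "org": "Vultr",      "ports": {3389, 5985},     "rdp_cn": "CN=Computer-FA06W7"},
    {"ip": "203.0.113.11", "org": "Vultr",      "ports": {3389, 80},       "rdp_cn": "CN=Computer-FA06W7"},
    {"ip": "198.51.100.5", "org": "OtherCloud", "ports": {3389},           "rdp_cn": "CN=Computer-FA06W7"},
    {"ip": "198.51.100.6", "org": "Vultr",      "ports": {3389, 5985},     "rdp_cn": "CN=WIN-2K19"},
]

# Constructed passive-DNS resolutions: (ip, domain).
PDNS = [
    ("203.0.113.10", "hometx.tax-example.kro.kr"),
    ("203.0.113.11", "nid.police-example.p-e.kr"),
    ("198.51.100.5", "login.wallet-example.r-e.kr"),
    ("198.51.100.6", "shop.unrelated.example"),
    ("192.0.2.77",   "docs.gov-example.kro.kr"),   # never scanned; only reachable via the hash pivot
]

# Constructed URLscan-style captures: (domain, resource hash prefix, resource filename).
URLSCAN = [
    ("hometx.tax-example.kro.kr", "aaaa1111", "login.js"),
    ("nid.police-example.p-e.kr", "aaaa1111", "login.js"),
    ("nid.police-example.p-e.kr", "bbbb2222", "mail.ru.php"),
    ("docs.gov-example.kro.kr",   "aaaa1111", "login.js"),
    ("shop.unrelated.example",    "deadbeef", "app.js"),
]

THEME_RE = re.compile(r"tax|police|nts|nid|naver|gov|login|wallet|doc", re.I)
DDNS_SUFFIXES = (".kro.kr", ".r-e.kr", ".p-e.kr")   # free DDNS suffixes seen in the IOC list
SUSPICIOUS_FILES = {"mail.ru.php"}                  # artifact named in the article


def defang(ioc):
    """Bracket the last dot so the indicator does not auto-link when pasted."""
    head, _, tail = ioc.rpartition(".")
    return f"{head}[.]{tail}" if head else ioc


def cert_pivot(seed_ip, hosts):
    """Hosts sharing the seed's RDP cert CN, graded by provider and admin-port profile."""
    seed = next(h for h in hosts if h["ip"] == seed_ip)
    graded = {}
    for h in hosts:
        if h["rdp_cn"] != seed["rdp_cn"]:
            continue
        same_org = h["org"] == seed["org"]
        admin_exposed = {3389, 5985} <= h["ports"]        # RDP and WinRM both open
        graded[h["ip"]] = "high" if same_org and admin_exposed else "medium" if same_org else "low"
    return graded


def dns_pivot(ips, pdns):
    """Domains that resolved to any of the clustered IPs."""
    return {dom for ip, dom in pdns if ip in ips}


def hash_pivot(domains, urlscan):
    """A resource hash seen on two or more clustered domains becomes a pivot that pulls in
    every other domain serving the same resource, even if its IP was never scanned."""
    by_hash = defaultdict(set)
    for dom, h, _ in urlscan:
        by_hash[h].add(dom)
    pivots = {h for h, doms in by_hash.items() if len(doms & domains) >= 2}
    expanded = set(domains).union(*(by_hash[h] for h in pivots))
    return pivots, expanded


def pivot(seed_ip, hosts=HOSTS, pdns=PDNS, urlscan=URLSCAN):
    """Run one round of the chain and return the cluster plus seeds for the next round."""
    ips = cert_pivot(seed_ip, hosts)
    trusted = {ip for ip, grade in ips.items() if grade != "low"}   # do not chain off weak matches
    domains = dns_pivot(trusted, pdns)
    hashes, domains = hash_pivot(domains, urlscan)
    return {
        "ips": ips,
        "domains": domains,
        "hashes": hashes,
        "next_ips": {ip for ip, d in pdns if d in domains and ip not in ips},  # seeds for the next round
        "themed": {d for d in domains if THEME_RE.search(d) and d.endswith(DDNS_SUFFIXES)},
        "suspicious_files": {d for d, _, f in urlscan if f in SUSPICIOUS_FILES and d in domains},
    }


if __name__ == "__main__":
    result = pivot(SEED_IP)
    for ip, grade in sorted(result["ips"].items()):
        print(f"IPv4   {defang(ip):<22} {grade}")
    for d in sorted(result["domains"]):
        print(f"DOMAIN {defang(d)}")
    print("pivot hashes:", sorted(result["hashes"]), "| next IPs:", sorted(map(defang, result["next_ips"])))
```

The confidence grading is the point of the design: a shared certificate CN on its own is a weak signal, so the script only chains passive DNS off hosts that also match the seed's hosting provider, and it only promotes a resource hash to a pivot when two or more already-clustered domains serve it. Domains reached through the hash pivot yield new IPs in `next_ips`, which feed the next round against the host-scan data; running it to a fixed point is the repeatable loop the write-up relies on.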

Indicators of Compromise

Type    Value                              First Seen   Last Seen
IPv4    158.247.192.226                    2025-06-17   2026-04-17
IPv4    158.247.242.206                    2025-06-17   2026-04-17
IPv4    158.247.215.121                    2025-06-17   2026-04-17
IPv4    158.247.204.137                    2025-06-17   2026-04-17
HASH    26ba5b01f614a215b948a5700338575…   2025-06-17   2025-06-17
HASH    9947d3f5c4ea436c15a94373cb36e46…   2025-06-17   2025-06-17
HASH    04d14da053c42397c48a54fe61850dd…   2025-06-17   2025-06-17
DOMAIN  login.online-mexc.kro.kr           2025-06-17   2025-06-17
DOMAIN  coupick.co.kr                      2025-06-17   2025-06-17
DOMAIN  nts.departmentedoc.r-e.kr          2025-06-17   2025-06-17
DOMAIN  nid.policegoalsvc.p-e.kr           2025-06-17   2025-06-17
DOMAIN  hometx.taxdepartmentsvc.kro.kr     2025-06-17   2025-06-17
DOMAIN  brownsix.com                       2025-06-17   2025-06-17
IPv4    141.164.51.224                     2025-06-17   2025-06-17
IPv4    141.164.55.2                       2025-06-17   2025-06-17
IPv4    158.247.247.157                    2025-06-02   2025-06-17
HASH    9b43f670273b6a12b2b6894a9e29157…   2022-11-23   2025-06-17

Hash values are shown as truncated prefixes; take the full digests from the linked article before using them for exact matching.
