'JustJoin' Landing Page Linked to Suspected DPRK Activity Resurfaces

2025-01-14 Hunt.io

https://hunt.io/blog/justjoin-landing-page-linked-to-suspected-dprk-activity-resurfaces


Hunt identified a Hostwinds server at 23.254.167[.]216 hosting a resurfaced "JustJoin" landing page, a theme previously linked in public reporting to TA444 or BlueNoroff activity. The cluster includes domains such as make-hex-32332e3235342e3136372e323136-rr.1u[.]ms and a0info.v6[.]army, with the hex-encoded domain resolving back to the same IP address. Two additional Hostwinds servers share the same SSH fingerprint, suggesting coordinated infrastructure management, and one exposes mail-related services that could support phishing. The report advises defenders to watch for domains impersonating meeting, fintech, or cryptocurrency services and to pivot on HTML hashes, IPs, domains, and shared SSH keys.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
IPv4    23.254.167.216                     2025-01-14  2026-04-17
HASH    e1f6b7f621a391a9d26e9a196974f3e…   2025-01-14  2026-04-01
IPv4    108.174.194.196                    2025-01-14  2026-04-01
IPv4    108.174.194.44                     2025-01-14  2026-04-01
DOMAIN  taglala.com                        2025-01-14  2025-01-14
