Russian Emails Used by North Korean Kimsuky to Commit Credential Theft Attacks – Active IOCs

2024-12-04 Rewterz

https://www.rewterz.com/threat-advisory/russian-emails-used-by-north-korean-kimsuky-to-commit-credential-theft-attacks-active-iocs


Kimsuky is reported to have used Russian-looking sender addresses in credential-theft phishing, after earlier waves relied mainly on Korean and Japanese email providers. The activity abused Mail.ru (VK) alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru, to impersonate online portals and financial organizations such as Naver. Some MYBOX-themed lures claimed that dangerous files had been found in the victim's cloud account, creating urgency and pushing users toward malicious links. Researchers also found that messages appearing to come from mmbox.ru and ncloud.ru were actually sent through a compromised Evangelia University email server using the Star PHP mailer, consistent with prior Kimsuky use of legitimate mailer tools. The campaign matters because stolen credentials could enable account takeover and follow-on social engineering against the victim's colleagues or contacts.
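As an added defender-side illustration (not code from the advisory), the check below triages raw message headers for the pattern described above: a From: address on one of the abused Mail.ru alias domains whose envelope sender, authentication results, or mailer header do not match a genuine Mail.ru submission. Header values and the sample messages are constructed; the X-Mailer string is assumed and will often be absent or forged in real traffic.

```python
# Triage of the sender-impersonation pattern described in the advisory.
# All sample headers/values below are constructed for the example.
from email import message_from_string
from email.utils import parseaddr

# Mail.ru alias domains the advisory reports as abused for impersonation.
ABUSED_SENDER_DOMAINS = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru",
                         "list.ru", "mmbox.ru", "ncloud.ru"}
# Wording reported for the MYBOX-themed lures.
LURE_KEYWORDS = ("mybox", "dangerous file", "cloud account")

def sender_domain(value):
    """Lower-cased domain of an address header, or '' when absent."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return finding labels for one raw RFC 5322 message (empty = no match)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    if from_dom not in ABUSED_SENDER_DOMAINS:
        return findings                      # not a domain of interest
    findings.append(f"from-domain:{from_dom}")
    rp_dom = sender_domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:        # envelope sender disagrees with From:
        findings.append(f"return-path-mismatch:{rp_dom}")
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):    # any non-pass result is worth a look
        if f"{mech}=fail" in auth or f"{mech}=none" in auth:
            findings.append(f"{mech}-not-pass")
    if "php" in (msg.get("X-Mailer") or "").lower():   # assumed mailer fingerprint
        findings.append("php-mailer")
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower() + (msg.get("Subject") or "").lower()
    if any(k in text for k in LURE_KEYWORDS):
        findings.append("mybox-lure-wording")
    return findings

# Constructed phish: From: claims mail.ru, but envelope and auth say otherwise.
SAMPLE_PHISH = """From: "MYBOX Security" <support@mail.ru>
Return-Path: <www-data@relay.example.edu>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example.edu; dkim=none
X-Mailer: PHP/8.1 (constructed)
Subject: Dangerous file detected in your cloud account

A dangerous file was found in your MYBOX cloud account. Verify your login now.
"""
# Constructed legitimate message from the same domain: only the domain label fires.
SAMPLE_BENIGN = """From: <friend@mail.ru>
Return-Path: <friend@mail.ru>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: lunch

See you at noon.
"""
```

Domain membership alone is not a verdict; the benign sample shows that a properly authenticated Mail.ru message yields only the domain label, so alerting should require at least one mismatch or lure finding on top of it.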

Indicators of Compromise

