Tracking North Korea Nation-State APT Infrastructure: Kimsuky
2026-06-01 • Idanmalihi
https://idanmalihi.com/tracking-north-korea-nation-state-apt-infrastructure-kimsuky/
Infrastructure hunting that started from the Kimsuky-linked seed domain xpo.coupang.dns.navy expanded a single public indicator into a mapped cluster of 43 servers and 664 associated domains. The pivots that held the cluster together were repeated hosting in AS135377 (UCloud Information Technology (HK) Limited), matching HTTP response and HTML page fingerprints across servers, the same exposed services (RDP alongside the web ports), and recurring Korean-themed lure names that impersonate login, document-viewing and delivery services: nid.naver.* hosts mimicking NAVER's real login host nid.naver.com, and names built around Korean tax (nts, htax), postal and delivery (epost, delivery), government (mois, kisa, police) and brand (Kakao, Coupang) themes. On that basis the report attributes the cluster to Kimsuky with moderate-to-high confidence, citing infrastructure overlaps, hosting patterns, fingerprint correlation and consistency with previously reported DPRK cyber-espionage operations.

Two caveats for anyone operationalising the list below. Most hostnames sit under free dynamic-DNS and subdomain services (dns.army, dns.navy, dynv6.net, mydns.vc, o-r.kr, r-e.kr and others), so block or alert on the full hostname, never the parent zone, which is shared with unrelated users; likewise the IPv4 addresses sit in a large cloud provider's ranges and should be treated as time-bounded rather than permanent indicators. Most rows carry a first-seen and last-seen date equal to the publication date, 2026-06-01, so those dates record when the indicator was catalogued rather than an activity window; only the handful of IPv4 entries dated earlier (back to 2024-09-26 for 152.32.138.167) carry an independent observation history.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | edoc.kr-info.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | 88q118.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | 88q858.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | login.account-kakao.dynv6.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | account-login.userauth.mydns.vc | 2026-06-01 | 2026-06-01 |
| DOMAIN | userauth.mydns.vc | 2026-06-01 | 2026-06-01 |
| DOMAIN | check-self.o-r.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | binfo.cert-dns.o-r.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndoc.nauthorize.r-e.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndoc.ntsdcom.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | nuser-login.pos26ps.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | n-cloud.police26cs.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | chromeupdate.mydns.vc | 2026-06-01 | 2026-06-01 |
| DOMAIN | store.online-kt.dynv6.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | store.auction.dynv6.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.gmbolkol.online | 2026-06-01 | 2026-06-01 |
| DOMAIN | email-verification.wavo4.v6.roc… | 2026-06-01 | 2026-06-01 |
| DOMAIN | doc-naver.x111a.dxavr1fqe8.dynv… | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndoc-pass.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.seclogistic.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.strangersduo.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.cloudbarfbag.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | edoc.nts-docview.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | htax-login.nts-kr.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | cp10523.epost-kr.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | dmf.ips-cert.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | jfzb.coupang.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | access.edoc.korea-app.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | kr-edoc.xubi.org | 2026-06-01 | 2026-06-01 |
| DOMAIN | zzddwzm.cn | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.puoios.o-r.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid-doc.naveira.tk | 2026-06-01 | 2026-06-01 |
| DOMAIN | redirect.abrdns.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nsign.hardsoft.nu | 2026-06-01 | 2026-06-01 |
| DOMAIN | nivercloud.d-n-s.name | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid-check.o-r.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndocreply.giize.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | mois-auth-log.ttl.ydns.eu | 2026-06-01 | 2026-06-01 |
| DOMAIN | skb375.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.desaindigital.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.lifepixeled.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.casepractice.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.techartsserver.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.corporateadworld.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.subsoniclabs.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | tablenote.dynv6.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | korbit.work.gd | 2026-06-01 | 2026-06-01 |
| DOMAIN | noreply.gov.ydns.eu | 2026-06-01 | 2026-06-01 |
| DOMAIN | chatai.trcipg.top | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.nmlist.p-e.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | nts-doc.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | nuser-login.nhl2vc.dynu.org | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid-login.tsx4is.dynuddns.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid-user.hdoc1ns.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | mail.appvpensan.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | paperless-korea.one | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.k-admin-portal.quest | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.secsettingcheck.quest | 2026-06-01 | 2026-06-01 |
| DOMAIN | read.security-kisa-info.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.confirm-userorder.biz | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.alarm-doc-review.site | 2026-06-01 | 2026-06-01 |
| DOMAIN | manage.cdn-verifying.homes | 2026-06-01 | 2026-06-01 |
| DOMAIN | request.my-epost-order.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | otp.er-edoc.ezgateway.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | login.nodc-view.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | mld.navers.mew-pol.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | view.ips-nifty.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | er-edoc.ezgateway.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.courter.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.adworldlog.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.naver.electricalone.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.ndoctax.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndoctax.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ninvoice.nusersec.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | nusersec.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | nchosedirect.connection.n-e.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | guider.serverpit.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | maincert.1cooldns.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.maincert.1cooldns.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid-session.govt.hu | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.ndoc-post.cloud-ip.cc | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndoc.nid-tax.abrdns.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | redirect-nid.pluv.kd0wcadw5v.dn… | 2026-06-01 | 2026-06-01 |
| DOMAIN | invoice-doc.tj5jw.rea5wljzgp.dn… | 2026-06-01 | 2026-06-01 |
| DOMAIN | digital-post.live | 2026-06-01 | 2026-06-01 |
| DOMAIN | official-notice.click | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.official-notice.click | 2026-06-01 | 2026-06-01 |
| DOMAIN | digital-notice-kr.sbs | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.digital-notice-kr.sbs | 2026-06-01 | 2026-06-01 |
| DOMAIN | public-revenue-info.biz | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.public-revenue-info.biz | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.urgent-notice-check.click | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.epdf-user-view.quest | 2026-06-01 | 2026-06-01 |
| DOMAIN | token.k-delivery-post.v6.rocks | 2026-06-01 | 2026-06-01 |
| DOMAIN | secure-delivery-net.v6.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | k-delivery-post.v6.rocks | 2026-06-01 | 2026-06-01 |
| DOMAIN | appleviewer.sbs | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.appleviewer.sbs | 2026-06-01 | 2026-06-01 |
| DOMAIN | inform.delivery-info-review.dns… | 2026-06-01 | 2026-06-01 |
| DOMAIN | delivery-info-review.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | edeliever-address-verify.biz | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.edeliever-address-verify.biz | 2026-06-01 | 2026-06-01 |
| DOMAIN | auth.notification-kmcc.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | notification-kmcc.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcoverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | nidlogins.ncodcnverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | navs.ncodcrverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcqverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcsverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcrverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | nid.ncodcrverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcuverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcvverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | nids.ncodcvverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.ncodcjverify.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncoddbverify.v6.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | nidlogin.apollo-page.r-e.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | ndilogin.apollo-page.r-e.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | 090.apollo-page.kro.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | www.mois-viewer.o-r.kr | 2026-06-01 | 2026-06-01 |
| DOMAIN | smubo-seurs.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | zbtnvpxgykzo.top | 2026-06-01 | 2026-06-01 |
| DOMAIN | bing-tost15.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | xpo.coupang.dns.navy | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.194.248.103 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.139.104 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.138.116 | 2026-06-01 | 2026-06-01 |
| IPv4 | 101.36.114.83 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.138.172 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.243.224 | 2026-06-01 | 2026-06-01 |
| IPv4 | 165.154.52.21 | 2026-06-01 | 2026-06-01 |
| IPv4 | 101.36.114.24 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.69.100 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.243.169 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.68.95 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.201.8 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.200.186 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.194.249.36 | 2026-06-01 | 2026-06-01 |
| IPv4 | 101.36.114.215 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.194.248.95 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.68.11 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.201.222 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.194.248.158 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.69.37 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.69.44 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.194.249.154 | 2026-06-01 | 2026-06-01 |
| IPv4 | 101.36.114.248 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.69.245 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.200.119 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.200.69 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.243.238 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.139.36 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.201.2 | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.138.131 | 2026-06-01 | 2026-06-01 |
| IPv4 | 123.58.201.34 | 2026-06-01 | 2026-06-01 |
| IPv4 | 118.193.68.242 | 2026-04-17 | 2026-06-01 |
| IPv4 | 152.32.138.146 | 2026-03-12 | 2026-06-01 |
| IPv4 | 152.32.243.178 | 2026-03-12 | 2026-06-01 |
| IPv4 | 152.32.138.167 | 2024-09-26 | 2026-06-01 |
| IPv4 | 152.32.138.158 | 2026-04-17 | 2026-04-17 |
| IPv4 | 152.32.138.225 | 2026-04-17 | 2026-04-17 |
| IPv4 | 118.193.68.25 | 2026-04-17 | 2026-04-17 |
| IPv4 | 118.194.248.246 | 2026-03-12 | 2026-03-12 |
| IPv4 | 152.32.243.215 | 2026-03-12 | 2026-03-12 |
| IPv4 | 118.193.69.19 | 2026-03-12 | 2026-03-12 |
| IPv4 | 101.36.114.231 | 2026-03-12 | 2026-03-12 |
| IPv4 | 101.36.114.66 | 2026-03-12 | 2026-03-12 |
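As an added worked example (editor's code, not from the report or its author), the script below turns the table above into the two things a SOC would actually run: an exact-match lookup against the listed domains and IPs, and a set of hunting patterns generalised from the naming conventions visible in the cluster (nid.naver.<other-domain> spoofing NAVER's login host, the ncod??verify one-letter-variant family, and lure keywords on a shared dynamic-DNS zone). The IOC rows embedded in the script are copied from the table; the DNS log lines are constructed for this example; the DYNDNS_ZONES list, the keyword list and the regexes are the editor's assumptions and produce leads to triage, not verdicts.

```python
"""Exact IOC matching plus pattern hunting built from the Kimsuky cluster's naming conventions.
Added example, not from the report: IOC rows are copied from its table, DNS log lines are
constructed, and DYNDNS_ZONES, LURE_KEYWORDS and HUNT_PATTERNS are the editor's assumptions."""
import ipaddress
import re
from collections import Counter

# Subset of the report's IOC table, header row included, to exercise the parser.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
| DOMAIN | nid.naver.seclogistic.com | 2026-06-01 | 2026-06-01 |
| DOMAIN | ncodcrverify.dns.navy | 2026-06-01 | 2026-06-01 |
| DOMAIN | htax-login.nts-kr.dns.army | 2026-06-01 | 2026-06-01 |
| DOMAIN | login.account-kakao.dynv6.net | 2026-06-01 | 2026-06-01 |
| DOMAIN | xpo.coupang.dns.navy | 2026-06-01 | 2026-06-01 |
| IPv4 | 152.32.138.167 | 2024-09-26 | 2026-06-01 |
| IPv4 | 152.32.138.146 | 2026-03-12 | 2026-06-01 |
| IPv4 | 118.193.68.242 | 2026-04-17 | 2026-06-01 |
"""

# Constructed resolver log, "<timestamp> <client> <queried name>". Not real traffic.
DNS_LOG = """\
2026-06-02T09:14:03Z 10.0.4.17 nid.naver.seclogistic.com
2026-06-02T09:14:05Z 10.0.4.17 nid.naver.com
2026-06-02T09:15:41Z 10.0.7.2 ncodczverify.dns.navy
2026-06-02T09:16:10Z 10.0.7.2 edoc.nts-reply.dns.army
2026-06-02T09:18:22Z 10.0.9.9 myhome.dynv6.net
"""

# Free dynamic-DNS / subdomain zones recurring in the table (editor's list); each zone is
# shared with legitimate users, so matching is always done on the full hostname.
DYNDNS_ZONES = {
    "dns.army", "dns.navy", "dynv6.net", "mydns.vc", "o-r.kr", "r-e.kr", "p-e.kr",
    "n-e.kr", "kro.kr", "ydns.eu", "v6.rocks", "v6.army", "d-n-s.name", "work.gd",
    "cloud-ip.cc", "dynu.org", "dynuddns.com", "giize.com", "1cooldns.com", "abrdns.com",
}

# Lure vocabulary seen across the cluster: Korean login, document, delivery and government themes.
LURE_KEYWORDS = re.compile(
    r"doc|login|auth|verify|nid|tax|epost|delivery|cert|notice|naver|kakao|coupang|police|mois|kisa"
)

# Editor's generalisation of two naming conventions; a hit is a hunting lead, not a verdict.
HUNT_PATTERNS = {
    # nid.naver.<anything but com>: spoofs NAVER's real login host nid.naver.com
    "naver-login-spoof": re.compile(r"^nid\.naver\.(?!com$)[^.]+(\.[^.]+)+$"),
    # ncodcoverify, ncodcrverify, ncoddbverify, ...: two-letter-variant family
    "ncod-verify-family": re.compile(r"(^|\.)ncod[a-z]{2}verify\."),
}

def parse_ioc_table(text):
    """Parse markdown rows '| TYPE | value | first | last |' into (domains, ipv4s); skips headers."""
    domains, ips = set(), set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        kind, value = cells[0].upper(), cells[1].lower()
        if kind == "DOMAIN":
            domains.add(value)
        elif kind == "IPV4":
            ips.add(value)
    return domains, ips

def dyndns_zone(host):
    """Return the shared dynamic-DNS zone a hostname sits under, or None."""
    labels = host.lower().rstrip(".").split(".")
    zone = ".".join(labels[-2:])
    return zone if len(labels) > 2 and zone in DYNDNS_ZONES else None

def hunt_matches(host):
    """Names of the cluster naming patterns a hostname matches (empty list if none)."""
    host = host.lower().rstrip(".")
    hits = [name for name, rx in HUNT_PATTERNS.items() if rx.search(host)]
    zone = dyndns_zone(host)
    # Only the attacker-controlled prefix is searched; the zone name itself never triggers.
    if zone and LURE_KEYWORDS.search(host[: -len(zone) - 1]):
        hits.append("dyndns-lure:" + zone)
    return hits

def summarize_ip_ranges(ips):
    """Count IOC IPs per /24: dense blocks are the hosting ranges worth watching."""
    return dict(Counter(str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips))

def triage_dns_log(log_text, domains):
    """Return one record per queried name that is an exact IOC or a pattern lead."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in domains:
            verdict = "ioc-exact"
        else:
            leads = hunt_matches(qname)
            verdict = "lead:" + ",".join(leads) if leads else None
        if verdict:
            hits.append({"ts": ts, "client": client, "qname": qname, "verdict": verdict})
    return hits
```

Run it as `domains, ips = parse_ioc_table(IOC_TABLE)` followed by `triage_dns_log(DNS_LOG, domains)`: on the constructed log, nid.naver.seclogistic.com comes back as an exact IOC, ncodczverify.dns.navy (not in the table) and edoc.nts-reply.dns.army surface as pattern leads, and nid.naver.com and myhome.dynv6.net produce nothing, which is the point of keying the dynamic-DNS check on the full hostname rather than the zone. Exact hits can go straight to blocking; leads belong in a triage queue, and the zone and keyword lists need maintaining as the cluster's naming drifts.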