Why Is a North Korean Mail Server Using a .cc Domain?
2026-01-27 • Synaptic Security
Public reconnaissance of North Korean mail infrastructure found reachable Postfix SMTP services for star-co.net.kp and silibank.net.kp on typical mail ports. The Star-CO servers presented a self-managed certificate issued by a North Korean StarJV Certificate Authority, but the certificate subject used mail.nisp.cc rather than a .kp routing domain. The certificate and SMTP configuration showed unusual operational signals, including an X.509 v1 certificate, primitive serial numbering, multiple identities on one host, enabled VRFY and ETRN, a non-standard SMTP extension, and a 10 GB SMTP SIZE limit on active Star-CO servers. The findings matter for DPRK infrastructure tracking because they expose externally reachable mail services, recent certificate and domain activity, and possible design choices separating routing identity from cryptographic identity.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 175.45.178.55 | 2026-01-27 | 2026-03-10 |
| DOMAIN | star-co.net | 2014-08-27 | 2026-03-10 |
| EMAIL | [email protected]… | 2026-01-27 | 2026-01-27 |
| EMAIL | [email protected] | 2026-01-27 | 2026-01-27 |
| DOMAIN | mail.star-co.net | 2026-01-27 | 2026-01-27 |
| DOMAIN | smtp1.star-co.net | 2026-01-27 | 2026-01-27 |
| DOMAIN | juming.com | 2026-01-27 | 2026-01-27 |
| IPv4 | 175.45.178.57 | 2026-01-27 | 2026-01-27 |
| IPv4 | 175.45.178.56 | 2026-01-27 | 2026-01-27 |
| IPv4 | 175.45.177.33 | 2026-01-27 | 2026-01-27 |
| DOMAIN | ryongnamsan.edu | 2018-01-08 | 2026-01-27 |
| DOMAIN | silibank.net | 2014-08-27 | 2026-01-27 |
| DOMAIN | smtp.star-co.net | 2014-08-27 | 2026-01-27 |
| DOMAIN | mail.silibank.net | 2014-08-27 | 2026-01-27 |