# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: APT-C-55, Black Banshee, Velvet Chollima, TA427

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic URL-path trails, not tied to a single host (also seen in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net
nid2-naver-com.medianewsonline.com
smalldeal.mypressonline.com

# Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks
# Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208
# Reference: https://twitter.com/blackorbird/status/1164370375490228224

alone-service.work
app-support.work
check-up.work
com-main.work
doc-view.work
login-confirm.work
member-service.work
minner.work
short-line.work
sub-state.work
web-line.work

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

rnailr.com

# Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf
# Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b

accounted.top
acounts.work
ahooc.com
alive-user.work
alone-service.work
app-house.online
app-main.site
app-support.site
app-support.work
check-line.site
check-operation.site
check-up.work
client-mobile.work
confirm-main.work
dounn.net
dovvn-mail.com
drog-service.com
eposcard.co
first-state.work
gstaticstorage.com
heehorse.com
hotrnall.co
imap-login.com
inbox-mail.work
inbox-yahoo.com
lh-login.com
lh-logs.com
lh-yahoo.com
local-link.work
log-yahoo.com
login-confirm.site
login-confirm.work
login-history.pw
login-sec.com
login-use.com
login-yahoo.info
logins-yahoo.com
mail-down.com
mail-inc.work
mail-service.win
mailseco.com
main-line.work
main-service.site
main-support.work
matmiho.com
member-service.work
message-inbox.work
minner.work
mobile-device.site
mobile-phone.work
myprivacy.work
net-policies.work
old-version.work
online-support.work
open-auth.work
options.work
page-view.work
phlogin.com
profile-setting.work
protect-com.work
protect-mail.work
protect-main.site
retry-confirm.com
script-main.site
sec-line.work
sec-live.com
set-login.com
setting-main.work
share-check.site
short-line.work
sign-in.work
srnbc-card.com
user-account.link
user-accounts.net
user-service.link
user-service.work
viewetherwallet.com
wallet-vahoo.com
weak-online.work
web-info.work
web-mind.work
web-online.work
web-rain.work
web-state.work
web-store.work
yah00.work
yrnall.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901
# Reference: https://blog.alyac.co.kr/2538 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df

joelwisian.com
reunionhomesok.com

# Reference: https://twitter.com/blackorbird/status/1178497550938034177

eoplus.co.kr/board/pressed/
eoplus.co.kr/board/presset/

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786

c-naver.com
daum-center.net
rrnaver.com
udaum.net
account-google.member-authorize.com
user-manage-center.hol.es
user-daum-center.pe.hu
user-protect-center.pe.hu
naiei-aldiel.16mb.com
nid-protect-team.pe.hu
nid-management-team.890m.com
oeks39402.890m.com
vkcxvkweo.96.lt

# Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666

clouds.scienceontheweb.net

# Reference: https://twitter.com/spider_girl22/status/1191306963369353216

online---shop.atwebpages.com

# Reference: https://blog.alyac.co.kr/2645 (Korean)
# Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b

member-view-center.esy.es
primary-help.esy.es
ago2.co.kr/bbs/data/dir/F.php
antichrist.or.kr/data/cheditor/dir1/F.php
gyjmc.com/board/data/cheditor/dir1/F.php

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

antichrist.or.kr/data/cheditor/dir1/lyric64
batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png
jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php
jonashartley.com/hilaryolsen/wp-admin/network/run.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php
jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php
happy-new-year.esy.es
safe-naver-mail.pe.hu

# Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
# Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5

accounting-microsofft.epizy.com
csdaum-help.esy.es
daum-account-login.esy.es
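# NOTE(review): the entry below looks like two trails run together (daum-account-login.esy.es and oeks39402.890m.com, both already listed on their own in this file) - verify against the reference, then split or drop it
daum-account-login.esy.esoeks39402.890m.com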
daum-account-signin.pe.hu
daum-login-protect.hol.es
daum-setting.hol.es
daum-stting.hol.es
daumlogin.esy.es
gyjmc.com
mail-customer-safety-center.hol.es
mail-kinu.hol.es
mail-naver-protect.hol.es
mail.naver.comuf.com
member-authorize.com
member-daum-regist.hol.es
member-view-center.esy.es
memver-view-center.esy.es
nager-relogin-security.96.lt
naiei-ldel.16mb.com
naver-password.esy.es
naver-security-mail.96.lt
naverhelp.esy.es
naverkorea.esy.es
naverlogin.esy.es
nid-mail.pe.hu
nid-management-team.890m.com
nid-protect-team.pe.hu
primary-help.esy.es
protect-yahoo-teeam.000webhostapp.com
security-mail-daum.000webhostapp.com
snu-mail-ac-kr.esy.es
suppcrt-seourity.esy.es
uefa2018.000webhostapp.com
user-daum-center.pe.hu
user-management-center.hol.es
user-protect-center.pe.hu
vkcxvkweo.96.lt
webrnail-kinu.hol.es

# Reference: https://twitter.com/anyrun_app/status/1115513990711521280
# Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection

185.224.137.164:21

# Reference: https://twitter.com/cyberwar_15/status/1227709181605613569

happy-boy.pe.hu

# Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
# Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d

ago2.co.kr/bbs/data/tmp
aiyac-updaite.hol.es
daum-center.net
embed-helper.esy.es
er-manage-center.hol.es
finale-jack.esy.es
kakao-check.esy.es
my-homework.890m.com
naver-mail-com.hol.es
nid-protect-team.pe.hu
nid-yyanagemeniteam.890m.com
nortice-centre.esy.es
oeks39402.890m.com
rrnaver.com
simple-hick.esy.es
suppcrt-seourity.esy.es
udaum.net
upgradesrv.890m.com
user-daum-center.pe.hu
user-manage-cenier.nol.es
user-protect-center.pe.hu

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

ddlove.kr/bbs/dta/1

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

ago2.co.kr/bbs/data/dir

# Reference: https://twitter.com/cyberwar_15/status/1230093739554557953

pingball.mygamesonline.org

# Reference: https://twitter.com/spider_girl22/status/1233198285747154944
# Reference: https://twitter.com/cyberwar_15/status/1241591674255446016
# Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/

nagoya.datastore.pe.hu
suzuki.datastore.pe.hu
toyota.datastore.pe.hu

# Reference: https://blog.alyac.co.kr/2737 (Korean)

mernberinfo.tech

# Reference: https://twitter.com/cyberwar_15/status/1232989735011794945
# Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection
# Reference: https://twitter.com/spider_girl22/status/1234761655214493697
# Reference: https://twitter.com/cyberwar_15/status/1240677656451899394
# Reference: https://twitter.com/Timele9527/status/1240620534468997125

all200.mireene.com
crphone.mireene.com
jmable.mireene.com
jmdesign.mireene.com
nhpurumy.mireene.com
orblog.mireene.com
sgmedia.mireene.com
vnext.mireene.com

# Reference: https://twitter.com/Timele9527/status/1240123132419223554

mybobo.mygamesonline.org

# Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513

saemaeul.mireene.com

# Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977

rolls-royce-love.890m.com

# Reference: https://twitter.com/VK_Intel/status/1257243399742251010

upload.bigfile.hol.es

# Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136

gotoclean.com.co
ricefarm.kr/bbs/st/expres.php

# Reference: https://twitter.com/cyberwar_15/status/1266553918454067201
# Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean)

com-download.work

# Reference: https://twitter.com/cyberwar_15/status/1268073043365990401

part.bigfile.pe.hu

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

boaz.kr/skin/member/basic/css/cross.php
boaz.kr/skin/member/basic/css/report.php
boaz.kr/skin/member/log/cross.php
boaz.kr/skin/member/log/pre.hta
boaz.kr/skin/member/log/report.php
boaz.kr/skin/member/log/suf.hta

# Reference: https://twitter.com/XOR_Hex/status/1273023258535886848

dept-dp.lab.hol.es

# Reference: https://twitter.com/cyberwar_15/status/1273435333430935552

gbxhd.org-help.com

# Reference: https://twitter.com/ccxsaber/status/1273804166612135940

security-confirm.bmail-org.com

# Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852

finalist.org-help.com

# Reference: https://twitter.com/cyberwar_15/status/1275368364819410950

foxhunter.getenjoyment.net
korea.getenjoyment.net
pootball.getenjoyment.net

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

attachchosun.atwebpages.com

# Reference: https://twitter.com/ccxsaber/status/1278941222166380545

lovelovelove.atwebpages.com

# Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824

bascetball.atwebpages.com

# Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776
# Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection

pingguo5.atwebpages.com

# Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/

foxonline123.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1296301860312084482

jongjin.000webhostapp.com

# Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905
# Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection

portable.epizy.com

# Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773

account-protect.work
account-viewer.work
com-active.work
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
default.tokyo
desk-top.work
doc-view.pw
dorey.work
dutaley.work
exiweng.work
idiolos.work
intemet.work
jp-sec.pw
jp-ssl.work
kinac.work
net-sec.pw
org-view.pw
org-view.work
org-vip.work
org-vps.work
poulsen.work
robezo.work
rtyuio.work
sslport.work
sslserver.work
ssltop.work
taplist.work
tlsmain.work
unrepong.work
verdall.xyz
vpstop.work
webmain.work

# Reference: https://twitter.com/cyberwar_15/status/1313175039307476993

daumcleaner.mywebcommunity.org
naver.mywebcommunity.org
workcrafter.mywebcommunity.org

# Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841
# Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection

goldbin.myartsonline.com

# Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824
# Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297

hdac-wallet.com
kasse-v1.hdac-wallet.com
update.hdac-tech.com
wallet.hdac-tech.com

# Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600
# Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection

general-second.org-help.com

# Reference: https://us-cert.cisa.gov/ncas/alerts/aa20-301a
# Reference: https://otx.alienvault.com/pulse/5f9856f8655cfd07338c8e83

account.daum.unikftc.kr
account.daum.unikortv.com
account.daurn.pe.hu
amberalexander.ghtdev.com
beyondparallel.sslport.work
bigfile.pe.hu
cdaum.pe.hu
cloudmail.cloud
cloudnaver.com
coinone.co.in
com-download.work
com-option.work
com-ssl.work
com-sslnet.work
com-vps.work
comment.poulsen.work
cooper.center
csnaver.com
daum.net.pl
daum.unikortv.com
daurn.org
daurn.pe.hu
demand.poulsen.work
dept-dr.lab.hol.es
downloadman06.com
dubai-1.com
eastsea.or.kr
gloole.net
help-navers.com
help.unikoreas.kr
helpnaver.com
hogy.desk-top.work
impression.poulsen.work
intemet.work
intranet.ohchr.account-protect.work
jonga.ml
jp-ssl.work
kooo.gq
loadmanager07.com
login.bignaver.com
login.daum.kcrct.ml
login.daum.net-accounts.info
login.daum.unikortv.com
login.outlook.kcrct.ml
mail.unifsc.com
mailsnaver.com
member-authorize.com
member.daum.uniex.kr
member.daum.unikortv.com
member.navier.pe.hu
msdatl3.inc
msolui80.inc
myaccount.nkaac.net
myaccounts.gmail.kr-infos.com
myetherwallet.co.in
myetherwallet.com.mx
naver.co.in
naver.com.cm
naver.com.de
naver.com.ec
naver.com.mx
naver.com.pl
naver.com.se
naver.cx
naver.hol.es
naver.koreagov.com
naver.onegov.com
naver.pw
naver.unibok.kr
naverdns.co
net.tm.ro
nid.naver.com.se
nid.naver.corper.be
nid.naver.onektx.com
nid.naver.unibok.kr
nid.naver.unicrefia.com
nidlogin.naver.corper.be
nidnaver.email
nidnaver.net
ns.onekorea.me
nytimes.onekma.com
org-vip.work
preview.manage.org-view.work
pro-navor.com
read-hanmail.net
read-naver.com
read.tongilmoney.com
resetprofile.com
resultview.com
riaver.site
sankei.sslport.work
securetymail.com
servicenidnaver.com
smtper.cz
smtper.org
sslserver.work
ssltop.work
statement.poulsen.work
sts.desk-top.work
taplist.work
tiosuaking.com
top.naver.onekda.com
usernaver.com
view-hanmail.net
view-naver.com
vilene.desk-top.work
vpstop.work
webmain.work
webuserinfo.com
ww-naver.com

# Reference: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
# Reference: https://www.cyberscoop.com/north-korea-espionage-kimsuky-cybereason/
# Reference: https://otx.alienvault.com/pulse/5fa029ed2e8d9de384c74f26

csv.posadadesantiago.com/home/up.php?id=
csv.posadadesantiago.com/home?act=news&id=
csv.posadadesantiago.com/home?id=
myaccounts.posadadesantiago.com/test/Update.php?wShell=
wave.posadadesantiago.com/home/dwn.php?van=

# Reference: https://blog.alyac.co.kr/3352 (Korean)
# Reference: https://otx.alienvault.com/pulse/5fa1bb282c5efd7327b229a6

xeoskin.co.kr/wp/wp-includes/SimplePie/Net/

# Reference: https://twitter.com/cyberwar_15/status/1327040440189607936
# Reference: https://twitter.com/cyberwar_15/status/1327045373781635072
# Reference: https://twitter.com/cyberwar_15/status/1327403605825970176
# Reference: https://twitter.com/cyberwar_15/status/1327403626118094848

accountcheck.net
app.veryton.ml
appmedicine.whoint.cf
astrozeneca.ml
bidmc.accountcheck.net
daumi.club
daurn.ga
dup.photo.oiiio.ga
email-hanwha.pe.hu
genexine.member-info.net
jnj.accountcheck.net
kaist.r-naver.com
kari.gq
kimm.r-naver.com
krnvc.ga
logins.daumi.club
logins.daurn.ga
love.krnvc.ga
mail.astrozeneca.ml
member-info.net
oiiio.ga
on.color.oiiio.ga
r-naver.com
shinpoong.accountcheck.net
shinpoong.r-naver.com
shkj.hol.es
veryton.ml
webmail.kari.gq
whoint.cf

# Reference: https://twitter.com/RedDrip7/status/1329628989699235840
# Reference: https://otx.alienvault.com/pulse/5fb804ac581df7fe4f35bfd6
# Reference: https://www.virustotal.com/gui/file/9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027/detection

pelebra.atwebpages.com

# Reference: https://twitter.com/jfslowik/status/1330611004456067073

asia-studies.net
itamaraty.net
midsecurity.org
netsecurityservice.com
securitycounci1report.org

# Reference: https://twitter.com/cyberwar_15/status/1332300116179312640

bidmc.accountcheck.net
genexine.member-info.net
jnj.accountcheck.net
shinpoong.accountcheck.net
shinpoong.r-naver.com

# Reference: https://twitter.com/cyberwar_15/status/1333181928606814211

daumusercenter.web.app

# Reference: https://twitter.com/cyberwar_15/status/1333767468473487363

autoway.huyndai.ml
huyndai.ml

# Reference: https://twitter.com/Timele9527/status/1333971180290592769

documentserver.site

# Reference: https://twitter.com/h2jazi/status/1339226171272286209
# Reference: https://blog.alyac.co.kr/3458 (Korean)
# Reference: https://otx.alienvault.com/pulse/5fdbc57a744937101f4f9adc

hahae.co.kr/new3/ISAF/Libs/php/cross.php

# Reference: https://twitter.com/RedDrip7/status/1336258913323216896
# Reference: https://www.virustotal.com/gui/file/1909010c264328edaf24cc2804d4f046aabd3c59de45e1d295d4155eb466d753/detection

price365.co.kr/abbi/json/ps/aa.php

# Reference: https://twitter.com/cyberwar_15/status/1343610577894088704
# Reference: https://www.virustotal.com/gui/ip-address/27.255.79.204/relations

bkl-co.ml
conm.ga
covision.tk
dongguk.ml
edongwon.ml
edongyang.ml
ejnuac.ml
ekecc.ml
ekoreapetroleum.ml
eland.ml
enepa.cf
esmec.ml
gwdeuac.ml
gwpancon.ml
imperial.fit
kangwon.ml
kccworld.ml
kyungnam.ml
kyungnam.tk
kyungshin.ml
leeko.ml
maeil.ml
miraeasset.ml
naver.srl
nexaemc.ml
nh-amundi.ml
onestorecorp.ml
s-food.ml
samyang.ml
sejonggroup.ml
slworld.cf
sogang.ml
tlbu.ml
webnaver.srl
wonik.ml
yncc.ml
zdnet.ga
email.dongwon.ml
email.dongyang.ml
email.jnuac.ml
email.kecc.ml
email.koreapetroleum.ml
email.nepa.cf
ext.imperial.fit
gwmail.deuac.ml
gwmail.pancon.ml
mail.bkl-co.ml
mail.conm.ga
mail.covision.tk
mail.dongguk.ml
mail.eland.ml
mail.esmec.ml
mail.kangwon.ml
mail.kccworld.ml
mail.kyungnam.ml
mail.kyungnam.tk
mail.kyungshin.ml
mail.leeko.ml
mail.maeil.ml
mail.miraeasset.ml
mail.naver.srl
mail.nh-amundi.ml
mail.onestorecorp.ml
mail.s-food.ml
mail.samyang.ml
mail.sejonggroup.ml
mail.slworld.cf
mail.sogang.ml
mail.tlbu.ml
mail.wonik.ml
mail.yncc.ml
mail.zdnet.ga
nidlogin.naver.srl
nmail.exaemc.ml
webmail.naver.srl

# Reference: https://twitter.com/cyberwar_15/status/1345704290069876736

karist.cf
kaist-ac.xyz
krfa.ml
veryton.ml
kaist.krfa.ml
kaist-ac.xyz
mail.kaist-ac.xyz
vpn.karist.cf
app.veryton.ml

# Reference: https://twitter.com/h2jazi/status/1347225069890789376
# Reference: https://www.virustotal.com/gui/file/18ee06625f7bddadafa8c256d63a123f4e69d5488f88828052fd7803b3aa8b3b/detection

cwda.co.kr/theme/basic/skin/new/basic/update/

# Reference: https://twitter.com/AnonySecAgency/status/1350988738973884418
# Reference: https://www.virustotal.com/gui/file/fd740b70649f06269bf8fe2d0d4fdd87d99606a7a666c4f6a2fc89bee70b6649/detection

connectter.atwebpages.com

# Reference: https://twitter.com/cyberwar_15/status/1352117474943135745
# Reference: https://twitter.com/cyberwar_15/status/1352117964527423490
# Reference: https://www.virustotal.com/gui/ip-address/121.78.88.85/relations

attach.ddns.net
bigfile-naver.servepics.com
cafe-daum.ddns.net
naver.serveblog.net
naver.servehttp.com

# Reference: https://twitter.com/ShadowChasing1/status/1358713278390673408
# Reference: https://www.virustotal.com/gui/file/39bd6b689b02d6dee329131a51aa09301889faf5698eeac0d02aef0ba47cf024/detection
# Reference: https://www.virustotal.com/gui/file/a8820cc75cd580c8eda747931eb36f5943cece48ba720af9771cf16490a78aa6/detection

reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php

# Reference: https://twitter.com/ShadowChasing1/status/1362575412539183115
# Reference: https://www.virustotal.com/gui/file/115b9bf1c6f6040248dfa1a77044143dc318e3712ad613a022b4cced6007906f/detection

anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm

# Reference: https://twitter.com/AnonySecAgency/status/1366948179762024449
# Reference: https://www.virustotal.com/gui/file/73476d8ed35d6bbdaab3e7a17de7668af3860e994ac59107ecbe1aba7e40ace1/detection
# Reference: https://www.virustotal.com/gui/file/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690/detection

monkey.funnystory.tech
seoul.lastpark.life

# Reference: https://twitter.com/ShadowChasing1/status/1368827485253627907
# Reference: https://www.virustotal.com/gui/file/e46887db62f3ee5583587531358e1b70cc8a171067fa4e1ae3e6693f7f9fc938/detection

koreacit.co.kr/skin/

# Reference: https://twitter.com/ShadowChasing1/status/1372464570183208961
# Reference: https://www.virustotal.com/gui/file/50d826640cc9ba66b789f0823f04308178b435f7eb39021bf7861061849f7efd/detection

inonix.co.kr/kor/board/widgets/mcontent/skins/tmp

# Reference: https://twitter.com/ShadowChasing1/status/1372537353311449091

waels.onlinewebshop.net/st/

# Reference: https://twitter.com/Xxx_8885/status/1373888922179170305
# Reference: https://twitter.com/Xxx_8885/status/1373889297414123521
# Reference: https://www.virustotal.com/gui/file/a030873cf5a9b8c76740a1ba9a4d28fc7acf4ce71ebebbe33a46be372f551004/detection
# Reference: https://www.virustotal.com/gui/file/a56163d758cd4a0a00e0991b7a4aecab35fdecb59df6d1821488826f8b37d7b9/detection
# Reference: https://www.virustotal.com/gui/file/e532685d362475dd3dec1aacedff87c7b32ec3573714a9f56ac87905fa13d66c/detection
# Reference: https://www.virustotal.com/gui/file/00bbab408dbc5c1a95143f75c282a74dddd5a87df533d7d198c1fc7eb2138269/detection
# Reference: https://www.virustotal.com/gui/file/a2465f753ff409cbd036cc0235704e3f49d9a52b8e4e2bc812428d7c8ea6f32b/detection

http://200.200.200.200/test/v.php
eucie091.myartsonline.com
eucie09111.myartsonline.com
ftcpark59.getenjoyment.net

# Reference: https://twitter.com/blackorbird/status/1377218251344633856
# Reference: https://twitter.com/RedDrip7/status/1377217232573321220

policy.webofknowledg.com
usamilitarysavings.webofknowledg.com
webofknowledg.com

# Reference: https://twitter.com/ShadowChasing1/status/1377841916948082689
# Reference: https://www.virustotal.com/gui/file/873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd/detection
# Reference: https://www.virustotal.com/gui/file/4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211/detection

pcsecucheck.scienceontheweb.net

# Reference: https://twitter.com/ShadowChasing1/status/1377900770629099530
# Reference: https://www.virustotal.com/gui/file/3dd9628b3f92a1f8c340e546343c1c1448de94212a9c19e83cae661eba2d1b37/detection

beilksa.scienceontheweb.net

# Reference: https://twitter.com/mg2_tracy1/status/1379269472926638081
# Reference: https://www.virustotal.com/gui/file/b89e79ee9c4834177cbabba9b265910a6a55c7defd2863cc1699753dbfa342b8/detection

baboivan.scienceontheweb.net

# Reference: https://twitter.com/h2jazi/status/1380510153397637127
# Reference: https://www.virustotal.com/gui/file/e6f0d7e114c04017b07f321ba4df440ff55718ef451b1a3cb0f1c0856bd1c86e/detection

pc.ac-kr.esy.es

# Reference: https://twitter.com/ShadowChasing1/status/1382509560179531782
# Reference: https://www.virustotal.com/gui/file/e7fae41c0bd8d3d95253bd75dce99015599ecc404bd8d737cec305fc3e4dd018/detection

wbg0909.scienceontheweb.net

# Reference: https://twitter.com/AnonySecAgency/status/1383241650319683590
# Reference: https://www.virustotal.com/gui/file/92b9933f3477241ffd92d0f76ef0dcf46730209a1ecab7eceb399d540530799f/detection

cuinm.huikm.kro.kr

# Reference: https://twitter.com/HONKONE_K/status/1386152816545128450
# Reference: https://www.virustotal.com/gui/file/4252c0b130be39bf2258c84c436c17babfd650b6d665ac6c4e050f87fe34e46e/detection

pootball.medianewsonline.com

# Reference: https://twitter.com/ShadowChasing1/status/1388522768111656963
# Reference: https://www.virustotal.com/gui/file/f8e972a26117bd14f5ec4dca9de0244d0bfd29bbbfd9104b2ccdc49fa93416d8/detection

ikpoo.cf
onedrive-upload.ikpoo.cf

# Reference: https://twitter.com/ShadowChasing1/status/1388529890614341635
# Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection

riseknite.life
download.riseknite.life

# Reference: https://mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w

travelmountain.ml
alps.travelmountain.ml

# Reference: https://twitter.com/h2jazi/status/1390734706103234561
# Reference: https://twitter.com/ShadowChasing1/status/1391620287024668679
# Reference: https://www.virustotal.com/gui/file/622cb6a772b0034f741aa58a50f1155a2a4240021c929d90fbed4182877fa579/detection
# Reference: https://www.virustotal.com/gui/file/2ed6b0e116a50ee9be7ac74b7be0e73ac4aeb15ddb9b42a1db5bcfba4dccdead/detection

mechapia.com/_admin/nicerlnm/web/style/list.php
mechapia.com/_admin/nicerlnm/web/style/css/

# Reference: https://twitter.com/ShadowChasing1/status/1391618560753999872
# Reference: https://twitter.com/ShadowChasing1/status/1391622743146188800
# Reference: https://www.virustotal.com/gui/file/2365a48f7d6cf6dcc83195f06ea11b93c955c3a491c60b50ba42788917ba22e2/detection
# Reference: https://www.virustotal.com/gui/file/fa4d05e42778581d931f07bb213389f8e885f3c779b9b465ce177dd8750065e2/detection
# Reference: https://www.virustotal.com/gui/file/2c796053053a571e9f913fd5bae3bb45e27a9f510eace944af4b331e802a4ba0/detection

chollian.ml
daom.ml
daum-accounts.cf
gmail-account.gq
gmrail.ml
grnail-login.ml
kisa-security.cf
letterpaper.press
live-sign.ml
natesec-page.ml
naver-security.cf
navor.ml
pcjindustries.com
riseknite.life
secure-dm.tk
seoul-kor.ml
seoul-kor.tk
travelmountain.ml
alps.travelmountain.ml
check.kisa-security.cf
download.riseknite.life
login.daum-accounts.cf
login.gmail-account.gq
login.live-sign.ml
login.natesec-page.ml
login.secure-dm.tk
logins.daom.ml
logins.daum-accounts.cf
new.seoul-kor.ml
nid-nav.navor.ml
nids.naver-security.cf
nids.navor.ml
outlook.seoul-kor.tk
signin.chollian.ml
signin.gmrail.ml
signin.grnail-login.ml
texts.letterpaper.press
webmail.pcjindustries.com

# Reference: https://twitter.com/sS55752750/status/1391765099992453125

flagguarder.site
glow.flagguarder.site

# Reference: https://twitter.com/h2jazi/status/1392128092840284164
# Reference: https://www.virustotal.com/gui/file/85847cad7f57db4534634d51f7e2c74a23719fcf74c891872d98e7c921f0fd56/detection

rukagu.mypressonline.com

# Reference: https://twitter.com/cyberwar_15/status/1392376928624013312

daum-attach.ddns.net

# Reference: https://twitter.com/ShadowChasing1/status/1392284742163206146

yes24-mart.pe.hu

# Reference: https://twitter.com/ShadowChasing1/status/1394911946118295553
# Reference: https://twitter.com/ShadowChasing1/status/1394911948353859585
# Reference: https://www.virustotal.com/gui/file/9ba5266d806df037acb1144836c21b70c5fc0aa6820d2ce07ee28accdff6c9bf/detection

follcdn.myartsonline.com
sima.atspace.tv

# Reference: https://twitter.com/ShadowChasing1/status/1395684553507840003

yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php

# Reference: https://twitter.com/h2jazi/status/1395782753765974023

samsoding.homm7.gethompy.com/plugins/dropzone/min/css/list.php

# Reference: https://twitter.com/m0br3v/status/1399637361697378306
# Reference: https://twitter.com/ShadowChasing1/status/1399753970839547910
# Reference: https://www.virustotal.com/gui/file/fe1a734019f0dc714bd3360e2369853ea97c02f108afe963769318934470967b/detection

at-me.ml
kt1kreate.cf
ahn-lab.cf
snubh.r-e.kr
shore.ml
snu-h.ml
kumb.cf
naver-login.cf
naver-check.ml
snuh.r-e.kr
app.at-me.ml
sms.kt1kreate.cf
v3.ahn-lab.cf
mail.snubh.r-e.kr
anto.shore.ml
smtp.snu-h.ml
mail.kumb.cf
help.naver-login.cf
mail.naver-check.ml
mail.snuh.r-e.kr

# Reference: https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
# Reference: https://otx.alienvault.com/pulse/60b66cda1f2d210aa677cfbe

gmail-account.gq
gmrail.ml
goggle.hol.es
googgle.kro.kr
google-manager.ga
google-signin.ga
grnail-login.ml
grnail-signin.ga
grnail-signing.work
ikpoo.cf
kr-infos.com
letterpaper.press
microsoft-office.us
mygoogle-signin.ga
mygrnail-security.work
mygrnail-signin.ga
mygrnail-signing.work
riseknite.life
travelmountain.ml
account.googgle.kro.kr
account.grnail-signin.ga
accounts.goggle.hol.es
accounts.google-manager.ga
accounts.google-signin.ga
accounts.grnail-signin.ga
accounts.grnail-signing.work
alps.travelmountain.ml
download.riseknite.life
login.gmail-account.gq
login.gmeil.kro.kr
myaccount.google-signin.ga
myaccount.google.newkda.com
myaccount.google.nkaac.net
myaccount.grnail-security.work
myaccount.grnail-signin.ga
myaccount.grnail-signing.work
myaccounts-gmail.autho.co
myaccounts-gmail.kr-infos.com
myaccounts.grnail-signin.ga
ns1.microsoft-office.us
ns2.microsoft-office.us
onedrive-upload.ikpoo.cf
protect.grnail-signin.ga
signin.gmrail.ml
signin.grnail-login.ml
texts.letterpaper.press
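# NOTE(review): the entry below resembles the Windows Script Host call WScript.Shell Run picked up from script text rather than a hostname - possibly an extraction artefact; verify against the reference before alerting on it
wscript.shell.run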

# Reference: https://twitter.com/360CoreSec/status/1401863232835383302
# Reference: https://www.virustotal.com/gui/file/811b42bb169f02d1b0b3527e2ca6c00630bebd676b235cd4e391e9e595f9dfa8/detection

alyssalove.getenjoyment.net
smyun0272.blogspot.com

# Reference: https://twitter.com/ShadowChasing1/status/1402239834819743746
# Reference: https://www.virustotal.com/gui/file/934731692b12fd182acbc698dd3f8ef59984aa4e7ef56e124f9851852878817e/detection

manct.atwebpages.com

# Reference: https://twitter.com/h2jazi/status/1402267704610988033
# Reference: https://www.virustotal.com/gui/file/c362b4cb60edfa5bf17123845e59311335b03139d77ec27b9a9ffb7b31e60154/detection

quarez.atwebpages.com

# Reference: https://twitter.com/arphanetx/status/1403765541739941889
# Reference: https://www.virustotal.com/gui/file/9dac6553b89645ac8d9e0a3dc877d12641e6d05fb52e8de6ae5533b2bdf0abc9/detection

pollor.p-e.kr

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/Kimsuky%20APT%20Group%20targeted%20on%20South%20Korean%20defense%20and%20security%20departments.pdf

amikbvx.cf
at-me.ml
atooi.ga
bnmvg.cf
daum-or.ml
daum-vpn.ml
daums.cf
dmaccount.ml
gommi.ml
kakaoo.ml
kititi.ga
kumb.cf
may3.cf
nate-on.ml
nate-or.ga
naver-check.ml
onehappy.ml
outlookin.ml
pamik.cf
shore.ml
uhuioo.cf
wowow.ga
xdtgh.ga
yes24-mart.pe.hu
admin.daum-or.ml
anto.shore.ml
ao.nate-on.ml
app.at-me.ml
app.gommi.ml
apple.may3.cf
auth.daum-or.ml
dnhji.bnmvg.cf
exchange.amikbvx.cf
gate.uhuioo.cf
gom.kititi.ga
helper.onehappy.ml
imap.pamik.cf
mail.daums.cf
mail.dmaccount.ml
mail.kakaoo.ml
mail.kumb.cf
mail.naver-check.ml
mail.outlookin.ml
mail3.nate-or.ga
member.dmaccount.ml
members.daum-vpn.ml
owo.owo.wowow.ga
qygbn.xdtgh.ga
vpn.atooi.ga

# Reference: https://twitter.com/fuuuing_/status/1393102998532886531

fabre.myartsonline.com

# Reference: https://twitter.com/TeamT5_Official/status/1410206100033400838
# Reference: https://biz.chosun.com/policy/politics/2021/06/18/V4DTFCEXPRA4DFCBVVJO3DPR5I/ (Korean)
# Reference: https://www.virustotal.com/gui/ip-address/27.102.106.48/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.107.63/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.112.49/relations
# Reference: https://www.virustotal.com/gui/ip-address/27.102.114.89/relations

boryung.tk
cdaum.kro.kr
celltrion.ml
cimoon.ml
claum.ml
cloudmall.club
cnaver.kro.kr
csdaum.ga
dongguk.kro.kr
home-info.ml
jbnu.info
jbnu.ml
lottebp.ga
minia.ml
naver-in.ml
nhnems.nsec.kro.kr
nidcorp.n-e.kr
novavax.ml
nsec.nhnems.kro.kr
nsuites.ga
pagelock.host
uni-korea.ga
uni-tuebingen.buzz
uni-tuebingen.cf
xonate.kro.kr
admin.claum.ml
admin.naver-in.ml
alarm.naver-in.ml
aol.pagelock.host
app.seoul.minia.ml
celltrion.cloudmall.club
daum.home-info.ml
exchange.uni-tuebingen.buzz
exchange.uni-tuebingen.cf
helper.uni-korea.ga
home.xonate.kro.kr
its.jbnu.ml
mail.celltrion.ml
mail.naver-in.ml
mail.novavax.ml
manager.naver-in.ml
member.cdaum.kro.kr
member.csdaum.ga
member.daum.home-info.ml
member.dongguk.kro.kr
myinfo.cnaver.kro.kr
nhn.nsuites.ga
nhnems.nsec.kro.kr
nid.naver.home-info.ml
nidcorp.nsuites.ga
nidlogin.nidcorp.n-e.kr
nsec.nhnems.kro.kr
onedrive-upload.ikpoo.cf
onedrive.ikpoo.cf
user.lottebp.ga
user.naver-in.ml

# Reference: https://twitter.com/ShadowChasing1/status/1410887216956547076

atooi.ga
gommi.ml
kumb.cf
onono.ml
uhuioo.cf
app.gommi.ml
gate.uhuioo.cf
mail.kumb.cf
vpn.atooi.ga
go.onono.ml

# Reference: https://twitter.com/h2jazi/status/1411826239455760387
# Reference: https://www.virustotal.com/gui/file/79848ca15ec49057261b6ba52275692d131b8dd034ae9a4cca1e1b81d9e18b77/detection

chels.mypressonline.com

# Reference: https://twitter.com/k3yp0d/status/1415652277914939393

tbear.mypressonline.com

# Reference: https://twitter.com/higefox/status/1411884786323361792
# Reference: https://asec.ahnlab.com/ko/24834/ (Korean)
# Reference: https://asec.ahnlab.com/ko/25351/ (Korean)
# Reference: https://otx.alienvault.com/pulse/60f125c78978e02a40e00c85

benze.atwebpages.com
btige.myartsonline.com
ccav.myartsonline.com
chels.mypressonline.com
giruz.atwebpages.com
jupit.getenjoyment.net
lieon.mypressonline.com
lovel.myartsonline.com
lovels.myartsonline.com
mantc.getenjoyment.net
modri.myartsonline.com
obser.mygamesonline.org
ranso.myartsonline.com
rster.atwebpages.com
stair.atwebpages.com
stair.myartsonline.com
vbqwer.mypressonline.com
visul.myartsonline.com
warcr.onlinewebshop.net

# Reference: https://twitter.com/h2jazi/status/1417093562278240256
# Reference: https://www.virustotal.com/gui/file/d3138e7b0dcf5e916834b045c1b006a1cd223dca75626bd1354b47dbd0c63ae2/detection

1213rt.atwebpages.com

# Reference: https://twitter.com/fuuuing_/status/1417426427528417283

kimshan600000.blogspot.com

# Reference: https://mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ
# Reference: https://otx.alienvault.com/pulse/60ffcd56a7dc0038376fe52e

worldinfocontact.club
alyssalove.getenjoyment.net
hanlight.mygamesonline.org
kr2959.atwebpages.com
majar.medianewsonline.com
samsoding.homm7.gethompy.com
anpcb.co.kr/plugin/sns/facebook/src/update/normal.dotm
beilksa.scienceontheweb.net/cookie/select/log/tmp
beilksa.scienceontheweb.net/cookie/select/log/list.php
cwda.co.kr/theme/basic/skin/new/basic/update/Normal.dotm
cwda.co.kr/theme/basic/skin/new/basic/update/list.php
heritage2020.cafe24.com/plugin/kcpcert/bin/list.php
inonix.co.kr/kor/board/widgets/mcontent/skins/tmp
inonix.co.kr/kor/page/product/_notes/list.php
inonix.co.kr/kor/page/product/_notes/tmp/
koreacit.co.kr/skin/new/basic/update/temp
mechapia.com/_admin/nicerlnm/web/style/list.php
miracle.designsoup.co.kr/user/views/resort/controller/css/update/list.php
nuclearpolicy101.org/wp-admin/includes/0421/d.php
reform-ouen.com/wp-includes/css/dist/nux/dotm/dwn.php
yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php

# Reference: https://twitter.com/360CoreSec/status/1423561133873537024
# Reference: https://www.virustotal.com/gui/file/cd9421c332a2b90b26152f0e85a7db621306cd1daa70f30af3210895d2aeb577/detection

rhwkdlaktm.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1446270087506194432
# Reference: https://www.virustotal.com/gui/file/82067ef8b907888f9fc27dd0630c37c95b0a55a7c225fb2d693115c41c7dd5be/detection

greatname.000webhostapp.com

# Reference: https://twitter.com/ShadowChasing1/status/1446278566564433939
# Reference: https://www.virustotal.com/gui/file/32beeda8cffc2ecc689ea2529194cf806955879a334ec68176864d1e6c09800c

youtoboo.kro.kr
movie.youtoboo.kro.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446272122058280963

navercheck.kro.kr
nidlogin.navercheck.kro.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446271028481593365
# Reference: https://www.virustotal.com/gui/file/db88dc539bccce8c30e3ba6897171989c9a340f23075c614f3c5a73ae0160db1

tigerwood.tech
ppahjcz.tigerwood.tech

# Reference: https://twitter.com/ShadowChasing1/status/1446270634690895872
# Reference: https://www.virustotal.com/gui/file/324b2e2c0471e49c7cc07725a7d748041479714d265ec6dbf386edd3f619f03c

requests.p-e.kr
ping.requests.p-e.kr

# Reference: https://twitter.com/ShadowChasing1/status/1446269684072914946
# Reference: https://www.virustotal.com/gui/file/8e263345cfeda4eb6720c47d4eaaee236be294fda693d840199f221d6e1412c6

beast.16mb.com

# Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html

44179d6df22c56f339bf.blogspot.com
4b758c2e938d65bee050.blogspot.com
akf4tvrbmg.blogspot.com
amfuz2h5b2s.blogspot.com
byun70kh.mygamesonline.org
gyzang0826.blogspot.com
gyzang1.blogspot.com
gyzang58.blogspot.com
gyzang681.blogspot.com
gyzang682.blogspot.com
kimshan600000.blogspot.com
o61666ch.getenjoyment.net
pjeu1urxdnvef6twpveg.blogspot.com
rrmu1qrxdoekv6twc9pq.blogspot.com
smyun0272.blogspot.com
t22a44es.atwebpages.com
tvrbmkxqstbouzq0twk0ee9uaz0.blogspot.com
tvrfekxqrtvpqzr5tvrfdu5evt0.blogspot.com
tvrfeuxqrtfnqzr4t0m0ee5utt0.blogspot.com
twpbekxqsxpoqzr4txpvdu1uyzu.blogspot.com
vev4tkrrpq.blogspot.com
vgn5tvrrpq.blogspot.com
vgt5tvrnpq.blogspot.com

# Reference: https://twitter.com/h2jazi/status/1465402736996933640

3a8f846675194d779198.blogspot.com
0knw2300.mypressonline.com
faust22.mypressonline.com

# Reference: https://www.virustotal.com/gui/file/cb88d365011dce926afb1c04e6973f3d3db7135dd67d738e281f3690b8d9e6ef/detection

kr3753.atwebpages.com

# Reference: https://twitter.com/souiten/status/1473862308132651011

jinu1353.scienceontheweb.net

# Reference: https://twitter.com/souiten/status/1457946934623150090
# Reference: https://www.virustotal.com/gui/file/0cfa89348dc6007c89852907e464f3e91060e83665d6d62243be225c0e2e44a9/detection

gosiweb.gosiclass.com/m/gnu/convert/default/8ef014a/list.php

# Reference: https://twitter.com/Timele9527/status/1425640885811777542

helpnid.com

# Reference: https://twitter.com/cyberwar_15/status/1478572625291276291

com-trace.space
confirm-pw.link
navers.online
navers.store
navers.website
net-pass.store

# Reference: https://twitter.com/souiten/status/1472757875839619079
# Reference: https://www.virustotal.com/gui/file/2ef30a004e68213faa8cfef567af2292ff03f8ea9f273ae1c9c2b7845ba6ea87/detection

zippe.myartsonline.com

# Reference: https://blog.alyac.co.kr/3228?category=957259 (Korean)

pingguo2.atwebpages.com
ramble.myartsonline.com

# Reference: https://asec.ahnlab.com/ko/26183/ (Korean)
# Reference: https://otx.alienvault.com/pulse/6110fe0ab195f83ceb72fcff

dkekftks.atwebpages.com
dktkglrkshqhfn.atwebpages.com
tktlal2.atwebpages.com
tktlal3.atwebpages.com
tksRpdl.atwebpages.com

# Reference: https://twitter.com/ShadowChasing1/status/1482976392958865413

gooeglle.mypressonline.com

# Reference: https://twitter.com/cyberwar_15/status/1485607323154644999

bigfilemail.net
cmaildown.lovestoblog.com
msgbugreporting.lovestoblog.com
/wwwppp/index2.php

# Reference: https://twitter.com/ShadowChasing1/status/1489054323946319876
# Reference: https://www.virustotal.com/gui/file/5d25e53b59bd2dcf234c6819f8cd294efe6d943d04625b9d575002362794e74a/detection

com-info.store
ms-work.com-info.store

# Reference: https://twitter.com/jaydinbas/status/1493522324011851776
# Reference: https://www.virustotal.com/gui/file/3ca7067d60ee47be7448da74be7dab23699cda64cac7ed0cd7a2d219875cb902/detection

asenal.medianewsonline.com

# Reference: https://twitter.com/s1ckb017/status/1493907536117964802
# Reference: https://www.virustotal.com/gui/file/1fa38bd7a3d6a7b73ac4893bb7edc04fb3f56dcfad3b3e6b3fa6d4729add22e2/detection

byusunity.000webhostapp.com

# Reference: https://twitter.com/ShadowChasing1/status/1500778382966939653
# Reference: https://www.virustotal.com/gui/ip-address/161.97.100.171/relations

com-checking.link
com-pass.online
com-password.link
com-silver.site
jp-check.online
naver-active.online
certificate.medis.navers.store
com.com-pass.online
daum.confirm-pw.link
downfile.mybox.com-password.link
downfile.naver.com-pass.online
medis.navers.store
moue.naver-active.online
ms-work.com-pass.online
ms-work.com.com-pass.online
mybox.com-password.link
myetherwallet.com-checking.link
naver.com-pass.online
naver.com-silver.site
navers.com-checking.link
navers.com-silver.site
naverwebs.com-password.link
navrenewal.confirm-pw.link
neaply.naver-active.online
nib.com-checking.link
nic.navers.com-checking.link
nid.moue.naver-active.online
nid.naver-active.online
nid.navers.com-checking.link
nid.navers.confirm-pw.link
nid.navrenewal.confirm-pw.link
nid.neaply.naver-active.online
nld.naverwebs.com-password.link
nld.neaply.naver-active.online
nld.thus.navers.com-checking.link
nood.navers.jp-check.online
thus.navers.com-checking.link
uid.navers.com-silver.site

# Reference: https://www.virustotal.com/gui/file/0b2db410c50d9e4eb7e88177c463be3da5fff5527d9dc2ae10fa26ebe2721ef1/detection

healerboy.000webhostapp.com

# Reference: https://twitter.com/cyberwar_15/status/1507270188882067460

mailnotification.xyz
naveruser.com
nid.naver.com.pe
pay.naver.com.pe
report.mailnotification.xyz
star.mailnotification.xyz

# Reference: https://twitter.com/s1ckb017/status/1507316584079142915
# Reference: https://www.virustotal.com/gui/file/af6b98cabdaf0e3f12fd32509c6b99c141ce59bd73019730d85f66f41ca399da/detection

hannarng.kro.kr
update.hannarng.kro.kr

# Reference: https://twitter.com/souiten/status/1514440361887690753
# Reference: https://www.virustotal.com/gui/file/f28d087adb5f959c62e318d0a3c4639df5513781587aa46bb8df2521f7970ac5/detection

manage-box.com

# Reference: https://twitter.com/souiten/status/1519167359918911488
# Reference: https://www.virustotal.com/gui/file/2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0/detection

dusieme.com

# Reference: https://twitter.com/ShadowChasing1/status/1519514517465485312

uekaf.myartsonline.com

# Reference: https://twitter.com/InQuest/status/1521136176530436098
# Reference: https://www.virustotal.com/gui/file/5ed36771ac803408325326322f6909e8f768ed9a4c9e98217a82a66f71e7627d/detection

leehr36.mypressonline.com

# Reference: https://twitter.com/jaydinbas/status/1521408843774844929

weworld59.myartsonline.com

# Reference: https://twitter.com/h2jazi/status/1521906180553068546
# Reference: https://www.virustotal.com/gui/file/0e9689ea8056e3016ccc7fbfed31d8566403f394b68aceb69fb1a3dfec6b6f09/detection
# Reference: https://www.virustotal.com/gui/file/4b0202a8452fe202d25fc5c75aabef3ae52083d2edb7f57cbde02a1bca02a028/detection

attach.mail.daum.net/bigfile/v1/urls/d/exeuQzisacbcTtb5my1snadAn5Q/8nrA37fWtx1JOg3Vo6Jufg
attach.mail.daum.net/bigfile/v1/urls/d/6akA_Jg1Chbl_TcCTytJJQk4mfE/-z8Vw6BjxQC7ds4lmMKxpA

# Reference: https://twitter.com/BlackLotusLabs/status/1524012722622386176
# Reference: https://twitter.com/BlackLotusLabs/status/1524012726133178374
# Reference: https://www.virustotal.com/gui/file/99e58217d03645fe15ae19476554965e93e3d5f50deb85b515eb5543573f9007/detection

trueliebe.com

# Reference: https://asec.ahnlab.com/en/34694/
# Reference: https://twitter.com/malwrhunterteam/status/1525046722120097798
# Reference: https://twitter.com/ShadowChasing1/status/1525070825480949761
# Reference: https://www.virustotal.com/gui/file/2c20ac485fd55bd1a5c4b75c5ba521e5b19912325737617178dfcb5a4e408aef/detection

mc.pzs.kr/themes/mobile/images/about/temp/attach
mc.pzs.kr/themes/mobile/images/about/temp/upload
mc.pzs.kr/themes/mobile/images/about/temp/upload/lib.php
mc.pzs.kr/themes/mobile/images/about/temp/upload/list.php
mc.pzs.kr/themes/mobile/images/about/temp/attach/attach.docx

# Reference: https://asec.ahnlab.com/ko/34883/ (Korean)
# Reference: https://otx.alienvault.com/pulse/629714934cca82a7351d5254

fedra.p-e.kr
leomin.dothome.co.kr
printware2.000webhostapp.com

# Reference: https://twitter.com/blackorbird/status/1534127714336055296

ielsems.com
worldinfocontact.club

# Reference: https://twitter.com/cyberwar_15/status/1536865901899022336

cloudfiles.epizy.com
clouds.great-site.net
fils.clouds.great-site.net
joongang.epizy.com
daum.cloudfiles.epizy.com
kakao.cloudfiles.epizy.com
khu.cloudfiles.epizy.com
konkuk.cloudfiles.epizy.com
naver.cloudfiles.epizy.com
snu.cloudfiles.epizy.com

# Reference: https://twitter.com/cyberwar_15/status/1550740560033779713
# Reference: https://twitter.com/cyberwar_15/status/1547107301949308928

cdndaum.online
marsus.online
navecom.website
naveos.online
naveos.tokyo
naver-sec.site
navow.website
nonghyup.website
oneearthfuture.online
private-banking-group.com
sslnaver.online
unifiedworldwideexpress.com
cood.nonghyup.website
nid.nonghyp.com-checking.link
nld.naveos.tokyo
noid.naveos.online
nong.navow.website

# Reference: https://twitter.com/h2jazi/status/1551566274664300544
# Reference: https://www.virustotal.com/gui/file/e59f0aa13e2da2a0cd5c07e882014d9b37927b9bd9a493f83c2bcb103e5a739c/detection

asssambly.mywebcommunity.org

# Reference: https://twitter.com/blackorbird/status/1552846355613097984
# Reference: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
# Reference: https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv

gonamod.com
siekis.com
worldinfocontact.club

# Reference: https://twitter.com/Des00464472/status/1550410336364527616

aire.us.to

# Reference: https://twitter.com/Des00464472/status/1529321196231487488

naverauthority.com

# Reference: https://twitter.com/Des00464472/status/1408013493358391296

preledd.club

# Reference: https://twitter.com/Des00464472/status/1554308879139618817

protect-team.n-e.kr
mail.protect-team.n-e.kr

# Reference: https://twitter.com/cyberwar_15/status/1559744857023062017

net-all.website
daum.net-all.website
kakao.net-all.website
onedrive.net-all.website
yahodrive.net-all.website
yandex.net-all.website

# Reference: https://twitter.com/PhantomXSec/status/1561490582513496064

bybitesupport.com
drivergooogles.com
kakaosupport.com

# Reference: https://twitter.com/PhantomXSec/status/1561738109884059649
# Reference: https://www.virustotal.com/gui/ip-address/51.195.155.36/relations

navericorp.com
nid.navericorp.com
avlinkt.online
avlinkx.online
avlinky.online
avlinkz.online
cutalink.store
cutblink.store
cutclink.shop
cutdlink.shop
linkurla.online
linkurlb.online
linkurlc.online
linkurld.online
midalink.live
midamain.shop
midaurl.site
midaurl.tech
midblink.xyz
midbmain.shop
midburl.site
midburl.tech
midclink.xyz
midcmain.click
middmain.click
movelinka.online
movelinkb.online
movelinkc.online
movelinkd.online
navurla.tech
netalink.space
netblink.space
netclink.store
netdlink.store
nilinks.online
nilinkt.online
nilinku.online
nlinka.link
nlinka.online
nlinkb.link
nlinkb.online
nlinkc.link
nlinkc.online
nlinkd.link
nlinkd.online
nlinke.link
nredia.tech
nredib.link
nredic.link
nredid.link
nredie.link
nredif.link
nredif.live
nredig.link
nredirea.live
nredireb.live
nredirec.live
nredirecti.tech
nredirectj.tech
nredirectk.tech
nredired.live
nserva.link
nserva.live
nservb.link
nservb.live
nservc.link
nservc.live
nservd.link
nservd.live
nserve.live
nshortlinka.live
nshortlinkb.live
nshortlinkc.live
nshortlinkd.live
nshortlinke.live
nurla.link
nvurli.online
nvurlu.online
nvurly.online
reashow.live
rebshow.live
recshow.live
redalink.xyz
redclink.xyz
redelink.tech
redflink.tech
redireact.online
redirebct.online
redirecct.online
rediurla.live
rediurlb.live
rediurlc.live
rediurld.live
redomain.info
redombin.info
redserva.online
redservb.online
redservc.online
redservd.online
redshow.live
shortacut.tech
shortanet.click
shortaurl.site
shortbcut.tech
shortbnet.click
shortburl.site
shortccut.info
shortcurl.site
shortcuta.online
shortcuta.xyz
shortcutb.online
shortcutb.xyz
shortcutc.online
shortcutc.xyz
shortcutd.online
shortcutd.xyz
shortdcut.info
shortdurl.site
shortlinka.xyz
shortlinkb.xyz
urlalink.info
urlblink.info
urlclink.info
urldlink.info
help.nredid.link
port.movelinkb.online
port.nredig.link
port.nservc.link
port.nservc.live
port.nshortlinke.live
port.redserva.online
postgres.nlinkd.online

# Reference: https://twitter.com/RedDrip7/status/1562282889693126659
# Reference: https://www.virustotal.com/gui/file/6a435e2aab6dce39d626eacb39fc964967e35e94abf513da0f6511ab7b1f826e/detection

uppgrede.scienceontheweb.net

# Reference: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

225b4d3c305f43e1a590.blogspot.com
3a8f846675194d779198.blogspot.com
c52ac2f8ac0693d8790c.blogspot.com
leejong-sejong.blogspot.com
21nari.getenjoyment.net
21nari.mypressonline.com
21nari.scienceontheweb.net
attach.42web.io
attachment.a0001.net
bigfile.totalh.net
chmguide.atwebpages.com
chunyg21.sportsontheweb.net
clouds.rf.gd
glib-warnings.000webhostapp.com
global.onedriver.epizy.com
global.web1337.net
hochdlincheon.mypressonline.com
hochuliasdfasfdncheon.mypressonline.com
hochulidncheon.mypressonline.com
hochulincddheon.mypressonline.com
hochulincheon.mypressonline.com
hochulindcheon.mypressonline.com
hochulindddcheon.mypressonline.com
hochulinsfdgasdfcheon.mypressonline.com
koreajjjjj.atwebpages.com
koreajjjjj.sportsontheweb.net
kpsa20201.getenjoyment.net
leehr24.mywebcommunity.org
weworld78.atwebpages.com
weworld79.mygamesonline.org
yulsohnyonsei.atwebpages.com
yulsohnyonsei.atwewbpages.com
yulsohnyonsei.medianewsonline.com

# Reference: https://twitter.com/RedDrip7/status/1563074487452848128
# Reference: https://www.virustotal.com/gui/ip-address/216.189.154.6/relations
# Reference: https://www.virustotal.com/gui/file/7903bdf0976d5c6f3c28abf40c41414380f4494a8bf72af9e27ff810599faaf2/detection
# Reference: https://www.virustotal.com/gui/file/f63ff642e7025db96d6ebbd6da26aa9cece4f132891ce2a8385d7c034a7ead25/detection
# Reference: https://www.virustotal.com/gui/file/db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe/detection

accountverify.hmail.us
office.pushitlive.net
qwert.mine.bz

# Reference: https://twitter.com/Jup1a/status/1562720823869583360
# Reference: https://www.virustotal.com/gui/file/a0fddbb638fc4f3ba4cefc0707226e8c01eefd98f78d6a9b4fbca1ba74b21adf/detection

sectionss.scienceontheweb.net

# Reference: https://twitter.com/Des00464472/status/1564151538553352193
# Reference: https://www.virustotal.com/gui/ip-address/210.16.120.163/relations

xxdzts.com
autoconfig.xxdzts.com
autodiscover.xxdzts.com
mail.xxdzts.com

# Reference: https://twitter.com/ShadowChasing1/status/1568061411011760129

aasssambly.mywebcommunity.org

# Reference: https://twitter.com/PhantomXSec/status/1567738114638237697
# Reference: https://twitter.com/PhantomXSec/status/1567733296083398656
# Reference: https://www.virustotal.com/gui/ip-address/27.255.81.84/relations
# Reference: https://virustotal.com/gui/ip-address/61.97.251.247/relations

daum-master.com
daum-security.com
daurn.net
help-naver.com
naver-edoc.com
naver-edocu.com
naveradmin.center
naverc0rp.com
navercorp.date
navernail.eu
naverscenter.com
naverssl.com
sec-naver.com
6xv2abhu1nc0.help-naver.com
6xv2abhu1nc0.sec-naver.com
7nv42j9qxt140.help-naver.com
7nv42j9qxt140.sec-naver.com
ad.daurn.net
cafe.daurn.net
gud2abhu1nc0.help-naver.com
gud2abhu1nc0.sec-naver.com
m.cafe.daurn.net
nid.naverssl.com
nidiogin.naverc0rp.com
nidlogin.naverc0rp.com
nidlogin.navercorp.date
nids.naverscenter.com
ns.naverssl.com
rcaptcha.help-naver.com
rcaptcha.sec-naver.com
sks1.smartvpn.pe.kr
smartvpn.pe.kr
static.help-naver.com
static.sec-naver.com
uns.naverssl.com
wat.ad.daurn.net

# Reference: https://twitter.com/cyberwar_15/status/1567828108790890498

certuser.info
koreailmin.com

# Reference: https://twitter.com/PhantomXSec/status/1566863825999400960
# Reference: https://www.virustotal.com/gui/ip-address/38.132.122.162/relations

accounts-kakao.date
cds.naver2.info
com2.space
com3.top
hello.naver2.info
help2.top
help2.xyz
member2.download
naver-corp.top
naver-corp.xyz
naver.com3.top
naver.help2.xyz
naver.member2.download
naver2.eu
naver2.info
naver2.space
naver2.top
naver2.xyz
naver3.space
naver3.xyz
naver4.info
navercorp.top
navercorp.world
navercorp1.xyz
navercorp2.space
navercorp2.top
navercorp2.xyz
navercorp3.xyz
naverpwd.space
naverpwd.top
naverpwd.world
naverpwd.xyz
nid-naver.top
ro.naver2.info
sync-t1.naver2.info
tm.naver2.info
us7lb-cdn.naver2.info

# Reference: https://twitter.com/Des00464472/status/1568885820031135744
# Reference: https://www.virustotal.com/gui/ip-address/104.128.239.16/relations

hiworks.ga
insopack.mcsoft.org
myclouds.r-e.kr
office.hiworks.ga
softmail.kro.kr
app.softmail.kro.kr
office.myclouds.r-e.kr

# Reference: https://twitter.com/ShadowChasing1/status/1570601703598338049
# Reference: https://www.virustotal.com/gui/file/d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0/detection

cuts.dothome.co.kr
napoyo.mypressonline.com

# Reference: https://twitter.com/Des00464472/status/1570558688267739138

navers.tech
confluence.navers.tech
myboxs.navers.tech
myboxes.navers.tech
nied.navers.tech
techmyboxes.navers.tech

# Reference: https://twitter.com/ShadowChasing1/status/1576944331050471425
# Reference: https://www.virustotal.com/gui/file/f03a7a96e3ce5e35dd52ce026266b68aa35301828f1d909d858658051371473d/detection

krinnsnail.sportsontheweb.net/file/upload/list.php

# Reference: https://twitter.com/ShadowChasing1/status/1580001848211410944
# Reference: https://www.virustotal.com/gui/file/e1c09e045af8b7301390cd9619e3cca7a96d9d2bba2b5fc3385a093f3d69b6b4/detection

wayna.myartsonline.com

# Reference: https://twitter.com/cyberwar_15/status/1585965668054073345

docxpcgle.epizy.com
imhyoj8.myartsonline.com

# Reference: https://twitter.com/souiten/status/1592758204198719488
# Reference: https://www.virustotal.com/gui/file/2e1aca8c86562cc52b8bee6ecc45dabb1c11ebba94c81b059d8859a1b263f1e7/detection

yundy.mypressonline.com

# Reference: https://twitter.com/cyberwar_15/status/1575476579639078913

attachnents.epizy.com
cloud.kcrea.rf.gd
ewha-cloud.epizy.com
clouds.kvongnum.rf.gd
files.khu.rf.gd

# Reference: https://asec.ahnlab.com/ko/42163/ (Korean)
# Reference: https://otx.alienvault.com/pulse/63766a570640a9c4b0bd052d

jojoa.mypressonline.com
okihs.mypressonline.com

# Reference: https://twitter.com/ThreatBookLabs/status/1593523949664493568

quickedit.o-r.kr
www1.quickedit.o-r.kr

# Reference: https://twitter.com/souiten/status/1603398380687790080
# Reference: https://www.virustotal.com/gui/file/b9dcf7fe7e8ba30d363a19c2c43fc3eea93d281b10f6ee89cffe2a3e533af442/detection

infotechkorea.com

# Reference: https://twitter.com/ThreatBookLabs/status/1607989665487032320

m6.p-e.kr

# Reference: https://asec.ahnlab.com/en/44680/
# Reference: https://otx.alienvault.com/pulse/63a5a4e0a2d0a650343cda1c

3.supports.o-r.kr
conf.simpleedit.n-e.kr
configment.p-e.kr
dashboard.quikveoriy.o-r.kr
digital.pepperbank.kro.kr
foward.viewpropile.p-e.kr
heungkukfire.p-e.kr
inglife.kro.kr
k-bank.o-r.kr
k-bank1.kro.kr
kakaosaving.kro.kr
kamco.kbloan.kro.kr
kamco.kbloan.r-e.kr
kamco.webs.kro.kr
kbank.o-r.kr
kbloan.r-e.kr
naver.o-r.kr
naver65.n-e.kr
nhlife.kro.kr
pepperbank.kro.kr
quikveoriy.o-r.kr
secure-edit.n-e.kr
simpleedit.n-e.kr
smartshinhan.kro.kr
supports.o-r.kr
tos.p-e.kr
user2list.kro.kr
viewpropile.p-e.kr
w1.user2list.kro.kr
w3.secure-edit.n-e.kr
webs.kro.kr
wvw1.user2list.kro.kr
wvw3.secure-edit.n-e.kr
wwv3.supports.o-r.kr
www2.configment.p-e.kr

# Reference: https://twitter.com/souiten/status/1614811574119849989
# Reference: https://www.virustotal.com/gui/file/4e5ef5933078edeb09fd7d44f90843f4a221c1754d9d15a39aded79416b40779/detection

ielsd.myartsonline.com

# Reference: https://asec.ahnlab.com/en/45658/
# Reference: https://otx.alienvault.com/pulse/63c81a99d295f5fc0e67b465

lifehelper.kr

# Reference: https://twitter.com/StopMalvertisin/status/1622820104236077056

hydrotec.co.kr/bbs/img/cmg/upload2/
hydrotec.co.kr/bbs/img/cmg/upload3/

# Reference: https://twitter.com/StopMalvertisin/status/1621390517249654785
# Reference: https://www.virustotal.com/gui/file/a2e6e833947a1d5c526c0c2d6943e35bad9cbe22b52a6f7013ab8c1de0aa2d31/detection

jooshineng.com
/gnuboard4/adm/img/ghp/up/

# Reference: https://twitter.com/StopMalvertisin/status/1620651498014404608
# Reference: https://www.virustotal.com/gui/file/38640d508c137d0e05c6d34d6bf5618095baed364482baef908fe1d7b2310e15/detection

hkisc.co.kr/gnuboard4/bbs/img/upload/list.php
/gnuboard4/bbs/img/upload/

# Reference: https://twitter.com/StopMalvertisin/status/1626528455289610241
# Reference: https://www.virustotal.com/gui/file/97516e5250e44461a479de391daa0538b9714346263577bcb61961c1991efb27/detection

globalinbest.com
/src/bbs/sec/img3/

# Reference: https://twitter.com/fmc_nan/status/1635537014891372545
# Reference: https://www.virustotal.com/gui/file/8ac8eedfc8a155066915aed214dbf78c1f200124e5663b35f1935f31576fb71e/detection
# Reference: https://www.virustotal.com/gui/file/cd127b2f17e686c77898d0ed8b5325503fcbc9dbc4c9b63c7ae8722089db7564/detection

nideso.mywebcommunity.org

# Reference: https://twitter.com/StopMalvertisin/status/1635933718618734593
# Reference: https://www.virustotal.com/gui/file/451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f/detection

eum-it.co.kr/gnuboard4/bbs/img/upload/
/gnuboard4/bbs/img/upload/

# Reference: https://asec.ahnlab.com/en/49295/
# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-14-v10267/358
# Reference: https://otx.alienvault.com/pulse/64120cb4ea4bae2a4dbdf8d8

ria.monster
mp_eval_r.ria.monster
mpevalr.ria.monster
mpevlar.ria.monster
viewfile.ria.monster
/SmtInfo/show.php

# Reference: https://twitter.com/asdasd13asbz/status/1636173992695582720
# Reference: https://www.virustotal.com/gui/file/d0ec6d91cf9e7c64cf11accadf18f8b5a18a10efbecb28f797b3dbbf74ae846d/detection

http://172.93.193.158

# Reference: https://twitter.com/ShadowChasing1/status/1636391606592094208
# Reference: https://www.virustotal.com/gui/file/4e9d8f2d6bd17f71ed2a6c356deebc87801e413aad931b7ae1a70a8aa431d007/detection

breezyhost.net

# Reference: https://twitter.com/fmc_nan/status/1636667175913287680

delps.scienceontheweb.net/ital/info/list.php
delps.scienceontheweb.net/ital/info/sample.hwp

# Reference: https://asec.ahnlab.com/ko/50394/ (Korean)
# Reference: https://www.virustotal.com/gui/file/7a45a529b275cfaa6ebde88bf00413a11c0f701bf9e1e7e93ef27423fd17e3f5/detection

zetaros.000webhostapp.com

# Reference: https://twitter.com/BridewellCTI/status/1640376166858063874
# Reference: https://twitter.com/MichalKoczwara/status/1640393007382904851
# Reference: https://www.bridewell.com/insights/news/detail/bridewell-intelligence-report-kimsuky-apt-group---key-insights-for-uk-energy-cisos

aontechu.com
bsconvid.info
cdn-smtp.com
cereoni.org
cgui.eu
cmember.info
daumblog.eu
dmrxcloud.com
dreamhosregister.eu
edronium.com
gmember.eu
gmember.info
innovace.info
kakao-privacy.com
kakao-security.com
msn-imap.com
ncop.info
onkrdot.info
ontechvip.eu
publishhostmap.shop
umember.info
wordpress1s.xyz
_tls.publishhostmap.shop
accountc.gmember.eu
fqdn.nid.sslnaver.online
kr4.wordpress1s.xyz
logins.cdndaum.online
mail.cdndaum.online
nid.sslnaver.online
tls.publishhostmap.shop
web.publishhostmap.shop
web.sslnaver.online
webmail.dreamhosregister.eu

# Reference: https://twitter.com/ni_fi_70/status/1566770766389149696
# Reference: https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf
# Reference: https://otx.alienvault.com/pulse/641dd2ad4310d178a4c6766e

navernnail.com

# Reference: https://twitter.com/souiten/status/1645307251903840257
# Reference: https://www.virustotal.com/gui/file/0d663b9907a34604f120963b64a763c472e7e896857728199d3df912c93208a0/detection

messydoan.000webhostapp.com
mvix.xn--oi2b61z32a.xn--3e0b707e

# Reference: https://twitter.com/suyog41/status/1647956514005450752
# Reference: https://www.virustotal.com/gui/file/b92cb632535fd8b5c3863635b980611deae61420d76158fc6e7b307518302490/detection
# Reference: https://www.virustotal.com/gui/file/9fcd77ff9ec8a0b701316c3d45d4e6f7a0f012f5c2254a77628d233045839a7d/detection
# Reference: https://www.virustotal.com/gui/file/4f1081d688ba2477e097ebbbf0cce4048dbe9134da526949ae6e729f7b0494de/detection
# Reference: https://www.virustotal.com/gui/file/35cb65a70e8296aafd09b7550b13da2255bed9c30d6f284cce395e8e4532804c/detection

ibsq.co.kr/config/demo.txt
ibsq.co.kr/m.layouts/demo.txt
ibsq.co.kr/config
ibsq.co.kr/m.layouts

# Reference: https://twitter.com/malwrhunterteam/status/1648601223245725696
# Reference: https://www.virustotal.com/gui/file/6bab11d9561482777757f16c069ebef3f1cd6885dbef55306ffde30037a41d48/detection

xn--vn4b27hka971hbue.kr

# Reference: https://www.virustotal.com/gui/file/1ec4d60738a671f00089a86eeba6cb13750bce589e84fd177707718a4cc7d8f1/detection

partybbq.co.kr

# Reference: https://twitter.com/malwrhunterteam/status/1653682472163368960
# Reference: https://www.virustotal.com/gui/file/8cc66e4069a30885202b0328407ff167671133a1a539808c48f12928348744e0/detection

inspa.studioguy.com/bbs/data/bbs15/context.php
inspa.studioguy.com/bbs/data/bbs15/inquire.php
/bbs/data/bbs15/context.php
/bbs/data/bbs15/inquire.php

# Reference: https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

mitmail.tech
newshare.online
rfa.ink
yonsei.lol
/bio234567890rtyui/
/bio433ertgd12/

# Reference: https://twitter.com/h2jazi/status/1658133904618934272
# Reference: https://www.virustotal.com/gui/file/76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c/detection
# Reference: https://www.virustotal.com/gui/file/bbcfcc719190f0a2c687778d5d2fd5c6e345d64f44a01b26d33b7df20e099d6f/detection

com-port.space
file.com-port.space

# Reference: https://www.virustotal.com/gui/ip-address/61.195.126.150/relations

blog.de-file.online
cf-health.click
com-def.asia
com-otp.click
com-people.click
com-port.space
com-price.space
com-www.click
de-file.online
kr-angry.click
kr-me.click
mid.navers.blog.de-file.online
navers.blog.de-file.online
navers.com-otp.click
navers.com-price.space
navers.de-file.online
nld.navers.de-file.online
uid.navers.com-price.space
uld.navers.com-otp.click

# Reference: https://www.virustotal.com/gui/ip-address/157.7.184.26/relations

bid.cyberestate.de-bat.click
bld.cyberestate.de-bat.click
blog.mpevalr.com-def.asia
com-coffee.click
com-def.asia
com-port.space
cyberestate.de-bat.click
de-bat.click
de-two.website
k-ac.net
logins.nlfty.com-coffee.click
mpevalr.com-def.asia
navers.blog.mpevalr.com-def.asia
nld.navers.blog.mpevalr.com-def.asia
nlfty.com-coffee.click
point.com-def.asia
smart.com-coffee.click
smart.de-bat.click
sniperman.click
view.sniperman.click

# Reference: https://www.virustotal.com/gui/file/fd63e26bd09fd13d86d4505d9aa53c4bf599f9de954e7bccfa01179fd644d218/detection

trusteer.ink

# Reference: https://twitter.com/malwrhunterteam/status/1656946771053150208
# Reference: https://www.virustotal.com/gui/file/42f76f37742103bd599a68ef508b515efeb9e9ffddbfdcc43eb552b70b2440e9/detection
# Reference: https://www.virustotal.com/gui/file/cca4e9fc00647b644d334b2bab03d1a9acb23f7492c7c5aa2d283be78b87d67d/detection

jeannecampos.com/wp-includes/certificates/ca-bundle.php

# Reference: https://twitter.com/StopMalvertisin/status/1669259390237708291
# Reference: https://www.virustotal.com/gui/file/de2fd62fafe61f46ad967c84dd7fbca80d31ad4729fed051d527d9ba45857fd6/detection

sendlucky.scienceontheweb.net

# Reference: https://twitter.com/StopMalvertisin/status/1669379338691837953
# Reference: https://twitter.com/StopMalvertisin/status/1669379341820792832
# Reference: https://www.virustotal.com/gui/file/2763ddf592130cd80198fb60546dfb28de5f647df34522e4ab58a8bf5e63b769/detection
# Reference: https://www.virustotal.com/gui/file/0d19cf462bd2b5f84a7525575031de032db6df30925ef86ac1a9f4441ecce9f3/detection

greenspace1.com
html.gethompy.com
well-story.co.kr
/gnuboard4/bbs/pnger/
/gnuboard4/bbs/pnger/main.php
/gnuboard4/bbs/pnger/stdio.php

# Reference: https://asec.ahnlab.com/en/55145/

getara1.mygamesonline.org
pikaros2.r-e.kr

# Reference: https://twitter.com/0x0v1/status/1683434522413547521

bandi.tokyo
one.bandi.tokyo

# Reference: https://www.virustotal.com/gui/file/928e61590b2c4acf3991bd4327c5107c1cfd2604d992647c4e63bd1d620ff636/detection

partner24.kr/mokozy/hope/kk.php
/mokozy/hope/kk.php

# APK (generic trails: Android package file names as URL paths, no host)

/Kisa%20Vaccine.apk
/KisaAndroidSecurity.apk
