Pulse name: Kimsuky Phishing Operations
TLP: WHITE | Adversary: Kimsuky | Author: AlienVault | Created: 2020-09-29 | Modified: 2020-10-29
90 IOCs (high volume)
TC has identified the infrastructure most likely associated with a targeted phishing attack, as part of our research into North Korea's Kimsuky group, which we suspect could be targeting victims for espionage purposes.
Indicators of Compromise (90)