850 Hostnames, 6 Servers, 1 Kill Chain: Mapping Kimsuky's 2026 Korean Credential Harvesting Machine
DPRK's most prolific phishing operation targets Naver, NTS, NHIS, and NongHyup Bank across 49 domains and 30+ dynamic DNS providers — with a fully dumped phishing kit
When @skocherhan dropped a handful of dynv6[.]net subdomains on Twitter on April 12, 2026, the indicators looked like standard-issue Kimsuky credential phishing — sequential naming, Korean-targeting themes, geofenced delivery. We ran the first node through passive DNS and found 740 hostnames. Then a second tip came in. Then a third. Then @smica83 surfaced a CHM dropper campaign with an exposed C2 directory listing, and the "Million OK !!!!" server fingerprint confirmed what we suspected: all six nodes belonged to a single Kimsuky operational cell running one of the most extensive Korean credential harvesting campaigns we have documented.
What started as a routine phishing cluster investigation turned into a consolidated six-node campaign map …
IoC
rule Kimsuky_Phishing_Kit_Glype_PHProxy {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects Kimsuky modified Glype/PHProxy phishing kit components"
        date = "2026-04-17"
        reference = "https://intel.breakglass.tech"
        hash = "fbb36c3173a4b467fcc7fea566b3ddf7e72af8d5e45a8fd505ec21e61d160df9"
        tlp = "CLEAR"
    strings:
        $glype1 = "PHProxy" ascii
        $glype2 = "Glype" ascii
        $glype3 = "0.5b2" ascii
        $nsec1 = "Security Guard Code" ascii
        $nsec2 = "nsec.php" ascii
        $nsec3 = "Access Denied" ascii
        $naver1 = "naver.com" ascii
        $naver2 = "NID_JST" ascii
        $naver3 = "nid.naver" ascii
        $recon1 = "COMPUTERNAME" ascii
        $recon2 = "NUMBER_OF_PROCESSORS" ascii
        $recon3 = "confirm.php" ascii
        $telegram = "api.telegram.org" ascii
        $korea1 = /nhis[a-z]*\.(xyz|click|online|site)/ ascii
        $korea2 = "hometax" ascii nocase
        $korea3 = /nts[a-z]*\.(site|com)/ ascii
    condition:
        filesize < 5MB and (
            (2 of ($glype*) and any of ($naver*)) or
            (any of ($nsec*) and any of ($naver*) and any of ($recon*)) or
            ($telegram and any of ($naver*) and any of ($recon*)) or
            (2 of ($korea*) and any of ($nsec*))
        )
}

rule Kimsuky_Blog_Harvest_DDNS_Config {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects Kimsuky DDNS configuration patterns for blog/auth phishing"
        date = "2026-04-17"
        reference = "https://intel.breakglass.tech"
        tlp = "CLEAR"
    strings:
        $ddns1 = "dynv6.net" ascii
        $ddns2 = "mydns.bz" ascii
        $ddns3 = "dynuddns.com" ascii
        $ddns4 = "gleeze.com" ascii
        $ddns5 = "freeddns.org" ascii
        $pattern1 = /auth-umblog\d+s/ ascii
        $pattern2 = /chposting\d+s/ ascii
        $pattern3 = /blogrighof\d+id/ ascii
        $pattern4 = /mem-authcenter\d+s/ ascii
        $pattern5 = /n[a-z]*verify\.dynv6/ ascii
    condition:
        filesize < 1MB and (
            (2 of ($ddns*) and any of ($pattern*)) or
            (3 of ($pattern*))
        )
}

rule Kimsuky_NHIS_Phishing_Page {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects Kimsuky NHIS/NTS/NPS phishing page content"
        date = "2026-04-17"
        reference = "https://intel.breakglass.tech"
        tlp = "CLEAR"
    strings:
        $nhis1 = { EA B5 AD EB AF BC EA B1 B4 EA B0 95 EB B3 B4 ED 97 98 EA B3 B5 EB 8B A8 }
        $nts1 = { EA B5 AD EC 84 B8 EC B2 AD }
        $nps1 = { EA B5 AD EB AF BC EC 97 B0 EA B8 88 EA B3 B5 EB 8B A8 }
        $login1 = "naver.com" ascii
        $login2 = "NID_JST" ascii
        $login3 = "wreply=" ascii
        $suspicious1 = "recon.htm" ascii
        $suspicious2 = "nsec.php" ascii
    condition:
        filesize < 500KB and (
            (any of ($nhis*, $nts*, $nps*) and any of ($login*)) or
            (any of ($login*) and any of ($suspicious*))
        )
}

rule Kimsuky_CHM_Dropper_Node5 {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects Kimsuky CHM dropper campaign components (Node 5 - nid-log.com)"
        date = "2026-04-17"
        reference = "https://intel.breakglass.tech"
        tlp = "CLEAR"
        source = "@smica83"
    strings:
        $chm1 = "Condor_API" ascii wide
        $chm2 = "api_reference" ascii wide
        $chm3 = ".chm" ascii
        $c2_1 = "nid-log.com" ascii
        $c2_2 = "bootservice.php" ascii
        $c2_3 = "checkservice.php" ascii
        $c2_4 = "finalservice.php" ascii
        $c2_5 = "noreplymail.space" ascii
        $stage1 = "certutil" ascii nocase
        $stage2 = "Office_Config.xml" ascii
        $stage3 = "OfficeUpdater_" ascii
        $stage4 = "Links\\Link.ini" ascii
        $fingerprint = "Million OK" ascii
    condition:
        filesize < 2MB and (
            (any of ($chm*) and any of ($c2*)) or
            (2 of ($c2*)) or
            (any of ($c2*) and any of ($stage*)) or
            ($fingerprint and any of ($c2*))
        )
}