A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail
31 domains still actively resolve. The actor rotates through 7 DDNS providers to evade blocklisting while maintaining the same backend VPS for over 5 years.
Published: April 20, 2026
Author: Breakglass Intelligence
Tags: Kimsuky, APT43, DPRK, Credential Harvesting, Naver, Korean NTS, DDNS, Vultr Seoul
This is our sixth Kimsuky infrastructure post. Over the past several weeks, we have documented a pattern of Vultr Seoul VPS abuse by actors consistent with the Kimsuky cluster — from the 740-hostname phishing factory on 158.247.219.150, to the CHM/NidLog C2 payload recovery, to the Telegram bot and IPFS harvester cell, to the Udalyonka htdocs dump on 158.247.250.37.
Today we document a third Vultr Seoul VPS — 158.247.210.58 — with over 60 domains observed in passive DNS across 18 months, systematic impersonation of Naver, the Korean National Tax Service (NTS/HomeTax), and Korean …
IoC