lazarusholic


DPRK Captive Portal Infrastructure Found in Testing

2026-05-26, NKInternet
https://nkinternet.com/2026/05/26/dprk-captive-portal-infrastructure-found-in-testing/
#OpSec

Taking a break from fake DPRK companies for a while, there was some interesting activity that I recently noticed on 175.45.176.97. Between May 14th and May 17th, a request to the root of the server at 175.45.176.97 returned a 302 and redirected to recoshield.com, which appears to be a South Korean company that manufactures paint and windshield protectors.
Headers from the server showed the following:
HTTP/1.1 302 Found
Date: Sun, 17 May 2026 17:09:19 GMT
Server: Apache/2.4.37 (Rocky Linux)
X-Powered-By: PHP/7.4.33
Location: https://www.recoshield.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8
I don’t think Rocky Linux has shown up in the DPRK IP range before. Now that alone might be interesting enough, but searching additional directories revealed a few other findings. Poking around the server revealed what appears to be some sort of captive portal framework that was accidentally left exposed to the internet.
/1/ – The Redirect
Viewing http://175.45.176.97/1/ showed a brief snippet of text before immediately loading the Google homepage. A couple of …

IoC

https://www.recoshield.com
http://175.45.176.97/1/
https://www.google.com/favicon.ico
175.45.176.97
03d340f83c70a18f06dd9b98055d08c2
b19fefb66cf87da9a792c55b9020a52a