Identifying North Korean Kimsuky (APT43) Infrastructure
By LCSC-IE, 17th June 2025
I recently came across a post on X in which “@freedomhack101” shared an IOC potentially related to Kimsuky. So what I wanted to do was try a quick pivot from this, which ultimately ended up leading me down a rabbit hole of Censys and URLscan tabs.
Starting with Censys, we can search for 158.247.215[.]121 to see what data we can observe.
As of 17th June, the services appear to have been recently removed, so what we can do is check the most recent services in the historic data, which in this case leads us to 15th June as the most recent date on which services were active.
On 15th June, the host was still active and exposing several services including HTTP (80/443), RDP (3389), WinRM (5985), and HTTP (5357). The IP, assigned to Vultr (AS20473), had reverse DNS resolving to 158.247.215[.]121.vultrusercontent[.]com and forward DNS pointing …
IoC
http://sejongcloude.store
http://158.247.204.137
http://coupick.co.kr
http://158.247.192.226
http://kpcon.site
http://27.102.138..10
http://158.247.215.121.vultrusercontent.com
https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_9_amata_rintaro_en.pdf
http://amaisens.site
http://158.247.242.206
http://nid.policegoalsvc.p-e.kr
http://wnsoidos.site
http://kpsa.site
http://nts.departmentedoc.r-e.kr
http://hometx.taxdepartmentsvc.kro.kr
http://brownsix.com
http://158.247.215.121
http://paegovhome.store
http://login.online-mexc.kro.kr
http://mail.ru.php
http://nxczins.site
http://141.164.51.224
http://naverworks.site
http://158.247.247.157
http://141.164.55.2
158.247.242.206
141.164.55.2
158.247.215.121
158.247.204.137
158.247.192.226
158.247.247.157
141.164.51.224
26ba5b01f614a215b948a5700338575412dcff2df972b7696b2c8c3f3b74a723
9947d3f5c4ea436c15a94373cb36e46ada68438d19e5f5fdb1c9bb55e9d140ff
04d14da053c42397c48a54fe61850ddc3a38156514f03759df59473383453042
9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed
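The indicators above are a mix of defanged IPs, bare IPs, URLs and SHA-256 hashes, which is awkward to feed straight into detection. The following is an added example (not the author's tooling, and not part of the original post) that normalises a subset of the list above into IP, domain and hash sets and then matches them against a few constructed DNS, proxy and EDR log lines; subdomains of a listed domain are treated as hits, so a lookup for a host under coupick.co.kr is flagged.

```python
"""Normalise mixed-form IoCs and match them against log lines.

Added example for illustration; the indicators are a subset of the list
on the page and the log lines are constructed, not real telemetry.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the page's indicators, in the forms they appear in:
# defanged IP, URLs, a bare IP and a SHA-256 hash.
RAW_IOCS = [
    "158.247.215[.]121",
    "http://sejongcloude.store",
    "http://158.247.204.137",
    "http://coupick.co.kr",
    "http://158.247.215.121.vultrusercontent.com",
    "http://nid.policegoalsvc.p-e.kr",
    "141.164.55.2",
    "26ba5b01f614a215b948a5700338575412dcff2df972b7696b2c8c3f3b74a723",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
# A token is anything that could be a hostname, IP or hash: letters,
# digits, dots and hyphens. Colons, slashes, '=' and backslashes split.
TOKEN_RE = re.compile(r"[0-9a-zA-Z][0-9a-zA-Z.\-]*")


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so the value is matchable."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def classify(raw: str):
    """Return (kind, normalised value): 'ip', 'domain' or 'sha256'."""
    v = refang(raw)
    if SHA256_RE.match(v):
        return "sha256", v.lower()
    host = urlsplit(v).hostname or "" if "://" in v else v
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        return "domain", host


def build_index(raw_iocs):
    """Bucket indicators by kind into sets for O(1) lookups."""
    idx = {"ip": set(), "domain": set(), "sha256": set()}
    for raw in raw_iocs:
        kind, val = classify(raw)
        if val:
            idx[kind].add(val)
    return idx


def scan_line(line: str, idx):
    """Return a list of (kind, indicator) hits found in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = tok.lower().rstrip(".")
        if t in idx["ip"]:
            hits.append(("ip", t))
        elif t in idx["sha256"]:
            hits.append(("sha256", t))
        else:
            # Exact domain match or any subdomain of a listed domain.
            for d in idx["domain"]:
                if t == d or t.endswith("." + d):
                    hits.append(("domain", d))
                    break
    return hits


def scan_logs(lines, idx):
    """Return [(line_index, hits)] for every line with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line, idx)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample log lines (DNS, proxy, EDR, and one benign line).
SAMPLE_LOGS = [
    "2025-06-15T10:02:11Z dns query src=10.0.0.23 qname=mail.coupick.co.kr qtype=A",
    "2025-06-15T10:02:12Z proxy src=10.0.0.23 dst=158.247.215.121:443 method=CONNECT",
    r"2025-06-15T10:05:40Z edr host=WS-17 file=C:\Users\a\invoice.exe "
    "sha256=26ba5b01f614a215b948a5700338575412dcff2df972b7696b2c8c3f3b74a723",
    "2025-06-15T10:06:00Z dns query src=10.0.0.24 qname=www.example.com qtype=A",
]

if __name__ == "__main__":
    index = build_index(RAW_IOCS)
    for i, hits in scan_logs(SAMPLE_LOGS, index):
        print(i, hits, SAMPLE_LOGS[i])
```

Two design points: the host is extracted from URLs with urlsplit rather than string slicing, so paths and ports never leak into the domain set, and IPs are validated with ipaddress so a hostname that merely looks numeric (such as 158.247.215.121.vultrusercontent.com) lands in the domain set, not the IP set.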