Kimsuky/APT43 Phishing Infrastructure: A Technical Evolution
Disclaimer
IMPORTANT: This document contains real IP addresses, domains, and technical indicators related to malicious activity. This information is provided for research, defensive, and educational purposes only. Readers are strongly encouraged to use this information responsibly and ethically. Do not attempt to access, scan, or interact with any of the mentioned infrastructure without proper authorization. Misuse of this information could potentially violate laws and regulations in various jurisdictions.
Introduction
This document provides a detailed technical walkthrough of the phishing infrastructure used by the Kimsuky/APT43 threat actor, based on forensic analysis of Apache web server log files leaked during the recent “APT Takedown”. The infrastructure shows a sophisticated, evolving operation that targeted South Korean government and military entities over a period of several months in 2025.
The analysis is based on extensive examination of:
- Apache access logs (access.log.1 through access.log.14.gz)
- Apache error logs (error.log.1 through error.log.14.gz)
- Virtual host configuration logs …
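As an added illustration of the kind of log examination described above (this script is not part of the original analysis or of the leaked material), the following Python parses Apache combined-format access log lines, picks out requests to the `request.php` tracking-pixel path that appears among the indicators below, and decodes the `i` query parameter on the assumption that it carries the base64-encoded recipient address, so a defender can identify which mailboxes were targeted. The log lines, IP addresses and mailbox are constructed; a truncated line is included because rotated logs commonly end mid-record.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample lines (documentation IPs, placeholder address); not from the leaked logs.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Mar/2025:09:14:22 +0900] "GET /request.php?i=dXNlckBleGFtcGxlLm9yZw==&dot.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2025:09:20:01 +0900] "GET /request.php?i=dXNlckBleGFtcGxlLm9yZw&dot.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Mar/2025:10:02:45 +0900] "GET /request.php?i=bm90LWFuLWVtYWls&dot.png HTTP/1.1" 200 68 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Mar/2025:10:03:10 +0900] "GET /generator.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.1 - - [03/Mar/2025:11:00:00 +0900] "GET /request.php?i=',   # truncated record at a rotation boundary
]

def decode_recipient(value):
    """Base64-decode the tracking parameter; return the address, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)          # tolerate '=' stripped from the URL
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def tracking_hits(lines):
    """Map recipient address -> [(source_ip, timestamp), ...] for tracking-pixel requests."""
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue                                  # skip malformed or truncated lines
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/request.php"):
            continue
        # Assumption: 'i' carries the base64-encoded recipient (the BASE64_EMAIL placeholder in the IoC list).
        for raw in parse_qs(url.query).get("i", []):
            email = decode_recipient(raw)
            if email:
                hits[email].append((m.group("ip"), m.group("ts")))
    return dict(hits)

if __name__ == "__main__":
    for email, events in tracking_hits(SAMPLE_LOG).items():
        print(email, "rendered the pixel from", sorted({ip for ip, _ in events}), "x", len(events))
```

Requests with an `i` value that does not decode to an address, and requests to other paths such as `generator.php`, are left out so the result lists only recipients whose mail client fetched the pixel.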
IoC