lazarusholic

Everyday is lazarus.dayβ

Pivoting on DPRK IT Worker Infrastructure

2026-04-30, 4rchib4ld
https://plausible-deniability.co/blog/PullingTheThread-DPRKWorkers/
#ITWorker

Pulling the Thread: Pivoting on DPRK IT Worker Infrastructure
Team Cymru recently published a solid analysis of fake IT worker infrastructure, pivoting from luckyguys[.]site using X.509 certificates and NetFlow data. If you haven’t read it, start there.

One question came to mind after reading it: are there other domains following the same naming pattern, registered around the same time?

The search

I searched for domains following a luckyguys naming convention, combined with similar registration timing and exposed services. One result stood out: luckyguys[.]cloud. The domain was registered January 6, 2026, one month after luckyguys[.]site (December 2, 2025), with the same registrar (Hostinger).

[Image: luckyguys[.]site WHOIS record]
[Image: luckyguys[.]cloud WHOIS record]

It also hosts a Gitea instance. These characteristics are consistent with those observed on luckyguys[.]site.

[Image: git.luckyguys[.]site hosting a Gitea instance (source: Validin)]
[Image: luckyguys[.]cloud displaying a Gitea Welcome Page (via urlscan.io)]

What made it interesting

IP 45.15.167[.]146 hosts all luckyguys[.]cloud subdomains. Its PTR record resolves to rbluckyguys[.]com. And the exposed login panel references “RB …

IoC

http://rbluckyguys.com
http://clients.socket.luckyguys.cloud
http://admin.luckyguys.cloud
http://check.luckyguys.cloud
http://rustdesk.luckyguys.cloud
http://luckyguys.cloud
http://manage.luckyguys.cloud
http://msg.luckyguys.cloud
http://file.luckyguys.cloud
http://main.socket.luckyguys.cloud
http://ext.luckyguys.cloud
http://git.luckyguys.cloud
http://api.luckyguys.cloud
http://luckyguys.cloud/login
http://rdweb.luckyguys.cloud
http://message.luckyguys.cloud
http://socket.luckyguys.cloud
http://git.luckyguys.site
http://chat.luckyguys.cloud
http://45.15.167.146
http://cdn.luckyguys.cloud
http://luckyguys.site
http://luckyguys.site/login
45.15.167.146
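The IoC list above mixes URLs, hostnames and a bare IP, and the post's own pivot (new hosts appearing under the luckyguys naming pattern) suggests matching not just the listed names but anything under the listed apex domains. The following is an added example, not code from the original post or from the blog author: it normalises the list into exact hosts, apex domains and IPs, then checks constructed sample log lines against them. The apex heuristic (last two labels) is an assumption that holds for the TLDs in this list but not for multi-label suffixes; the log lines are constructed, not real telemetry.

```python
"""Turn the IoC list above into matchable indicators and check log lines
against them. Added example; not code from the original post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list above (URLs plus one bare IP).
IOCS = [
    "http://rbluckyguys.com", "http://clients.socket.luckyguys.cloud",
    "http://admin.luckyguys.cloud", "http://check.luckyguys.cloud",
    "http://rustdesk.luckyguys.cloud", "http://luckyguys.cloud",
    "http://manage.luckyguys.cloud", "http://msg.luckyguys.cloud",
    "http://file.luckyguys.cloud", "http://main.socket.luckyguys.cloud",
    "http://ext.luckyguys.cloud", "http://git.luckyguys.cloud",
    "http://api.luckyguys.cloud", "http://luckyguys.cloud/login",
    "http://rdweb.luckyguys.cloud", "http://message.luckyguys.cloud",
    "http://socket.luckyguys.cloud", "http://git.luckyguys.site",
    "http://chat.luckyguys.cloud", "http://45.15.167.146",
    "http://cdn.luckyguys.cloud", "http://luckyguys.site",
    "http://luckyguys.site/login", "45.15.167.146",
]

# Hostname: dotted labels ending in an alphabetic TLD, so dotted IPs never match here.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise_iocs(iocs):
    """Split IoCs into exact hostnames, registrable (apex) domains and IPs.

    Assumption: the apex is the last two labels. That holds for .com, .cloud
    and .site as listed here, but not for multi-label suffixes such as .co.uk;
    use a public-suffix list for general input.
    """
    hosts, apexes, ips = set(), set(), set()
    for ioc in iocs:
        host = urlsplit(ioc).hostname if "://" in ioc else ioc
        host = host.lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass  # not an IP literal, treat as a hostname
        hosts.add(host)
        apexes.add(".".join(host.split(".")[-2:]))
    return hosts, apexes, ips


def match_line(line, hosts, apexes, ips):
    """Return [(indicator, kind)] hits for one log line.

    kind is 'host' for an exact listed hostname, 'subdomain-of-apex' for a
    not-yet-listed name under a listed apex (the naming-pattern pivot from the
    post, applied defensively), or 'ip' for a listed address.
    """
    hits = []
    for candidate in HOST_RE.findall(line):
        c = candidate.lower()
        if c in hosts:
            hits.append((c, "host"))
        elif any(c == a or c.endswith("." + a) for a in apexes):
            hits.append((c, "subdomain-of-apex"))
    for candidate in IP_RE.findall(line):
        if candidate in ips:
            hits.append((candidate, "ip"))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2026-05-01T10:00:01Z dns client=10.0.0.5 query=rustdesk.luckyguys.cloud type=A",
    "2026-05-01T10:00:07Z proxy src=10.0.0.9 dst=new-node.luckyguys.cloud:443 action=allow",
    "2026-05-01T10:00:09Z fw src=10.0.0.9 dst=45.15.167.146 dport=3389 action=allow",
    "2026-05-01T10:00:12Z dns client=10.0.0.5 query=updates.example.com type=A",
]


def scan(lines, iocs=IOCS):
    """Return [(line_index, hits)] for every line with at least one hit."""
    hosts, apexes, ips = normalise_iocs(iocs)
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, hosts, apexes, ips)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, SAMPLE_LOGS[idx], hits)
```

The second sample line is the interesting one: new-node.luckyguys.cloud is not in the list, but it sits under a listed apex and is flagged as 'subdomain-of-apex', which is how a defender would catch infrastructure added after the IoCs were published. Bare IPs are matched separately because the hostname pattern deliberately excludes them.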