Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified
Published on
Oct 29, 2024
Hunt researchers recently uncovered evidence of a suspected North Korean-linked phishing campaign targeting Naver, a major South Korean tech platform. The initial discovery involved an open directory containing phishing pages crafted to steal Naver users' login credentials.
Separately, an unrelated infrastructure cluster was found using domains and certificates that impersonated Apple. Both findings align with tactics commonly linked to cyber operations by Democratic People's Republic of Korea (DPRK) actors.
Details of the Phishing Server
During a routine hunt for malicious infrastructure in AttackCapture™, our team identified an exposed directory at https://158.247.238[.]155/naver, hosted on The Constant Company ASN and located in Seoul. The server's file path, geographical location, and open directory prompted a deeper examination.
A closer look at the IP revealed that the server hosts more than 200 domains, a detail that will be covered …
IoC