216.73.217.22

A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

· Published 28/04/2026 10:06 · Modified 28/04/2026 14:35

Export JSON

Essential information

Published
28/04/2026 10:06
Modified
28/04/2026 14:35
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
apt43 credential harvesting ddns rotation dprk korean nts naver phishing infrastructure vultr seoul
Tags
2026-04-28 apt43 credential harvesting ddns rotation dprk korean nts naver phishing infrastructure vultr seoul
Related entities
45 indicators, 45 observables, 1 intrusion sets (apt), 47 others

Description

This analysis documents a third VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate , Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Indicators (45)

Observables (45)

  • johnnytogdstudio.xyz
  • htax-nid.mydns.vc
  • nts-login.n-auth.kro.kr
  • n-auth.nts-login.dns.navy
  • nts-auth.mydns.vc
  • n-user.ips-gov.dns.army
  • n-store.nts-user.kro.kr
  • n-login.htax-nid.dns.navy
  • nid-user.mydns.bz
  • n-cloud.nid-tax.kro.kr
  • tax-nid.mydns.bz
  • nuser-login.govkr.dns.army
  • n-user.htax-auth.kro.kr
  • htax-login.n-cloud.kro.kr
  • tax-login.n-corp.kro.kr
  • govkr-nid.tax-auth.dns.army
  • nid-store.mydns.bz
  • nuser-login.mydns.bz
  • nid-auth.n-cloud.dns.navy
  • nid-login.nts-gov.dns.army
  • govkr-tax.nid-auth.kro.kr
  • nid-login.mydns.vc
  • htax-login.nts-kr.dns.army
  • govkr-auth.mydns.bz
  • n-store.mydns.vc
  • n-corp.htax-auth.dns.navy
  • htax-nid.n-user.dns.navy
  • htax-login.mydns.vc
  • nts-nid.n-login.kro.kr
  • nts-login.mydns.vc
  • n-auth.mydns.bz
  • nid-user.nts-auth.dns.army
  • tax-login.mydns.vc
  • nid-store.govkr.dns.army
  • n-cloud.htax-store.dns.navy
  • n-cloud.mydns.bz
  • nid-nts.n-store.kro.kr
  • n-corp.mydns.bz
  • nid-gov.tax-store.kro.kr
  • ips-govkr.mydns.bz
  • n-store.tax-nid.dns.navy
  • nts-store.n-login.dns.navy
  • htax-user.govkr.kro.kr
  • tax-user.nid-gov.dns.army
  • mdlog.mydns.vc

Intrusion sets (APT) (1)

  • Kimsuky Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Others (47)

  • Finance
  • Government
  • nid-user.mydns.bz
  • nid-store.govkr.dns.army
  • nts-store.n-login.dns.navy
  • nuser-login.mydns.bz
  • n-cloud.htax-store.dns.navy
  • nid-auth.n-cloud.dns.navy
  • htax-login.nts-kr.dns.army
  • nts-nid.n-login.kro.kr
  • johnnytogdstudio.xyz
  • mdlog.mydns.vc
  • nid-store.mydns.bz
  • htax-login.mydns.vc
  • nid-user.nts-auth.dns.army
  • nts-login.mydns.vc
  • nid-login.mydns.vc
  • n-corp.htax-auth.dns.navy
  • tax-login.mydns.vc
  • htax-nid.mydns.vc
  • n-cloud.nid-tax.kro.kr
  • n-user.ips-gov.dns.army
  • htax-nid.n-user.dns.navy
  • tax-user.nid-gov.dns.army
  • n-store.mydns.vc
  • govkr-auth.mydns.bz
  • n-corp.mydns.bz
  • n-store.nts-user.kro.kr
  • nid-login.nts-gov.dns.army
  • n-login.htax-nid.dns.navy
  • tax-nid.mydns.bz
  • n-cloud.mydns.bz
  • govkr-tax.nid-auth.kro.kr
  • n-user.htax-auth.kro.kr
  • ips-govkr.mydns.bz
  • htax-login.n-cloud.kro.kr
  • n-auth.nts-login.dns.navy
  • htax-user.govkr.kro.kr
  • tax-login.n-corp.kro.kr
  • n-store.tax-nid.dns.navy
  • nuser-login.govkr.dns.army
  • nid-nts.n-store.kro.kr
  • nts-auth.mydns.vc
  • n-auth.mydns.bz
  • govkr-nid.tax-auth.dns.army
  • nts-login.n-auth.kro.kr
  • nid-gov.tax-store.kro.kr

External references