740 Hostnames, 98 Sequential Subdomains, and a Geofence That Only Lets Korea In: Inside a Kimsuky Phishing Factory

DPRK state-sponsored phishing at industrial scale targeting South Korean tax, banking, pension, Naver, and Kakao with IP geofencing and one-time SMS tokens

Published April 3, 2026

When @skocherhan flagged 158[.]247[.]219[.]150 with a note about malicious sites on VirusTotal, we expected a shared hosting server with some bad tenants. What we found was a purpose-built North Korean phishing factory impersonating South Korea's tax authority, national pension system, major banks, and the country's most popular web portals -- at a scale that dwarfs most phishing operations we've investigated.

740 unique phishing hostnames. 98 sequential subdomains on a single DDNS pattern. 49 registered domains. 12 operator IPs. And an IP geofence that returns 403 to anyone outside South Korea, ensuring that only the intended victims -- and no security researchers scanning from abroad -- ever see the phishing content.

The Scale

The target IP hosts 98 active subdomains following a sequential naming pattern:

auth-umblog1s.dynv6.net
auth-umblog2s.dynv6.net
auth-umblog3s.dynv6.net
...
auth-umblog98s.dynv6.net

Each subdomain serves a phishing page targeting a different victim or campaign wave. The sequential numbering suggests automated infrastructure provisioning -- the operator has a script that registers subdomains, configures the phishing kit, and deploys in bulk.

But the 98 sequential subdomains on this single IP are just the visible surface. Pivoting through OTX threat intelligence pulses and passive DNS data, we mapped 740 unique hostnames across 49 registered domains and 30+ DDNS providers -- all attributed to the same campaign with HIGH confidence.

Who They're Impersonating

The hostname patterns reveal precisely who Kimsuky is targeting:

Target                        Hostnames   Impersonation
National Tax Service (NTS)    91          Korean tax filing, refund notifications
Naver                         61          Korea's dominant web portal (email, search, news)
Auth/credential pages         240         Generic login harvesting
Invoice/document lures        236         Business document social engineering
NongHyup Bank / NHIS          17          Banking and health insurance
National Pension Service      12          Pension and social security
Kakao                         Confirmed   Korea's dominant messaging platform

The targeting is surgical. National Tax Service impersonation peaks during tax season. Naver and Kakao are the two platforms virtually every South Korean uses daily. NongHyup Bank and the National Pension Service handle financial transactions that generate legitimate notification emails -- perfect templates for phishing lures.

The Geofence

This is why surface-level scanning reports this IP as benign or "Access Denied."

The server performs IP-based geolocation on every request. If the source IP is not in a South Korean address range, the server returns HTTP 403. No phishing content. No login page. Just a rejection.

This means:

  • VirusTotal's scanners (mostly US/EU-based) see 403
  • URLhaus submissions show empty responses
  • Security researchers scanning from outside Korea see nothing
  • Only victims clicking links from South Korean IP space see the phishing pages

Combined with one-time session tokens delivered via SMS, each phishing URL works exactly once for exactly one victim. A researcher who obtains a URL from a victim report cannot replay it -- the token is consumed.

The Infrastructure

Twelve operator IPs support the campaign, seven of which expose RDP and WinRM -- Windows management protocols that confirm these are operator workstations, not just web servers.

The operators abuse 30+ Dynamic DNS providers to generate hostnames without registering domains. DDNS services provide free subdomains that can be created and destroyed in seconds, making infrastructure rotation trivial. The 49 registered domains supplement the DDNS hostnames for campaigns requiring more convincing URLs.

All infrastructure runs on The Constant Company (Vultr) -- AS20473. Vultr's VPS instances can be provisioned programmatically via API, enabling rapid infrastructure standup and teardown.

Attribution

HIGH confidence: Kimsuky (APT43) -- Democratic People's Republic of Korea

Three independent AlienVault OTX threat intelligence pulses attribute this infrastructure to Kimsuky. The attribution is corroborated by:

  • DDNS provider abuse pattern matching documented Kimsuky TTPs
  • South Korean government and financial institution targeting
  • IP geofencing to Korean address space
  • Sequential subdomain generation technique
  • One-time SMS token delivery mechanism
  • Infrastructure on Vultr (documented Kimsuky preference)

Kimsuky (also tracked as APT43, Velvet Chollima, Thallium, Black Banshee) is attributed to North Korea's Reconnaissance General Bureau (RGB). They specialize in credential harvesting and social engineering operations targeting South Korean government, military, academic, and think tank personnel.

1,206 IOCs

The full IOC set extracted from this investigation:

  • 740 unique hostnames
  • 49 registered domains
  • 12 C2/operator IPs
  • 350+ phishing URLs
  • All published in our STIX bundle and raw text files

Indicators of Compromise

Primary IP

  • 158[.]247[.]219[.]150 (Vultr, AS20473)

Sequential Pattern

  • auth-umblog[1-98]s[.]dynv6[.]net (98 active subdomains)

Detection

Detection rules and IOCs:

Hunt Queries

  • DNS queries matching auth-umblog*s.dynv6.net pattern
  • Connections to 158.247.219.150 from corporate endpoints
  • Any of the 740 hostnames or 49 domains in proxy/DNS logs
  • Full hostname and domain lists in the raw/ directory of our investigation
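One way to run the first three hunt queries above over resolver and proxy logs, as an added example rather than code from this investigation: the dynv6 pattern and the operator IP are the ones the report gives; the key=value log format and the log lines are constructed for the example, and it also flags sequence indices beyond 98, on the assumption that the operator's provisioning script keeps counting.

```python
import re

# Indicators from the report; the log format below is a constructed assumption.
OPERATOR_IP = "158.247.219.150"
SEQ_HOST = re.compile(r"^auth-umblog(\d+)s\.dynv6\.net$", re.IGNORECASE)
KNOWN_RANGE = range(1, 99)  # auth-umblog[1-98]s observed on the primary IP

# Constructed key=value lines (DNS resolver and proxy), not real telemetry.
SAMPLE_LOGS = [
    "ts=2026-04-01T09:12:03Z src=10.1.4.22 qname=auth-umblog17s.dynv6.net",
    "ts=2026-04-01T09:12:05Z src=10.1.4.22 dst=158.247.219.150 url=https://auth-umblog17s.dynv6.net/login",
    "ts=2026-04-01T09:13:11Z src=10.1.4.31 qname=mail.example.com",
    "ts=2026-04-01T09:14:40Z src=10.1.4.57 qname=auth-umblog120s.dynv6.net",
    "ts=2026-04-01T09:15:02Z src=10.1.4.57 dst=203.0.113.9 url=https://www.example.com/",
]


def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def sequence_index(hostname):
    """Return the numeric index if hostname matches the sequential DDNS pattern, else None."""
    m = SEQ_HOST.match(hostname or "")
    return int(m.group(1)) if m else None


def hostname_of(rec):
    """Pull the hostname from either a DNS query record or a proxy URL record."""
    if "qname" in rec:
        return rec["qname"]
    if "url" in rec:
        return re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]
    return None


def hunt(lines):
    """Return (source endpoint, reason) hits for the report's indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        host = hostname_of(rec)
        idx = sequence_index(host)
        if idx is not None:
            # Index past 98 is still the same generator, so flag it as a new wave.
            tag = "known-range" if idx in KNOWN_RANGE else "new-index"
            hits.append((rec["src"], f"ddns-pattern {host} ({tag})"))
        if rec.get("dst") == OPERATOR_IP:
            hits.append((rec["src"], f"operator-ip {OPERATOR_IP}"))
    return hits
```

Feeding the full 740-hostname list from the raw/ directory into a set lookup alongside the regex covers the third query in the same loop.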

h/t @skocherhan for flagging the IP.