A Telegram Bot Token, an IPFS-Hosted Payload, and a BaoTa Panel in Guangdong: Inside a Second Kimsuky Phishing Cell
Telegram exfil token extracted from JavaScript, takedown-proof IPFS credential harvester, and a Chinese server management panel linking to Guangdong
Two days after we published our Kimsuky phishing factory investigation — 740 hostnames, 98 sequential subdomains, IP geofencing — @skocherhan flagged a second cluster of Kimsuky domains targeting webmail, Zoom meetings, and Naver accounts. We investigated expecting overlap. Instead, we found a completely separate operational cell with its own infrastructure, its own techniques, and two critical artifacts the first cell didn't expose: a Telegram bot token for real-time credential exfiltration, and an IPFS-hosted JavaScript harvester that makes traditional takedown impossible.
The Telegram Bot
Embedded in the Zoom phishing page's client-side JavaScript — in cleartext:
- Bot Token: 7756706006:AAFeJI-PAodEoxC-OMS1XHQFDv2XdR_tOFk
- Chat ID: -1002445522943
When a victim enters credentials on the fake Zoom meeting page, the JavaScript immediately POSTs the email, password, and victim's IP address (resolved via ipify.org) to this Telegram bot. The operator receives stolen credentials in real time on their phone.
With this token, a defender could monitor the channel, observe credential theft in progress, and potentially identify the operator's Telegram account.
The IPFS Harvester
Every webmail and Naver phishing page loads a 23KB obfuscated JavaScript file from IPFS:
CID: bafkreibo2imbts2at4vudcnu2frf4qxp62qjxm2zsesegokwe25jlebpde
IPFS — the InterPlanetary File System — is a distributed, content-addressed storage network. Once a file is pinned to IPFS, a copy lives on every node that has fetched it. There is no single server to send a takedown request to and no hosting provider to contact; the file persists as long as any node in the network still caches it. Because the CID is a hash of the file's contents, the same harvester resolves to the same CID through every public gateway, which also makes the CID itself a stable indicator to block or alert on.
This is a deliberate infrastructure choice. The phishing pages themselves can be taken down from their hosting, but the credential harvesting logic lives on IPFS and can be referenced from any new phishing page with a single script tag.
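The two artifacts above, the cleartext Telegram token in the Zoom page and the IPFS-hosted script tag in the webmail and Naver pages, are both detectable statically from the page source. The scanner below is an added example written for this post, not code from the original investigation or from the phishing kit: it runs the token, chat-ID, Telegram API, IPFS `<script src>` and ipify patterns over a page body and returns a verdict list. The token and CID regexes are assumptions based on the documented shapes (numeric bot id, colon, 35-character secret; base32 CIDv1 or base58 CIDv0 under an `/ipfs/` path), and the sample pages, token, chat ID and CID are constructed for the demonstration, not the live values from the campaign.

```python
import re
from typing import Dict, List

# Telegram bot token: <numeric bot id>:<35-char secret over [A-Za-z0-9_-]>.
# Shape assumed from public documentation; lookarounds avoid word-boundary
# failures when the secret ends in '-' or '_'.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,12}:[A-Za-z0-9_-]{35})(?![\w-])")
# Supergroup/channel chat IDs are negative and carry a -100 prefix.
TELEGRAM_CHAT_ID_RE = re.compile(r"(?<!\d)(-100\d{10})(?!\d)")
# The Bot API endpoint the harvester would call to deliver a message.
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot")
# <script src="...//<gateway>/ipfs/<CID>..."> with a CIDv1 (baf…, base32)
# or CIDv0 (Qm…, base58) content identifier.
IPFS_SCRIPT_RE = re.compile(
    r"""<script[^>]+src=["']([^"']*/ipfs/(baf[a-z2-7]{50,}|Qm[1-9A-HJ-NP-Za-km-z]{44})[^"']*)["']""",
    re.IGNORECASE,
)
# Victim IP enrichment via ipify, as described for the Zoom page.
IP_LOOKUP_RE = re.compile(r"api\.ipify\.org")

# Constructed sample values (NOT the campaign's real token, chat ID or CID).
SAMPLE_TOKEN = "1234567890:AAExampleConstructedToken_NotReal01"  # 35-char secret
SAMPLE_CHAT = "-1001234567890"
SAMPLE_CID = "bafkrei" + "example" * 7 + "exa"  # 59-char CIDv1-shaped string

# Constructed page mimicking the artifacts only as strings; no exfil logic.
SAMPLE_PAGE = (
    '<html><body><form id="login"><input name="email"><input name="password"></form>\n'
    '<script src="https://ipfs.io/ipfs/' + SAMPLE_CID + '"></script>\n'
    '<script>\n'
    'var token = "' + SAMPLE_TOKEN + '";\n'
    'var chat_id = "' + SAMPLE_CHAT + '";\n'
    'var exfil = "https://api.telegram.org/bot" + token + "/sendMessage";\n'
    'var ipsrc = "https://api.ipify.org?format=json";\n'
    '</script></body></html>'
)
# Constructed benign page for a negative check.
CLEAN_PAGE = '<html><body><script src="https://cdn.example.net/app.js"></script></body></html>'


def scan_page(html: str) -> Dict[str, object]:
    """Return extracted artifacts plus a list of verdict labels for one page."""
    findings: Dict[str, object] = {
        "telegram_tokens": TELEGRAM_TOKEN_RE.findall(html),
        "telegram_chat_ids": TELEGRAM_CHAT_ID_RE.findall(html),
        "telegram_api_refs": len(TELEGRAM_API_RE.findall(html)),
        "ipfs_script_cids": [m.group(2) for m in IPFS_SCRIPT_RE.finditer(html)],
        "ip_lookup_refs": len(IP_LOOKUP_RE.findall(html)),
    }
    verdicts: List[str] = []
    # A token next to the Bot API endpoint is the exfil pattern; a token alone
    # is still worth a ticket, since bots are rarely legitimate in login pages.
    if findings["telegram_tokens"] and findings["telegram_api_refs"]:
        verdicts.append("telegram-bot-exfil")
    elif findings["telegram_tokens"]:
        verdicts.append("telegram-token-present")
    if findings["ipfs_script_cids"]:
        verdicts.append("ipfs-hosted-script")
    # IP lookup only matters in combination with another harvesting signal.
    if verdicts and findings["ip_lookup_refs"]:
        verdicts.append("victim-ip-enrichment")
    findings["verdicts"] = verdicts
    return findings


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        result = scan_page(page)
        print(name, result["verdicts"], result["ipfs_script_cids"])
```

The extracted CID list is the piece to feed into gateway blocking or proxy alerting: a retooled phishing page that loads the same harvester will carry the same CID even if every domain around it changes.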
Four Campaigns, One Cell
| Campaign | Subdomains | Target |
|---|---|---|
| Roundcube Webmail | 6 (webmail-autho/authb/authblk on gcifa.com + sxgbk.com) | Corporate email credentials |
| Zoom Meeting | 2 (zoom-meeting on izzgw.com + myhscnow.com) | Meeting participants, corporate accounts |
| Naver Portal | 1+ | Korean personal accounts |
| OAuth with FingerprintJS | 2+ | Tracked credential harvesting |
The Zoom phishing pages include a hardcoded victim: Henan Tendeli Metallurgical Materials Co., Ltd — a Chinese metallurgical company with email sales01@htmmalufoil[.]com. This suggests targeted spearphishing of specific companies, not spray-and-pray.
The BaoTa Panel
The primary server's FTP certificate reveals:
O=BT-PANEL, L=Dongguan, ST=Guangdong, C=CN
BaoTa (BT-Panel) is a Chinese server management platform popular in mainland China. The certificate was generated in Dongguan, Guangdong Province. This is either a Chinese-operated server or infrastructure procured from a Chinese hosting provider that pre-installs BaoTa.
For a DPRK-attributed operation, Chinese infrastructure is expected — North Korean cyber operations frequently use Chinese hosting and transit providers.
Two Cells, One Campaign
This infrastructure is completely separate from our Blog Harvest investigation:
| Aspect | Blog Harvest (prior) | This Cell |
|---|---|---|
| IP | 158.247.219.150 (Vultr) | ColoCrossing AS36352 |
| Domains | 98 sequential DDNS | Registered domains (gcifa.com, sxgbk.com) |
| Hosting | US VPS | ColoCrossing + Chinese BaoTa |
| Exfil | Server-side | Telegram bot + IPFS JavaScript |
| Geofencing | Korean IPs only | Not observed |
| Targeting | Korean gov/finance | Webmail + Zoom + Chinese companies |
Same attribution (Kimsuky/APT43), different operational unit. This is consistent with how DPRK cyber operations are structured — multiple cells operating independently under the same strategic direction.
The Open Directory
linkgrid[.]ink — discovered through infrastructure pivoting — serves as a phishing asset repository with browsable directory listings. It hosts kits for Roundcube, Rackspace, and other services, active since May 2024. It shares the same Cloudflare account (asa/emerson NS pair) as ryship.com, linking multiple campaign domains to a single operator account.
Indicators of Compromise
Network Indicators
- webmail-autho/authb/authblk[.]gcifa[.]com
- webmail-autho/authb/authblk[.]sxgbk[.]com
- zoom-meeting[.]izzgw[.]com
- zoom-meeting[.]myhscnow[.]com
- spoint-share[.]pidware[.]com
- linkgrid[.]ink (phishing kit repository)
- 172[.]245[.]241[.]100 (primary)
Telegram Exfil
- Bot Token: 7756706006:AAFeJI-PAodEoxC-OMS1XHQFDv2XdR_tOFk
- Chat ID: -1002445522943
IPFS
- CID: bafkreibo2imbts2at4vudcnu2frf4qxp62qjxm2zsesegokwe25jlebpde
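The network indicators above use the compressed `webmail-autho/authb/authblk[.]gcifa[.]com` notation, which has to be expanded to three hostnames before it is useful in a resolver or proxy log search. The following is an added example, not tooling from the original post: it refangs the indicators, expands the slash-separated label alternatives, splits hostnames from IPs, and matches them against DNS and connection log lines (including subdomains of a listed domain, so a query for a new host under linkgrid.ink still fires). The log format (`query=` / `dst=` key-value fields) and the log lines themselves are constructed for the demonstration.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Indicators as published above (parentheticals dropped).
NETWORK_IOCS = [
    "webmail-autho/authb/authblk[.]gcifa[.]com",
    "webmail-autho/authb/authblk[.]sxgbk[.]com",
    "zoom-meeting[.]izzgw[.]com",
    "zoom-meeting[.]myhscnow[.]com",
    "spoint-share[.]pidware[.]com",
    "linkgrid[.]ink",
    "172[.]245[.]241[.]100",
]

# Constructed log lines in an assumed key=value format.
LOG_LINES = [
    "2025-01-01T10:11:12Z client=10.0.0.5 query=webmail-authb.gcifa.com type=A",
    "2025-01-01T10:11:13Z client=10.0.0.5 query=www.example.org type=A",
    "2025-01-01T10:11:14Z client=10.0.0.9 query=cdn.linkgrid.ink type=A",
    "2025-01-01T10:11:15Z client=10.0.0.9 dst=172.245.241.100 port=443",
    "2025-01-01T10:11:16Z client=10.0.0.2 query=zoom-meeting.izzgw.com type=A",
]


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in the IoC list."""
    return ioc.replace("[.]", ".").strip()


def expand_indicator(ioc: str) -> List[str]:
    """Expand 'webmail-autho/authb/authblk.gcifa.com' into one FQDN per alternative.

    The slash alternation lives in the first label; the part of that label
    before its last '-' is the shared stem (an assumption about the notation).
    """
    ioc = refang(ioc)
    first, _, rest = ioc.partition(".")
    if "/" not in first:
        return [ioc]
    prefix, dash, alts = first.rpartition("-")
    stem = prefix + "-" if dash else ""
    return [f"{stem}{alt}.{rest}" for alt in alts.split("/")]


def build_ioc_sets(iocs: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split expanded indicators into a hostname set and an IP set."""
    hosts: Set[str] = set()
    ips: Set[str] = set()
    for ioc in iocs:
        for value in expand_indicator(ioc):
            try:
                ips.add(str(ipaddress.ip_address(value)))
            except ValueError:
                hosts.add(value.lower())
    return hosts, ips


FIELD_RE = re.compile(r"\b(query|dst)=(\S+)")


def match_line(line: str, hosts: Set[str], ips: Set[str]) -> Optional[str]:
    """Return the indicator a log line matches, or None."""
    for field, value in FIELD_RE.findall(line):
        value = value.lower().rstrip(".")
        if field == "dst" and value in ips:
            return value
        if field == "query":
            if value in hosts:
                return value
            # Any subdomain of a listed domain counts as a hit on that domain.
            for host in hosts:
                if value.endswith("." + host):
                    return host
    return None


def scan_log(lines: List[str], iocs: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, matched indicator) pairs for every hit."""
    hosts, ips = build_ioc_sets(iocs)
    hits = []
    for i, line in enumerate(lines):
        matched = match_line(line, hosts, ips)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for idx, ioc in scan_log(LOG_LINES, NETWORK_IOCS):
        print(f"line {idx}: {ioc} <- {LOG_LINES[idx]}")
```

The suffix match is deliberate: the open-directory host is a kit repository, so any new label under it is as interesting as the apex, and the same logic catches a fourth `webmail-auth*` label that the next rotation of this cell might introduce under gcifa.com or sxgbk.com only if the apex itself is also listed, which is why a practitioner would typically add the two registered domains from the campaign table to the list.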
Detection
Six YARA rules and eleven Suricata signatures are available on our GitHub:
A Telegram token in cleartext. A credential harvester on IPFS that can't be taken down. A BaoTa panel certificate from Guangdong. Investigation conducted autonomously by GHOST -- Breakglass Intelligence.
h/t @skocherhan for the IOCs.