A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail
31 domains still actively resolve. The actor rotates through 7 DDNS providers to evade blocklisting while maintaining the same backend VPS for over 5 years.
Published: April 20, 2026 Author: Breakglass Intelligence Tags: Kimsuky, APT43, DPRK, Credential Harvesting, Naver, Korean NTS, DDNS, Vultr Seoul
This is our sixth Kimsuky infrastructure post. Over the past several weeks, we have documented a pattern of Vultr Seoul VPS abuse by actors consistent with the Kimsuky cluster — from the 740-hostname phishing factory on 158.247.219.150, to the CHM/NidLog C2 payload recovery, to the Telegram bot and IPFS harvester cell, to the Udalyonka htdocs dump on 158.247.250.37.
Today we document a third Vultr Seoul VPS — 158.247.210.58 — with over 60 domains observed in passive DNS across 18 months, systematic impersonation of Naver, the Korean National Tax Service (NTS/HomeTax), and Korean government portals, and historical records placing this box under actor control since at least September 2020.
Credit to @skocherhan for the initial tip on this IP and for extensive prior IOC sharing across multiple OTX pulses. Their work cataloging Kimsuky infrastructure has been invaluable to researchers across the community.
Infrastructure Summary
| Attribute | Value |
|---|---|
| IP Address | 158.247.210.58 |
| ASN | AS20473 (The Constant Company / Vultr) |
| Hosting Region | Seoul, South Korea |
| First Seen | September 2020 (johnnytogdstudio[.]xyz) |
| Active Domain Window | October 2025 – April 2026 (18 months of DDNS rotation) |
| Total Domains Observed | 60+ |
| Currently Resolving | 31 |
| Web Ports (Current) | Closed / Filtered |
| Status | Parked — infrastructure ready to reactivate |
This is the third Vultr Seoul VPS we have documented for this cluster. The other two:
- 158.247.219.150 — 740 hostnames, 98 sequential subdomains, geofenced Korean phishing (post)
- 158.247.250.37 — Udalyonka htdocs dump, post-Phrack operational server (post)
All three sit in the same Vultr Seoul AS20473 allocation. The actor shows a clear preference for this provider and region — placing C2 and phishing infrastructure geographically close to South Korean targets to minimize latency and blend with legitimate Korean hosting.
Domain Naming Patterns
The 60+ domains fall into three systematic impersonation categories:
Naver Impersonation
Naver is South Korea's dominant portal — search, email, cloud storage, shopping. Kimsuky's credential harvesting campaigns overwhelmingly target Naver accounts. The domains on this box use prefixes designed to pass casual inspection in a URL bar or phishing email:
- nid-user — mimics Naver's NID (Naver ID) authentication system
- n-store — mimics Naver Store / Shopping
- nuser-login — generic Naver login portal
- n-cloud — mimics Naver Cloud Platform
- n-corp — mimics Naver corporate services
- nversg — abbreviated "Naver" variant
Korean National Tax Service (NTS / HomeTax)
South Korea's National Tax Service operates the HomeTax (홈택스) online filing system, used by virtually every Korean taxpayer and business. Tax season phishing is a known Kimsuky tactic:
- nts- — National Tax Service prefix
- tax- — generic tax service
- htax- — HomeTax abbreviation
- nts-auth — NTS authentication portal
Korean Government
Broader government service impersonation:
- govkr — mimics go.kr, the Korean government domain
- ips- — mimics various government information systems
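The naming vocabulary above is usable as a detection heuristic on DNS query logs, provided it is combined with the zone the hostname sits under. The following is an added example (our own illustration, not code from the Breakglass post or its authors): it extracts the actor-controlled labels from a hostname under one of the seven DDNS zones the post lists, tags them with the impersonation category each token implies, and runs that over a few constructed resolver log lines. The token-to-category map and the log line format are assumptions; the zone list and the prefixes come from the post. It also handles the two-level label form the inventory shows (n-store.nskrm.dynv6.net, nid-user.nts-auth.dns.army), which the bullet lists above do not spell out.

```python
"""Tag hostnames under known DDNS zones with the impersonation category their labels imply.

Added example, not from the Breakglass post. The zone list and prefixes are the
post's; the category map, the log format and the sample lines are constructed.
"""
import re
from dataclasses import dataclass

# DDNS parent zones named in the post. Matching is done on the suffix so that
# hostnames with extra actor-chosen levels (n-store.nskrm.dynv6.net) still match.
DDNS_ZONES = ("mydns.vc", "mydns.bz", "mydns.jp", "dynv6.net",
              "dns.army", "dns.navy", "kro.kr")

# Label tokens (split on '-') mapped to the post's three impersonation categories.
# This map is an assumption of the example; it is a heuristic, not an allowlist.
TOKEN_CATEGORY = {
    "nid": "Naver NID", "nuser": "Naver login", "nversg": "Naver",
    "n": "Naver",                      # n-store, n-cloud, n-corp, n-login, n-auth ...
    "nts": "NTS", "tax": "Tax", "htax": "HomeTax",
    "govkr": "Korean government", "ips": "Korean government",
}

# Constructed resolver log format: one query per line with a qname= field.
QNAME_RE = re.compile(r"\bqname=(\S+)")


@dataclass
class Match:
    hostname: str
    zone: str
    categories: tuple   # empty tuple = under a listed zone, but no known token
    labels: tuple       # the actor-controlled labels left of the zone


def split_ddns(hostname: str):
    """Return (actor labels, zone) if hostname is under a listed zone, else None."""
    h = hostname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if h == zone or h.endswith("." + zone):
            prefix = "" if h == zone else h[: -len(zone) - 1]
            return tuple(l for l in prefix.split(".") if l), zone
    return None


def classify(hostname: str):
    """Match for any hostname under a listed zone; categories are filled from its tokens."""
    parts = split_ddns(hostname)
    if parts is None:
        return None
    labels, zone = parts
    cats = []
    for label in labels:
        for token in label.split("-"):
            cat = TOKEN_CATEGORY.get(token)
            if cat and cat not in cats:
                cats.append(cat)
    return Match(hostname, zone, tuple(cats), labels)


def scan_log(text: str):
    """Return one Match per query whose qname sits under a listed DDNS zone."""
    hits = []
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if m and (match := classify(m.group(1))) is not None:
            hits.append(match)
    return hits


# Constructed sample; the third and fifth qnames are from the post's inventory.
SAMPLE_LOG = """\
2026-04-18T09:12:03Z client=10.0.4.21 qname=nid-user.nts-auth.dns.army qtype=A
2026-04-18T09:12:05Z client=10.0.4.21 qname=www.naver.com qtype=A
2026-04-18T09:13:40Z client=10.0.7.9 qname=htax-login.n-cloud.kro.kr qtype=A
2026-04-18T09:14:02Z client=10.0.7.9 qname=updates.example.com qtype=AAAA
2026-04-18T09:15:11Z client=10.0.2.2 qname=mdlog.mydns.vc qtype=A
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        strength = "naming+zone" if hit.categories else "zone-only"
        print(f"{hit.hostname:40} {hit.zone:10} {strength:12} {', '.join(hit.categories)}")
```

A hit with categories is the stronger signal; a zone-only hit (mdlog.mydns.vc in the sample) is worth keeping because free DDNS zones are rarely seen in enterprise resolver logs, but it needs corroboration, ideally the answer section resolving to 158.247.210.58. The single-letter "n" token is deliberately loose and will produce some noise on legitimate kro.kr subdomains; tune the map to your environment.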
DDNS Provider Rotation
One of the most operationally interesting aspects of this box is the deliberate rotation through DDNS providers over the 18-month observation window. Rather than registering traditional domains, the actor exclusively uses dynamic DNS services — cheap, disposable, and requiring no identity verification.
| Period | DDNS Providers Used |
|---|---|
| Oct – Dec 2025 | mydns[.]vc, mydns[.]bz |
| Jan – Feb 2026 | mydns[.]bz |
| Feb – Mar 2026 | mydns[.]vc, mydns[.]jp, dynv6[.]net |
| Mar – Apr 2026 | dynv6[.]net, dns[.]army, dns[.]navy, kro[.]kr |
The rotation pattern suggests the actor migrates to new DDNS providers as old ones are flagged or reported. The shift from the mydns family to dynv6.net and then to the more obscure dns.army / dns.navy / kro.kr services in March–April 2026 may indicate awareness of blocklisting on earlier providers.
The kro.kr domain is notable — it is a Korean free subdomain service, adding another layer of legitimacy for Korean-language phishing campaigns.
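A provider-rotation table like the one above is derived from per-hostname first-seen / last-seen windows in passive DNS. The following added example (our own, not code from the post or its authors) shows that derivation: it expands each observation window into the months it covers, collapses hostnames to their DDNS zone, and reports which zones were live each month, when each zone first appeared, and the month-over-month additions and drops. The records are constructed from a handful of the post's inventory entries with assumed dates, not a real passive DNS export.

```python
"""Build a month-by-month DDNS provider timeline from passive DNS windows.

Added example, not from the Breakglass post. RECORDS are constructed from the
post's inventory with assumed first/last-seen dates; the zone list is the post's.
"""
from collections import defaultdict
from datetime import date

DDNS_ZONES = ("mydns.vc", "mydns.bz", "mydns.jp", "dynv6.net",
              "dns.army", "dns.navy", "kro.kr")

# (hostname, first_seen, last_seen) - constructed sample, dates are assumptions.
RECORDS = [
    ("nid-login.mydns.vc",          "2025-10-01", "2025-12-31"),
    ("nid-user.mydns.bz",           "2025-10-01", "2026-02-28"),
    ("n-login.mydns.jp",            "2026-02-01", "2026-03-31"),
    ("n-store.dynv6.net",           "2026-02-01", "2026-03-31"),
    ("n-store.nskrm.dynv6.net",     "2026-03-01", "2026-04-20"),
    ("nid-user.nts-auth.dns.army",  "2026-03-01", "2026-04-20"),
    ("n-cloud.htax-store.dns.navy", "2026-03-01", "2026-04-20"),
    ("nts-login.n-auth.kro.kr",     "2026-03-01", "2026-04-20"),
    ("johnnytogdstudio.xyz",        "2020-09-01", "2021-06-30"),  # not DDNS; ignored
]


def zone_of(hostname: str):
    """The DDNS zone a hostname sits under, or None for a traditional domain."""
    h = hostname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if h == zone or h.endswith("." + zone):
            return zone
    return None


def months_between(first: str, last: str):
    """Inclusive list of 'YYYY-MM' months covered by an ISO date window."""
    f, l = date.fromisoformat(first), date.fromisoformat(last)
    y, m, out = f.year, f.month, []
    while (y, m) <= (l.year, l.month):
        out.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


def provider_timeline(records):
    """{'YYYY-MM': sorted zones with at least one hostname observed that month}."""
    timeline = defaultdict(set)
    for host, first, last in records:
        zone = zone_of(host)
        if zone is None:
            continue
        for month in months_between(first, last):
            timeline[month].add(zone)
    return {month: sorted(zones) for month, zones in sorted(timeline.items())}


def provider_introductions(records):
    """[(zone, month)] ordered by the month each provider is first used."""
    first_use = {}
    for month, zones in provider_timeline(records).items():
        for zone in zones:
            first_use.setdefault(zone, month)
    return sorted(first_use.items(), key=lambda kv: (kv[1], kv[0]))


def rotation_events(records):
    """[(month, zones added, zones dropped)] for every month the provider set changes."""
    events, prev = [], set()
    for month, zones in provider_timeline(records).items():
        cur = set(zones)
        if cur != prev:
            events.append((month, sorted(cur - prev), sorted(prev - cur)))
        prev = cur
    return events


if __name__ == "__main__":
    for month, zones in provider_timeline(RECORDS).items():
        print(month, ", ".join(zones))
    for month, added, dropped in rotation_events(RECORDS):
        print(f"{month}: +{added} -{dropped}")
```

Run on a full passive DNS export for the IP, the introductions list is the rotation story in one line per provider, and the rotation events are the natural trigger for re-checking blocklist coverage: a newly introduced zone is the one least likely to be on anyone's list yet.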
Full Domain Inventory
The following table represents all domains observed resolving to 158.247.210.58 during the October 2025 – April 2026 window. Domains marked Active were still resolving at time of publication.
Currently Resolving (31 domains)
| Domain | Category | DDNS Provider | Status |
|---|---|---|---|
| ntdersg[.]mydns[.]jp | Naver/NTS | mydns.jp | Active |
| nversg[.]mydns[.]jp | Naver | mydns.jp | Active |
| n-store[.]nskrm[.]dynv6[.]net | Naver Store | dynv6.net | Active |
| mdlog[.]mydns[.]vc | Logging/Exfil | mydns.vc | Active |
| nid-user[.]nts-auth[.]dns[.]army | NTS Auth | dns.army | Active |
| n-cloud[.]htax-store[.]dns[.]navy | HomeTax | dns.navy | Active |
| nid-login[.]nts-gov[.]dns[.]army | NTS/Gov | dns.army | Active |
| n-corp[.]htax-auth[.]dns[.]navy | HomeTax Corp | dns.navy | Active |
| nuser-login[.]govkr[.]dns[.]army | Gov Login | dns.army | Active |
| n-store[.]tax-nid[.]dns[.]navy | Tax/Store | dns.navy | Active |
| htax-login[.]nts-kr[.]dns[.]army | HomeTax Login | dns.army | Active |
| nid-auth[.]n-cloud[.]dns[.]navy | Naver Cloud | dns.navy | Active |
| n-user[.]ips-gov[.]dns[.]army | Gov IPS | dns.army | Active |
| nts-store[.]n-login[.]dns[.]navy | NTS Store | dns.navy | Active |
| govkr-nid[.]tax-auth[.]dns[.]army | Gov/Tax Auth | dns.army | Active |
| n-login[.]htax-nid[.]dns[.]navy | HomeTax NID | dns.navy | Active |
| tax-user[.]nid-gov[.]dns[.]army | Tax/Gov | dns.army | Active |
| n-auth[.]nts-login[.]dns[.]navy | NTS Login | dns.navy | Active |
| nid-store[.]govkr[.]dns[.]army | Gov Store | dns.army | Active |
| htax-nid[.]n-user[.]dns[.]navy | HomeTax NID | dns.navy | Active |
| nts-login[.]n-auth[.]kro[.]kr | NTS Login | kro.kr | Active |
| n-cloud[.]nid-tax[.]kro[.]kr | Naver/Tax | kro.kr | Active |
| htax-user[.]govkr[.]kro[.]kr | HomeTax/Gov | kro.kr | Active |
| nid-nts[.]n-store[.]kro[.]kr | NTS/Store | kro.kr | Active |
| tax-login[.]n-corp[.]kro[.]kr | Tax/Corp | kro.kr | Active |
| n-user[.]htax-auth[.]kro[.]kr | HomeTax Auth | kro.kr | Active |
| nts-nid[.]n-login[.]kro[.]kr | NTS/NID | kro.kr | Active |
| govkr-tax[.]nid-auth[.]kro[.]kr | Gov/Tax | kro.kr | Active |
| n-store[.]nts-user[.]kro[.]kr | NTS/Store | kro.kr | Active |
| htax-login[.]n-cloud[.]kro[.]kr | HomeTax/Cloud | kro.kr | Active |
| nid-gov[.]tax-store[.]kro[.]kr | Gov/Tax | kro.kr | Active |
Historical / No Longer Resolving (30+ domains)
| Domain | Category | DDNS Provider | Observation Period |
|---|---|---|---|
| nid-login[.]mydns[.]vc | Naver Login | mydns.vc | Oct – Dec 2025 |
| n-store[.]mydns[.]vc | Naver Store | mydns.vc | Oct – Nov 2025 |
| nts-auth[.]mydns[.]vc | NTS Auth | mydns.vc | Oct – Dec 2025 |
| htax-login[.]mydns[.]vc | HomeTax Login | mydns.vc | Nov – Dec 2025 |
| nid-user[.]mydns[.]bz | Naver NID | mydns.bz | Oct 2025 – Feb 2026 |
| n-cloud[.]mydns[.]bz | Naver Cloud | mydns.bz | Nov 2025 – Jan 2026 |
| govkr-auth[.]mydns[.]bz | Gov Auth | mydns.bz | Dec 2025 – Feb 2026 |
| tax-nid[.]mydns[.]bz | Tax/NID | mydns.bz | Jan – Feb 2026 |
| nuser-login[.]mydns[.]bz | Naver Login | mydns.bz | Oct – Dec 2025 |
| n-corp[.]mydns[.]bz | Naver Corp | mydns.bz | Nov 2025 – Jan 2026 |
| nts-login[.]mydns[.]vc | NTS Login | mydns.vc | Nov – Dec 2025 |
| htax-nid[.]mydns[.]vc | HomeTax NID | mydns.vc | Dec 2025 |
| n-auth[.]mydns[.]bz | Naver Auth | mydns.bz | Jan – Feb 2026 |
| nid-store[.]mydns[.]bz | Naver Store | mydns.bz | Dec 2025 – Jan 2026 |
| tax-login[.]mydns[.]vc | Tax Login | mydns.vc | Oct – Nov 2025 |
| ips-govkr[.]mydns[.]bz | Gov IPS | mydns.bz | Jan – Feb 2026 |
| n-login[.]mydns[.]jp | Naver Login | mydns.jp | Feb – Mar 2026 |
| nts-user[.]mydns[.]jp | NTS User | mydns.jp | Feb – Mar 2026 |
| htax-auth[.]mydns[.]jp | HomeTax Auth | mydns.jp | Feb – Mar 2026 |
| nid-tax[.]mydns[.]jp | NID/Tax | mydns.jp | Mar 2026 |
| n-store[.]dynv6[.]net | Naver Store | dynv6.net | Feb – Mar 2026 |
| govkr-login[.]dynv6[.]net | Gov Login | dynv6.net | Mar 2026 |
| nts-nid[.]dynv6[.]net | NTS/NID | dynv6.net | Mar 2026 |
| htax-store[.]dynv6[.]net | HomeTax Store | dynv6.net | Mar 2026 |
| n-user[.]dynv6[.]net | Naver User | dynv6.net | Feb – Mar 2026 |
| johnnytogdstudio[.]xyz | Unknown (historical) | Traditional | Sep 2020 – Jun 2021 |
The 5-Year Trail
The oldest passive DNS record for 158.247.210.58 ties back to johnnytogdstudio[.]xyz, which resolved to this IP from approximately September 2020 through June 2021. This places the VPS under actor control for over five years — a remarkably long tenure for a single cloud VPS.
The gap between June 2021 and October 2025 does not necessarily mean the box was idle. DDNS domains leave lighter passive DNS footprints than traditional domains, and the box may have been in active use during this period with domains that were not captured by the passive DNS sources available to us.
A five-year VPS is operationally significant. Monthly Vultr billing requires a payment method, and maintaining a single box this long suggests either a compromised payment instrument with a long lifespan or operational accounts that the actor considers safe from takedown.
Attribution and Clustering
We assess with high confidence that 158.247.210.58 belongs to the same operational cluster as the two previously documented Vultr Seoul boxes. The basis for this assessment:
- Same ASN and region — AS20473 (Vultr), Seoul datacenter, consistent with all prior boxes
- Identical domain naming conventions — nid-, n-store, n-cloud, nts-, htax- prefixes match the vocabulary observed on 158.247.219.150 and 158.247.250.37
- DDNS provider overlap — mydns family and dynv6.net usage consistent with prior infrastructure
- Target set — Exclusive focus on Naver, NTS/HomeTax, and Korean government — the canonical Kimsuky target triad
- Consistency with known reporting — Matches the "Million OK!!!!" pattern documented by Hunt.io and aligns with indicators in FBI Flash AC-000001-MW (January 2026)
@skocherhan has published 4 OTX pulses referencing this IP with up to 1,160 indicators across the cluster. Their longitudinal tracking of Kimsuky DDNS infrastructure has been instrumental in mapping the scope of this operation.
Current Operational Status
As of April 20, 2026:
- All web-facing ports (80, 443, 8080, 8443) are closed or filtered — no active phishing pages are being served
- 31 domains still actively resolve to 158.247.210.58
- DNS records are being maintained — the actor is keeping these domains pointed at the box
This is a parked and ready posture. The actor has pre-staged domain infrastructure that can be activated in minutes by opening a web port and deploying phishing kits. The domains are already built with convincing naming and distributed across multiple DDNS providers for redundancy.
This pattern — maintaining dormant infrastructure with live DNS — is consistent with Kimsuky's operational tempo. Campaigns are activated for brief windows during phishing pushes (often aligned with Korean tax deadlines, corporate reporting periods, or geopolitical events), then ports are closed while the DNS stays warm.
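The parked-with-live-DNS posture described above is what a defender should be watching for changes in: the moment a web port opens on a domain that still resolves to the box is the reactivation signal. The following added example (our own, not code from the post or its authors) is the state-tracking half of such a watch. It takes dated observations of each domain (answer addresses and reachable web ports), classifies each as parked, live or dropped relative to 158.247.210.58, and reports only the transitions. The observations are constructed; gathering them with your own resolver and port-probe tooling is assumed.

```python
"""Report parked / live / dropped transitions for domains pointed at a watched IP.

Added example, not from the Breakglass post. The watched IP and the web ports
are the post's; the Observation records below are constructed sample data.
"""
from dataclasses import dataclass

WATCHED_IP = "158.247.210.58"
WEB_PORTS = {80, 443, 8080, 8443}   # the ports the post reports as closed/filtered


@dataclass(frozen=True)
class Observation:
    when: str                      # ISO date of the check
    domain: str
    addresses: tuple               # A records returned; () if no answer
    open_ports: frozenset = frozenset()   # web ports that accepted a connection


def state_of(obs: Observation) -> str:
    """'dropped' if the domain no longer points at the box, else 'live' or 'parked'."""
    if WATCHED_IP not in obs.addresses:
        return "dropped"
    return "live" if obs.open_ports & WEB_PORTS else "parked"


def transitions(observations):
    """[(when, domain, old_state, new_state)] in time order, one entry per change.

    A domain that never pointed at the watched IP during the window produces
    nothing; the first time it does point there is reported with old_state None.
    """
    last, out = {}, []
    for obs in sorted(observations, key=lambda o: (o.when, o.domain)):
        new = state_of(obs)
        old = last.get(obs.domain)
        if old is None and new == "dropped":
            continue
        if old != new:
            out.append((obs.when, obs.domain, old, new))
        last[obs.domain] = new
    return out


def reactivations(observations):
    """Only the transitions into 'live': the reactivation alerts."""
    return [t for t in transitions(observations) if t[3] == "live"]


# Constructed sample: two active-inventory domains plus one historical domain
# that no longer resolves. On 2026-04-20 a web port is seen open, then closes.
SAMPLE = [
    Observation("2026-04-18", "nid-user.nts-auth.dns.army", (WATCHED_IP,)),
    Observation("2026-04-18", "n-store.nskrm.dynv6.net", (WATCHED_IP,)),
    Observation("2026-04-18", "nid-login.mydns.vc", ()),
    Observation("2026-04-19", "nid-user.nts-auth.dns.army", (WATCHED_IP,)),
    Observation("2026-04-20", "nid-user.nts-auth.dns.army", (WATCHED_IP,), frozenset({443})),
    Observation("2026-04-20", "n-store.nskrm.dynv6.net", (WATCHED_IP,)),
    Observation("2026-04-21", "nid-user.nts-auth.dns.army", (WATCHED_IP,)),
]

if __name__ == "__main__":
    for when, domain, old, new in transitions(SAMPLE):
        print(f"{when} {domain:32} {old} -> {new}")
    for when, domain, _, _ in reactivations(SAMPLE):
        print(f"ALERT {when}: {domain} is serving on a web port")
```

Because the actor opens ports for brief windows, the check interval matters more than the code: a daily probe can miss a campaign entirely, so pair this with resolver-log matching on the domain set rather than relying on probing alone. A transition from parked to dropped is also worth recording, since it is the first sign the actor has abandoned a zone.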
What This Report Adds to the Public Record
Kimsuky's use of DDNS services and Vultr Seoul infrastructure is well-documented by multiple research teams, including Hunt.io, AhnLab, and numerous independent researchers. @skocherhan's OTX pulses already catalog many of these indicators.
What this post contributes:
- A third Vultr Seoul node mapped to the same operational cluster, expanding the known infrastructure footprint
- 18-month DDNS rotation timeline showing deliberate provider migration as a detection evasion technique
- Full domain inventory with categorization by impersonation target and observation window
- 5-year infrastructure tenure evidence via the johnnytogdstudio[.]xyz historical record
- Current operational status — parked with 31 live domains, ready for reactivation
Researchers with additional passive DNS data covering the June 2021 – October 2025 gap for this IP are encouraged to reach out. There are likely additional domains from that period that would further illuminate this actor's operational patterns.
IOC Table
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 158.247.210[.]58 | Primary C2/phishing VPS (Vultr Seoul, AS20473) |
| Domain | johnnytogdstudio[.]xyz | Historical domain, Sep 2020 – Jun 2021 |
| Domain | ntdersg[.]mydns[.]jp | Active, Naver/NTS impersonation |
| Domain | nversg[.]mydns[.]jp | Active, Naver impersonation |
| Domain | n-store[.]nskrm[.]dynv6[.]net | Active, Naver Store impersonation |
| Domain | mdlog[.]mydns[.]vc | Active, logging/exfiltration |
| Domain | nid-user[.]nts-auth[.]dns[.]army | Active, NTS authentication impersonation |
| Domain | n-cloud[.]htax-store[.]dns[.]navy | Active, HomeTax impersonation |
| Domain | nid-login[.]nts-gov[.]dns[.]army | Active, NTS/Gov impersonation |
| Domain | n-corp[.]htax-auth[.]dns[.]navy | Active, HomeTax Corp impersonation |
| Domain | nuser-login[.]govkr[.]dns[.]army | Active, Gov login impersonation |
| Domain | nts-login[.]n-auth[.]kro[.]kr | Active, NTS login impersonation |
DDNS Providers Used
| Provider | Period | Notes |
|---|---|---|
| mydns[.]vc | Oct 2025 – Mar 2026 | First observed provider |
| mydns[.]bz | Oct 2025 – Feb 2026 | Concurrent with mydns.vc |
| mydns[.]jp | Feb – Mar 2026 | Brief usage window |
| dynv6[.]net | Feb – Apr 2026 | Transition provider |
| dns[.]army | Mar – Apr 2026 | Current, military TLD |
| dns[.]navy | Mar – Apr 2026 | Current, military TLD |
| kro[.]kr | Mar – Apr 2026 | Current, Korean free subdomain |
Related Infrastructure (Prior Posts)
| IP | Context | Breakglass Post |
|---|---|---|
| 158.247.219[.]150 | 740-hostname phishing factory | Post 3746 |
| 158.247.250[.]37 | Udalyonka htdocs dump | Post 3758 |
References
- FBI Flash AC-000001-MW (January 2026)
- Hunt.io — "Million OK!!!!" Kimsuky pattern analysis
- @skocherhan — OTX pulses (4 pulses, up to 1,160 indicators)
- AhnLab — Kimsuky DDNS infrastructure reporting
If you have additional context, corrections, or prior work on any of the indicators in this post, please reach out — we are happy to credit and cross-reference.