Kimsuky Left the Front Door Open Again: Pulling a Live Naver Phishing Kit Off a Vultr Seoul Box Eight Months After the Phrack Leak
TL;DR
On April 8, 2026, the threat intel researcher @skocherhan dropped a short #DPRK #Russia post pointing at verify[.]udalyonka[.]com / 158[.]247[.]250[.]37 on AS20473 (The Constant Company, LLC / Vultr). We picked it up overnight and walked the box. What we found, with the front door already open:
- An open directory listing at the web root of `158.247.250.37`
- A 1.3 MB backup of the live phishing kit sitting in that listing, named `htdocs.7z`, captured from the running server on 2026-02-10
- 269 files across 24 directories inside the archive
- Three complete phishing kits (`blog/`, `nportal/`, `uinvoice/`) built on a modified Glype / PHProxy v0.5b2 reverse proxy, configured to intercept Naver credentials and full session cookies in real time
- Seventeen compromised SMTP accounts hardcoded across two PHPMailer deployments (`send_new/`, `send2/`) — Russian mail.ru ecosystem (mail.ru, list.ru, inbox.ru, bk.ru, rambler.ru, internet.ru) plus Zohomail and Inbox.lv
- A confirmed South Korean victim (`ain8494@naver.com`) phished on February 10, 2026 from an SK Broadband mobile IP on Android 10 / Chrome 144 — credentials, ISP, device, and full Naver session cookies all captured by the proxy and logged to disk in their own per-victim directory
- An `extreme-ip-lookup.com` API key (`nOaZbY9mHVAfAZ8yeAcC`) hardcoded into the kit's anti-analysis module, plus integer-packed IP-range tables blocking Naver's own crawler ranges, Google, Microsoft, RIPE, Daum, Kakao, Trustwave, and AVAST — the actor's list of who they don't want reading their mail
- A Telegram-bot callback path via `coder.udalyonka.com` → `tgbot.minecraft.pe` → `150.241.80.3` (Aeza International, Stockholm) for real-time credential exfiltration alerts
- 200+ brand-impersonation subdomains across the `udalyonka.com` namespace — Bloomberg, GitHub, Coca-Cola, Western Union, Samsung Securities, Sennheiser, Carl Zeiss, Schaeffler, Walmart, Henkel subsidiaries, Korean NTS, Russian DOM.RF, many more — organised under an operator structure that writes `ffsandusr{0,1,2,3}` prefixes into subdomain names
What this report adds to the public record
The core methodology here — open-directory discovery of Kimsuky phishing kits — isn't new. Hunt.io has published prior work documenting Kimsuky open-directory tradecraft and Naver credential-harvesting infrastructure (March 2024, October 2024). And eight months ago, the researchers Saber and cyb0rg published the APT Down: The North Korea Files dump in Phrack #72 at DEF CON 33, mirrored on DDoSecrets — an 8.9 GB collection captured from a Kimsuky operator's workstation and VPS in June 2025, containing kit builder code, bash histories, stolen certificates, and the source of the SK Ministry of Foreign Affairs' "Kebi" email system.
What our dump adds on top of that body of prior work is three specific things:
- A fresh infrastructure node — `158.247.250.37` on Vultr Seoul, different from any Kimsuky cluster Hunt.io has documented (their 2024 posts cover `158.247.238.155` and `158.247.230.196` in the same Vultr neighborhood, not this box)
- Evidence that the Phrack leak did not burn the operator's deployment pipeline — this server has been running continuously since at least October 2020, kept running right through the August 2025 Phrack publication, and was still catching victims in February 2026. The op did not migrate, rebuild, or burn their SMTP pool after being publicly exposed.
- The deployment side of the operation rather than the builder side. Phrack #72 captured the operator's dev environment — `generator.php` with a hardcoded admin cookie, `config.php` with IP blacklists, `logs.php` for reviewing phished results. Our `htdocs.7z` captures the deployed output of that pipeline: a PHProxy-based Naver credential harvester, a PHPMailer lure delivery system, and a per-victim credential log directory structure with a live Korean victim inside. Two sides of the same operation, captured eight months apart.
Hat tip to @skocherhan for the original post. The infrastructure was live on the public internet before their tweet and it's live as I'm writing this — they're the one who picked it out of the noise.
If you've already published reporting on udalyonka.com, the 158.247.250.37 cluster, the htdocs.7z archive (SHA256 below), or the ffsandusr{0..3} subdomain operator pattern, please reply or DM — we'll update and credit.
The Host — 158.247.250.37
| Field | Value |
|---|---|
| Hostname | 158-247-250-37.constant.com |
| ASN | AS20473 — The Constant Company, LLC (Vultr) |
| Hosting | Vultr VPS, Paripark, South Korea |
| OS | Windows (hostname leak: DESKTOP-USY2245 via RDP cert) |
| Web stack | Apache 2.4.58 (Win64) + OpenSSL 3.1.3 + PHP 8.0.30 (XAMPP) |
| Open ports | 80 (Apache), 443 (Apache, self-signed CN=localhost), 3389 (RDP), 5357 (WSDAPI), 5985 (WinRM) |
| First seen | August 2025 (earliest access log entry on the server) |
| Still live | April 2026 |
| Shodan tags | cloud, eol-product, self-signed, open-dir |
| VT detection | 4/94 malicious (alphaMountain.ai: phishing; CRDF: malicious) |
The Shodan tag open-dir is how this whole investigation started — it's the label Shodan applies to Apache hosts that return an auto-generated directory index because directory indexing is enabled and no DirectoryIndex file is present, so the root directory is world-readable. That configuration is the actor's first mistake.
The Open Directory
```text
Index of /
htdocs.7z   2026-02-10 21:44   1.3M   ← FULL PHISHING KIT BACKUP
send2/      2026-01-12 22:34   -      ← MASS MAILER (live)
```
The send2/ directory is a live PHPMailer deployment. The htdocs.7z file is a full backup of the kit, taken by the operator themselves on February 10, 2026 at 21:44 KST and left in the web root. The most likely reading is that the operator made a backup before reshuffling their deployment, dropped it in the web root as a convenience, and forgot to either remove it or move it outside the Apache document root. That's a single typo — htdocs.7z inside htdocs/ instead of one directory up — and it's the only mistake the operator needed to make to hand us the whole kit.
SHA256: fbb36c3173a4b467fcc7fea566b3ddf7e72af8d5e45a8fd505ec21e61d160df9
MD5: ac33ba08410f39cf13c9a08a01582bce
Size: 1,360,437 bytes
Contents: 269 files, 24 directories
Inside the Kit
Three parallel phishing kits
| Directory | Purpose | Post-phish redirect |
|---|---|---|
| blog/ | Naver Blog login phishing | https://blog.naver.com |
| nportal/ | Naver Portal login phishing | https://invoice.naver.com |
| uinvoice/ | Korean NTS (tax) lure | https://www.nts.go.kr/nts/ad/taxSchdul/selectList.do |
| index.php (root) | Redirect fallback | https://www.nts.go.kr (Korean National Tax Service) |
Each of the three kit directories is structured identically:
| File | Role |
|---|---|
| index.php | The PHP proxy engine with credential interception built in |
| recon.htm | "비밀번호 재확인 : 네이버 내정보" — Naver password re-confirmation page, pixel-perfect |
| nsec.php | The IP / ISP / browser / GeoIP filtering module ("Security Guard Code") |
| confirm.php | Victim system profiling — logs IP, ISP, country, User-Agent, COMPUTERNAME, NUMBER_OF_PROCESSORS |
The proxy is modified Glype / PHProxy 0.5b2
The core index.php file in each kit directory is a modified Glype / PHProxy v0.5b2 reverse proxy. Glype is public open-source web-proxy software originally built in the mid-2000s for anonymization use cases. The modifications here turn it into a credential harvester:
- Intercepts all HTTP requests and responses between the victim and the real Naver servers
- Renders a pixel-perfect Naver "password re-confirmation" page on the first visit (`recon.htm`)
- Captures entered credentials via form interception on the proxied HTML
- Captures full session cookies — including Naver's `NID_JST` authentication token, which is what grants logged-in access without 2FA
- Profiles the victim's IP, ISP, geography, User-Agent, device, and processor count
- Writes everything to disk in a per-victim directory named after the victim's email
- Redirects the victim to a legitimate Naver page after the credential capture completes, so the flow looks successful
The per-victim directory pattern is the reason the open-directory listing is so damaging: every phished account becomes its own subdirectory on the file system, and each one contains the harvested credentials. The operator left the door open on a server that had live victim logs on it.
The IP filter table — nsec.php
The anti-analysis module, which the operator's comments call "the Security Guard Code," does three things:
It blocks known security researcher IPs: 16 integer-packed range pairs covering analysis houses and scanner infrastructure.
It blocks Naver's own infrastructure. Naver's corporate crawlers would immediately flag a Glype-proxied Naver login page, so the kit explicitly blocks:
220.230.168.* 211.249.40.* 211.249.68.*
35.243.23.* 1.225.35.* 104.222.43.*
It also blocks by ISP/ASN name-match: Google, RIPE, Naver, Daum, Kakao, Microsoft, Trustwave, AVAST, net4sec, ColoUp.
It enforces minimum browser versions. Chrome must be ≥ 85 (some paths require ≥ 97), Firefox ≥ 80. It blocks the user agents bot, python, carbon, github, HeadlessChrome, Google crawler UAs, and naver.me.
When any of those filters fire, the visitor gets redirected to a benign Naver blog page (https://section.blog.naver.com/ThisMonthDirectory.naver) and the block event is logged to Test_Log.txt. The effect is that casual passive scanners and security researchers running in well-known IP space or with automation user agents simply see a legit Naver link and move on; only victims hitting the kit from real South Korean residential IPs with real mobile or desktop browsers get served the credential-capture flow.
Hardcoded API key in the filter:
extreme-ip-lookup.com API key: nOaZbY9mHVAfAZ8yeAcC
Fallback: ip-api.com
That API key is an OPSEC artifact in its own right — it's attached to whatever account the operator set up on extreme-ip-lookup.com, and it's now publicly burned.
The mass mailers — send_new/ and send2/
Two PHPMailer deployments, one for each SMTP provider ecosystem. send_new/ is the older Mail.ru / Rambler.ru deployment and hardcodes SMTP passwords directly in the source. send2/ is newer, accepts credentials via POST parameters at runtime, and operates against Zohomail and Inbox.lv. Between them, 17 compromised SMTP accounts are baked into the kit:
send_new/ — Russian ecosystem (hardcoded, live at time of dump)
| Account | Provider |
|---|---|
| mail-linker@mail.ru | Mail.ru |
| mail-con@mail.ru | Mail.ru |
| notice-mail@list.ru | List.ru |
| notice-mail@inbox.ru | Inbox.ru |
| mailconnector@inbox.ru | Inbox.ru |
| mailsender2024@mail.ru | Mail.ru |
| mail-linker@list.ru | List.ru |
| contact-linker@mail.ru | Mail.ru |
| contact-linker@inbox.ru | Inbox.ru |
| info-sender@inbox.ru | Inbox.ru |
| mailbox-service@list.ru | List.ru |
| maildeliver@bk.ru | Bk.ru |
| mail-linker@rambler.ru | Rambler.ru |
| help_master24@internet.ru | Internet.ru (commented out but present) |
SMTP server: smtp.mail.ru:465 (SSL).
send2/ — Zohomail + Inbox.lv
| Account | Provider |
|---|---|
| businessking1@zohomail.com | Zohomail |
| logansmith1@zohomail.com | Zohomail |
| linksend5@zohomail.com | Zohomail |
| linkzepto5@zohomail.com | Zohomail |
| zeptolink3@zohomail.com | Zohomail |
SMTP server: mail.inbox.lv:465 (SSL).
The lure template uses placeholder tokens that get substituted per recipient:
| Token | Becomes |
|---|---|
| aaaaaaaaaa | recipient email |
| bbbbbbbbbb | hex-encoded base64 of the recipient email (used in URL tracking) |
| cccccccccc | masked email (first 4 chars + ****) |
| dddddddddd | current date/time |
| ffffffffff | email local part (before @) |
The Confirmed Victim
Inside the archive, the per-victim directory structure revealed at least one confirmed compromise:
| Field | Value |
|---|---|
| Victim | ain8494@naver.com |
| Phishing URL | http://chk.uncork.biz/nportal/?wreply=ain8494@naver.com&m=qhfsmnav&nhn=1 |
| Victim IP | 175.115.14.22 |
| ISP | SK Broadband Co Ltd |
| Country | South Korea |
| Date / time | 2026-02-10, 14:15 KST |
| Device | Android 10, Chrome 144 Mobile |
| Language headers | ko-KR (with zh-TW, zh-CN, lv residuals) |
The proxy intercepted this user attempting to access nid.naver.com/user2/help/myInfo.nhn?m=viewChangePasswd — the Naver "change password" page — via the phishing URL. The kit captured their password and their full authenticated session cookies (including NID_JST). A captured session cookie that includes NID_JST grants account access without 2FA, so from Kimsuky's side the victim can be taken over silently and without tripping the "new device" 2FA prompt on Naver's end.
We've notified KrCERT/CC / KISA through the disclosure channel included below. The victim needs to reset their Naver password and revoke all active sessions on their account.
The Broader Namespace — udalyonka.com + 200 Subdomains
udalyonka.com itself has been around since October 19, 2020, registered through Danesco Trading Ltd (Cyprus) with afraid.org (FreeDNS) nameservers and whoisprotectservice.net privacy on WHOIS — three signals that match previously documented Kimsuky domain registration patterns. The domain cycled through Russian REG.RU hosting from 2019 to 2022, moved to SoftLayer / IBM Cloud, briefly touched AWS Global Accelerator, and landed on Vultr Seoul.
Certificate Transparency on the domain reveals 200+ subdomains structured under a consistent operator-prefix pattern:
| Prefix | Subdomain count | Example brand impersonations |
|---|---|---|
| ffsandusr0 | 30+ | Bloomberg, GitHub, Sennheiser, Coca-Cola, Western Union |
| ffsandusr1 | 15+ | Carl Zeiss, Walmart, Schaeffler, Samsung Securities |
| ffsandusr2 | 10+ | Ryanair, Adventist Jobs, Sennheiser Online Store |
| ffsandusr3 | 5+ | Sennheiser, Wacom, Eastern Honeys |
The ffsandusr{0,1,2,3} prefix structure suggests multiple operators or campaign phases working out of the same top-level domain — operator 0 hits the Bloomberg / Coca-Cola / financial set, operator 1 handles industrial (Schaeffler / Carl Zeiss), operator 2 gets the consumer brands, and so on. If that reading is correct, it's a glimpse of how Kimsuky distributes phishing targets across team members.
Brand impersonation categories
- Financial: Bloomberg · Bloomberg MTF · Western Union · Western Union Holdings · Samsung Securities · Banco de Galicia · Banchile Inversiones · Mcan Financial · One Gold
- Technology: GitHub · Renesas · Renesas Synergy · Tietoevry · Tietoevry Industry · Ciklum · Luxoft · Deep Spring
- Consumer: Coca-Cola · Coca-Cola Zero · Vitamin Water Zero · Sennheiser (8+ variants) · Carl Zeiss · Wacom (3+ variants)
- Industrial: Schaeffler · Daramic · Henkel (Schwarzkopf, Pattex, Metylan, Loctite, Thomsit) · Veolia · Eurocontrol
- Healthcare: Ivoclar Vivadent · Ivoclar Group · Exelixis · Cabmetyx · Southern Cross (Health, Pets)
- Government / Org: Adventist Church · Korean NTS · JSC DOM.RF (Russian state housing corporation)
- Retail: Marktkauf · Netto Online · SystemBolaget (Swedish liquor monopoly) · Walmart
The presence of Russian DOM.RF and the Swedish SystemBolaget alongside Korean NTS and financial / consumer / industrial targets is consistent with Kimsuky's documented breadth — the actor doesn't confine itself to Korean targets alone, and infrastructure built for Korean credential phishing gets repurposed for broader brand-impersonation campaigns.
The Telegram bot exfil path
Passive DNS on coder.udalyonka.com resolves to 150.241.80.3 — an Aeza International (Stockholm) VPS that also presents a TLS certificate for tgbot.minecraft.pe. That's a Telegram bot endpoint. The most likely function is real-time credential exfiltration alerts: when the kit captures a new victim, the server pings the Telegram bot, which forwards the alert to the operator's Telegram. That's a live channel that should be reported to Telegram abuse.
Related infrastructure at chk.uncork.biz
The confirmed victim's phishing URL was http://chk.uncork.biz/nportal/?wreply=ain8494@naver.com&m=qhfsmnav&nhn=1. chk.uncork.biz resolves to 27.102.138.45 — DAOU TECHNOLOGY (Seoul, VT 10/94 malicious) — a second phishing proxy node with 20+ additional phishing subdomains in its namespace targeting Naver, Korean NHIS (health insurance), Korean tax, and various account-themed lures (accountverification, globalpayment, deliverymailsvc, linkyoursecurity, usrdeleteservice, etc.).
The Phrack Comparison
Phrack #72's APT Down: The North Korea Files captured the upstream side of an operation similar to this one — the operator's dev VM and VPS, containing the kit builder code. Specifically, the Phrack article describes a toolkit built around:
| Phrack #72 file | Role |
|---|---|
| config.php | IP blacklists for anti-detection |
| generator.php | Remote admin for managing phishing attacks; hardcoded access cookie HnoplYTfPX=x |
| logs.php | Phishing results retrieval |
Plus phishing domain clusters like nid-security.com, nid.navermails.com, websecuritynotices.com, and sponetcloud.com.
Our htdocs.7z captures the downstream side — the actual deployed kit that victims see. The file structure is different: our three kit directories are built around a modified Glype / PHProxy v0.5b2 reverse proxy, not around a generator.php framework. The domain cluster is different (udalyonka.com / uncork.biz vs the Phrack domains). And the deployment targets are Naver Blog, Naver Portal, and Korean NTS rather than the Phrack article's broader set.
What does overlap between the two sides:
- Both target Naver credential harvesting as a first-order objective
- Both IP-filter defensively against security vendors + Naver's own crawler ranges
- Both use Russian mail ecosystems for lure delivery (mail.ru / inbox.ru and family)
- Both use dynamic DNS providers (FreeDNS / `afraid.org` nameservers appear in our cluster; the Phrack corpus also references `afraid.org` in the broader dump)
- Both operate continuously through the Phrack publication window — our cluster's passive DNS history goes back to 2019, predates the Phrack operator's captured environment (June 2025), survived the DEF CON publication (August 2025), and is still active as of this post
We are not claiming code lineage between our kit and the Phrack corpus. The file structures don't match and we didn't do a cryptographic diff. What we are saying is: the Saber / cyb0rg leak demonstrated what one Kimsuky operator's workbench looked like in June 2025, and eight months later a different node on different infrastructure is still running the same family of tradecraft — open directories, PHP-based credential proxies, IP-filter anti-analysis, Russian-ecosystem SMTP pools, Korean dynamic DNS providers, and brand-impersonation subdomain farms.
The Phrack leak did not burn the operation. It burned one workstation.
Attribution — Kimsuky / APT43, High Confidence
The indicator stack matches previously published Kimsuky / APT43 tradecraft documented by Mandiant, AhnLab, KISA, and the Phrack #72 write-up:
| Indicator | Kimsuky match |
|---|---|
| Exclusive South Korean target set (Naver + NTS) | ✅ Primary victimology |
| Korean-language phishing pages (KISA logo assets, Naver-specific HTML) | ✅ |
| PHP reverse-proxy credential interception (not static phishing pages) | ✅ Documented TTP |
| IP and ISP filtering specifically blocking Naver / KISA / security vendors | ✅ Documented evasion |
| afraid.org nameservers + Danesco Trading registrar + WHOIS privacy | ✅ Repeat registration pattern |
| Russian REG.RU origin hosting (2019–2022) | ✅ DPRK–Russia operational alignment |
| XAMPP-on-Windows phishing host | ✅ Documented preference |
| Per-victim directory credential logs with session cookie capture | ✅ Documented operational pattern |
| Tax / invoice / Naver account-verification lure themes | ✅ Matches KrCERT/CC prior reporting |
| Broad brand-impersonation subdomain farm (200+) | ✅ Matches prior Hunt.io reporting on sister infrastructure |
Timeline
| Date | Event |
|---|---|
| 2019-12 | First VT passive DNS entry for udalyonka.com (194.58.112.174, REG.RU Moscow) |
| 2020-10-19 | udalyonka.com registered via Danesco Trading |
| 2020–2022 | Hosting on REG.RU infrastructure (Moscow) |
| 2022–2024 | Migration to SoftLayer / IBM Cloud (169.47.130.x cluster) |
| 2025-08 | Phrack #72 / APT Down published at DEF CON 33 |
| 2025-11 | Brief hosting on AWS Global Accelerator |
| 2026-01-12 | /send2/ directory created on 158.247.250.37 |
| 2026-02-10 | htdocs.7z backup created on 158.247.250.37; confirmed Korean victim credentials captured |
| 2026-04-05 / 2026-04-06 | New subdomains (tesdafrique, coder, sub.coder) with fresh certificates |
| 2026-04-08 | @skocherhan publishes the IOC |
| 2026-04-09 | GHOST investigation, kit dump, this post |
Detection, Hunting, Disclosure
Blocks
- Block all of `158.247.250.37`, `158.247.240.40`, `27.102.138.45`, `190.92.173.54`, `150.241.80.3`, and `169.47.130.72` at the perimeter.
- DNS sinkhole `udalyonka.com`, `uncork.biz`, `userclaimload.kro.kr`, `usermemberblg.freeddns.org`, `lnkblogaddress.mydns.bz`, and the 200+ subdomains listed at the end of this post. In practice the cleanest move is to sinkhole `*.udalyonka.com` and `*.uncork.biz` at the wildcard level.
- Block at the email gateway all 17 of the SMTP sender accounts listed above, plus mail from `smtp.mail.ru:465` and `mail.inbox.lv:465` as additional pivot-ready filters.
Hunts
- URL parameter signatures — flag any inbound URLs containing `?wreply=`, `?m=qhfsmnav`, or `?nhn=1`. Those are kit-specific phishing URL parameters.
- Naver credential submission to non-Naver hosts — if your proxy logs see login form POSTs to any domain other than `*.naver.com`, that's worth investigating.
- Outbound SMTP to `smtp.mail.ru:465` from corporate networks — highly anomalous for most enterprises, should be flagged regardless.
- Dynamic-DNS parent hunt — alert on resolutions to any of `*.kro.kr`, `*.freeddns.org`, `*.mydns.bz`, `*.dynv6.net`, `*.cloud-ip.cc` from managed endpoints where business justification is absent.
- `afraid.org` nameserver resolutions from corporate hosts — rare for legitimate business traffic.
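The URL-parameter, off-site Naver POST and dynamic-DNS hunts above, plus a decoder for the lure template's `bbbbbbbbbb` tracking token (hex-encoded base64 of the recipient), as one added example that is not code from the original post or from the kit. The proxy-log line format (timestamp, source IP, method, URL), the client IPs, the recipient address and the Naver-style path markers are constructed assumptions; the kit hostnames are the ones named in this post.

```python
# Added hunt helper for the kit-specific URL signatures this post describes.
# Not code from the post or the kit; log format (ts, src IP, method, URL) is assumed.
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit
# Kit-specific query parameters from the Hunts section: the presence of
# wreply or nhn, or the literal m=qhfsmnav, is flagged.
KIT_PARAMS = ("wreply", "nhn")
KIT_M_VALUE = "qhfsmnav"
# Dynamic-DNS parents named in the post.
DYNDNS_PARENTS = ("kro.kr", "freeddns.org", "mydns.bz", "dynv6.net", "cloud-ip.cc")
# Assumption: the kit proxies Naver login paths under its own hostname, so a
# Naver-style path POSTed to a non-naver.com host is the off-site login signal.
NAVER_PATH_MARKERS = ("nidlogin", ".nhn")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def in_domain(host: str, parent: str) -> bool:
    """True if host is parent itself or any subdomain of it."""
    return host == parent or host.endswith("." + parent)


def decode_tracking_token(token: str):
    """Reverse the lure template's bbbbbbbbbb token, hex(base64(recipient email)).
    Returns the address, or None if the value is not such a token."""
    try:
        b64 = bytes.fromhex(token).decode("ascii")
        email = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return email if EMAIL_RE.match(email) else None


def analyze_request(method: str, url: str) -> list:
    """Return the hunt rules tripped by one request (empty list if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if any(k in qs for k in KIT_PARAMS) or KIT_M_VALUE in qs.get("m", []):
        findings.append("kit_url_parameters")
    if (method.upper() == "POST" and not in_domain(host, "naver.com")
            and any(m in parts.path.lower() for m in NAVER_PATH_MARKERS)):
        findings.append("naver_login_post_offsite")
    if any(in_domain(host, p) for p in DYNDNS_PARENTS):
        findings.append("dyndns_parent")
    for values in qs.values():          # recover the targeted recipient, if encoded
        for value in values:
            email = decode_tracking_token(value)
            if email:
                findings.append("targeted_recipient:" + email)
    return findings


def hunt(log_text: str) -> list:
    """Return (source IP, URL, findings) for every log line that tripped a rule."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            _ts, src_ip, method, url = line.split(maxsplit=3)
            findings = analyze_request(method, url)
            if findings:
                hits.append((src_ip, url, findings))
    return hits


# Constructed proxy-log sample: kit hosts from the post, fictional client IPs and
# recipient; the hex token is hex(base64("victim@example.com")).
SAMPLE_LOG = """\
2026-02-10T14:15:02 10.0.0.21 GET http://chk.uncork.biz/nportal/?wreply=user@naver.com&m=qhfsmnav&nhn=1
2026-02-10T14:15:09 10.0.0.21 POST http://chk.uncork.biz/nportal/nidlogin.login
2026-02-10T14:16:40 10.0.0.33 GET https://nid.naver.com/nidlogin.login
2026-02-10T14:18:11 10.0.0.45 GET http://edoc.lnkblogaddress.mydns.bz/?id=646d6c6a64476c7451475634595731776247557559323974
2026-02-10T14:20:00 10.0.0.50 GET https://www.example.com/index.html
"""
if __name__ == "__main__":
    for src_ip, url, findings in hunt(SAMPLE_LOG):
        print(src_ip, url, ", ".join(findings))
```

Three of the five sample lines trip a rule; the legitimate nid.naver.com login and the unrelated site stay silent, and the dynamic-DNS hit also recovers the lure's intended recipient from its tracking token.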
Victim notification
- Users who accessed Naver through any link containing `udalyonka.com` or `uncork.biz` should reset their Naver password immediately and revoke all active sessions via `nid.naver.com`. The kit captures `NID_JST` session cookies, so simple password rotation is not enough — active sessions must be killed.
- The confirmed victim `ain8494@naver.com` has been surfaced to KrCERT/CC via our disclosure channel.
Disclosure
- KrCERT/CC / KISA — primary notification
- Naver — credential phishing campaign targeting their platform
- Vultr — abuse notification for `158.247.250.37`
- Mail.ru / List.ru / Inbox.ru / Bk.ru / Rambler.ru — the 14 compromised accounts in the Russian ecosystem
- Zoho — the 5 Zohomail accounts
- Inbox.lv — SMTP relay point
- Telegram abuse — the `tgbot.minecraft.pe` bot callback at `150.241.80.3`
- extreme-ip-lookup.com — API key burn / account termination
MITRE ATT&CK
T1566.002 · T1598.003 · T1056.003 · T1539 · T1078 · T1082 · T1070.006 · T1102.002 · T1583.001 · T1583.003 · T1585.002 · T1608.005 · T1036.005 · T1497 · T1071.001 · T1567
IOCs (condensed)
Infrastructure
158.247.250.37 Primary phishing server (Vultr KR)
158.247.240.40 Related (same /16, blog phishing)
27.102.138.45 Phishing proxy (DAOU TECH, KR)
190.92.173.54 uncork.biz (WHG Hosting, US, IIS+MailEnable)
169.47.130.72 udalyonka.com historical (IBM Cloud)
150.241.80.3 Telegram bot / exfil (Aeza SE)
194.58.112.174 Historical REG.RU (2019-12)
Domains (selected)
File hash
htdocs.7z
SHA256 fbb36c3173a4b467fcc7fea566b3ddf7e72af8d5e45a8fd505ec21e61d160df9
MD5 ac33ba08410f39cf13c9a08a01582bce
Size 1,360,437 bytes (269 files, 24 directories)
Compromised SMTP accounts (for mail provider abuse notification)
The addresses are listed per provider in the send_new/ and send2/ tables above.
Third-party API key to burn
extreme-ip-lookup.com nOaZbY9mHVAfAZ8yeAcC
Confirmed victim (redacted identifier for defender contact only)
Email ain8494@naver.com
IP 175.115.14.22 (SK Broadband)
Time 2026-02-10 14:15 KST
Device Android 10 / Chrome 144 Mobile
Prior art — credit where it's due
- @skocherhan — original `udalyonka.com` / `158.247.250.37` IOC post, April 8, 2026
- Hunt.io — Open Directory Exposes Phishing Campaign Targeting Google & Naver Credentials — March 2024, prior Kimsuky open-directory work on sister infrastructure
- Hunt.io — Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster — October 2024, additional Kimsuky / Naver cluster mapping
- Phrack #72 — APT Down: The North Korea Files (Saber and cyb0rg, published DEF CON 33 / August 2025)
- DDoSecrets mirror — APT Down: The North Korea Files
- CISA AA20-301A and ongoing Mandiant / AhnLab / KISA reporting on APT43 / Kimsuky
If we missed a prior publication on this cluster — particularly anything covering udalyonka.com, the ffsandusr operator pattern, or the specific Vultr Seoul node — please reply or DM and we'll update and credit.
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."