A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail
This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate Naver, Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented Vultr Seoul boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.
AI Analysis
Technical Summary
The documented campaign reveals a third Vultr Seoul VPS (IP 158.247.210.58) linked to Kimsuky operations, featuring a long-term credential harvesting infrastructure spanning over 60 domains and 18 months. The adversary employs systematic rotation across seven DDNS providers to avoid detection and blocklisting while retaining the same backend VPS since at least September 2020. The domains impersonate key South Korean services, including Naver and the Korean National Tax Service, using domain prefixes that suggest phishing or credential harvesting intent. Currently, 31 domains actively resolve but have closed web ports, indicating a parked infrastructure poised for potential activation. This VPS is located in AS20473 alongside two previously identified Vultr Seoul boxes used by Kimsuky, highlighting the actor's operational preference for this hosting environment and proximity to South Korean targets. No known exploits or vulnerabilities are associated with this infrastructure, and it represents a threat campaign rather than a software vulnerability.
Potential Impact
The campaign facilitates credential harvesting through impersonation of trusted South Korean services, potentially leading to compromised user credentials and unauthorized access. The use of multiple DDNS providers and long-term infrastructure increases the difficulty of detection and takedown. While no active exploitation or direct vulnerabilities are reported, the infrastructure supports ongoing phishing and espionage activities targeting South Korean entities.
Mitigation Recommendations
No patch or official fix applies, as this is threat actor infrastructure rather than a software vulnerability. Mitigation should focus on monitoring and blocking the identified domains and associated IP address, strengthening phishing detection, and educating users about these specific impersonation tactics. Network defenders should consider blocklisting the known domains and the DDNS providers used by this actor. Since the infrastructure is currently parked with closed web ports, continuous monitoring for activation (new resolutions or web ports opening on 158.247.210.58) is recommended. There is no vendor advisory or patch available for this threat.
Indicators of Compromise
- domain: ips-govkr.mydns.bz
- domain: n-cloud.htax-store.dns.navy
- domain: nid-user.nts-auth.dns.army
- domain: mdlog.mydns.vc
- domain: johnnytogdstudio.xyz
- domain: govkr-auth.mydns.bz
- domain: govkr-nid.tax-auth.dns.army
- domain: govkr-tax.nid-auth.kro.kr
- domain: htax-login.mydns.vc
- domain: htax-login.n-cloud.kro.kr
- domain: htax-login.nts-kr.dns.army
- domain: htax-nid.mydns.vc
- domain: htax-nid.n-user.dns.navy
- domain: htax-user.govkr.kro.kr
- domain: n-auth.mydns.bz
- domain: n-auth.nts-login.dns.navy
- domain: n-cloud.mydns.bz
- domain: n-cloud.nid-tax.kro.kr
- domain: n-corp.htax-auth.dns.navy
- domain: n-corp.mydns.bz
- domain: n-login.htax-nid.dns.navy
- domain: n-store.mydns.vc
- domain: n-store.nts-user.kro.kr
- domain: n-store.tax-nid.dns.navy
- domain: n-user.htax-auth.kro.kr
- domain: n-user.ips-gov.dns.army
- domain: nid-auth.n-cloud.dns.navy
- domain: nid-gov.tax-store.kro.kr
- domain: nid-login.mydns.vc
- domain: nid-login.nts-gov.dns.army
- domain: nid-nts.n-store.kro.kr
- domain: nid-store.govkr.dns.army
- domain: nid-store.mydns.bz
- domain: nid-user.mydns.bz
- domain: nts-auth.mydns.vc
- domain: nts-login.mydns.vc
- domain: nts-login.n-auth.kro.kr
- domain: nts-nid.n-login.kro.kr
- domain: nts-store.n-login.dns.navy
- domain: nuser-login.govkr.dns.army
- domain: nuser-login.mydns.bz
- domain: tax-login.mydns.vc
- domain: tax-login.n-corp.kro.kr
- domain: tax-nid.mydns.bz
- domain: tax-user.nid-gov.dns.army
Technical Details
- Author: AlienVault
- TLP: white
- References: https://intel.breakglass.tech/post/kimsuky-third-vultr-seoul-60-domains-ddns-rotation-naver-nts
- Adversary: Kimsuky
- Pulse Id: 69f06a838f5dae965dd8cbfd
- Threat Score: null
Threat ID: 69f0c280cbff5d86101cb678
Added to database: 4/28/2026, 2:21:52 PM
Last enriched: 4/28/2026, 2:37:38 PM
Last updated: 4/29/2026, 5:49:55 AM