Kimsuky, an advanced persistent threat (APT) group believed to be active since 2013, recently launched another campaign. Instead of their usual tactic of attaching malware-laden Hangul Word Processor (HWP) or Microsoft Word documents to spear-phishing emails, they shifted to weaponizing compressed files or embedding malicious links.[1]
Using a list of 13 indicators of compromise (IoCs) published by AhnLab security researchers as jump-off points, we managed to find 702 connected artifacts through an expansion analysis aided by exhaustive DNS intelligence.
Our deep dive led to the discovery of:
- 336 email-connected domains
- Five IP addresses to which the domains identified as IoCs resolved, two of which were associated with various threats
- Five IP-connected domains, found only for the IP addresses that were dedicated (not shared hosting)
- 356 domains that contained text strings found among the domains identified as IoCs
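The expansion described above can be reproduced in miniature. The following is an added example (not WhoisXML API's or AhnLab's own code) that runs the three pivots over constructed WHOIS and DNS records; the IoC names, emails, IPs and the dedicated-IP threshold are all placeholders, since the page publishes none of the actual indicators.

```python
from collections import Counter

# Constructed sample intelligence; none of these are the campaign's real indicators.
IOCS = {"ioc-one.example", "update-ioc.example"}
WHOIS_EMAIL = {  # domain -> registrant email (constructed)
    "ioc-one.example": "reg@mail.example",
    "update-ioc.example": "other@mail.example",
    "lookalike.example": "reg@mail.example",
    "extra.example": "other@mail.example",
    "benign.example": "admin@corp.example",
    "update-portal.example": "someone@else.example",
}
A_RECORDS = {  # domain -> resolved IPv4 address (constructed)
    "ioc-one.example": "203.0.113.10",
    "update-ioc.example": "198.51.100.7",
    "hosted1.example": "203.0.113.10",
    "shared-a.example": "198.51.100.7",
    "shared-b.example": "198.51.100.7",
    "benign.example": "192.0.2.50",
    "ioc-mirror.example": "192.0.2.51",
}
DEDICATED_MAX = 2  # assumption: an IP hosting this many domains or fewer is treated as dedicated

def email_connected(iocs, whois):
    """Domains that share a registrant email with any IoC domain."""
    emails = {whois[d] for d in iocs if d in whois}
    return {d for d, e in whois.items() if e in emails and d not in iocs}

def resolved_ips(iocs, a_records):
    """IP addresses the IoC domains resolve to."""
    return {a_records[d] for d in iocs if d in a_records}

def ip_connected(iocs, a_records, dedicated_max=DEDICATED_MAX):
    """Domains co-hosted on IoC IPs, but only where the IP is dedicated:
    a shared-hosting IP would pull in hundreds of unrelated tenants."""
    tenants = Counter(a_records.values())
    ips = {ip for ip in resolved_ips(iocs, a_records) if tenants[ip] <= dedicated_max}
    return {d for d, ip in a_records.items() if ip in ips and d not in iocs}

def ioc_tokens(iocs, min_len=3):
    """Hyphen-separated text strings taken from the IoC domain labels."""
    tokens = set()
    for d in iocs:
        tokens.update(t for t in d.split(".")[0].split("-") if len(t) >= min_len)
    return tokens

def string_connected(iocs, candidates):
    """Candidate domains whose label contains one of the IoC text strings."""
    tokens = ioc_tokens(iocs)
    return {d for d in candidates if d not in iocs and any(t in d.split(".")[0] for t in tokens)}

def expand(iocs, whois, a_records):
    """Run all pivots and return the connected artifacts by category."""
    candidates = set(whois) | set(a_records)
    return {"email_connected": email_connected(iocs, whois),
            "resolved_ips": resolved_ips(iocs, a_records),
            "ip_connected": ip_connected(iocs, a_records),
            "string_connected": string_connected(iocs, candidates)}
```

Short tokens such as "one" are prone to false positives on real data, so string-connected results are leads to review, not confirmed infrastructure.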
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://asec.ahnlab.com/en/59590/