Kimsuky: DNS Intel Gathering | WhoisXML API

Threat Reports

Kimsuky: DNS Intel Gathering

Kimsuky, an advanced persistent threat (APT) group believed to be active since 2013, recently launched another campaign. Instead of their usual tactic of using malware-laden Hangul Word Processor (HWP) or Microsoft Word spear-phishing email attachments, they shifted to weaponizing compressed files or embedding malicious links instead.1

Using a list of 13 indicators of compromise (IoCs) published by AhnLab security researchers as jump-off points, we managed to find 702 connected artifacts through an expansion analysis aided by exhaustive DNS intelligence.

Our deep dive led to the discovery of:

  • 336 email-connected domains
  • Five IP addresses to which the domains identified as IoCs resolved, two of which were associated with various threats
  • Five IP-connected domains, where IP addresses were dedicated
  • 356 domains that contained text strings found among the domains identified as IoCs

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1]
Try our WhoisXML API for free
Get started