Red Children of Censorship

apt37, kimsuky
APT37 and Kimsuky are North Korean state-sponsored cyber espionage groups that focus on targeting the public and private sectors, primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

Indicators of Compromise

APT Groups (2)

APT37 (Korea, Democratic People's Republic of)
Aliases: Moldy Pisces, Ruby Sleet, TEMP.Reaper, Reaper, Red Eyes, Crooked Pisces, Group 123, Ricochet Chollima, APT 37, ITG10, Opal Sleet, InkySquid, ScarCruft, ATK 4, Geumseong121, Cerium, Osmium, Hermit, Venus 121

Kimsuky

Description of MISP: This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

Description of Mitre: Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tanks as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

Description of Etda: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.

Aliases: Black Banshee, Velvet Chollima, Kimsuky, ITG16, APT 43, TA427, TA406, ARCHIPELAGO, Emerald Sleet, Thallium, SharpTongue, KTA082

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Observed Countries (8)

CN (529)
IN (728)
JP (14)
KR (887)
KW (480)
RO (356)
RU (698)
VN (918)