{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/apt_kimsuky/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["APT_Kimsuky"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["github.com"],"_cs_severities":["medium"],"_cs_tags":["maltrail","ioc","threat-intelligence"],"_cs_type":"threat","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief summarizes the indicators of compromise (IOCs) published in the Maltrail feed on 2026-05-15. The IOCs are associated with multiple campaigns including APT_Kimsuky, CyberstrikeAI, Android_Joker, Sectoprat, EK_Landupdate808, and MagentoCore. The feed contains network-based IOCs such as domains and IP addresses. These indicators can be used to detect and block malicious network traffic related to these campaigns. The varied nature of the associated campaigns suggests a wide range of potential threats, from mobile malware to e-commerce platform attacks, necessitating a broad monitoring approach. The update highlights the continuous need for up-to-date threat intelligence for effective network security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis Maltrail feed provides indicators for multiple different campaigns, and so a single attack chain is not possible to construct. 
However, based on the names of the malware families, plausible attack chains can be outlined. These describe how each family is generally known to operate; they are not chains observed in this feed update:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMagentoCore (Possible Attack Chain)\u003c/strong\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Magento e-commerce store with an exploitable weakness, such as an unpatched core or extension.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript (a web skimmer) into the store\u0026rsquo;s checkout pages, for example through a compromised extension or theme.\u003c/li\u003e\n\u003cli\u003eThe injected script is loaded from, or calls back to, one of the listed domains (e.g., \u003ccode\u003e5q.reports-cdn.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe script captures payment card data and login credentials as customers enter them into checkout and login forms.\u003c/li\u003e\n\u003cli\u003eThe stolen data is exfiltrated to attacker-controlled infrastructure behind the listed domains.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen data for financial fraud or identity theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cstrong\u003eAndroid_Joker (Possible Attack Chain)\u003c/strong\u003e\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker builds a malicious Android application, disguised as a legitimate utility, and publishes it on an official or third-party app store.\u003c/li\u003e\n\u003cli\u003eThe user downloads and installs the application.\u003c/li\u003e\n\u003cli\u003eThe application requests intrusive permissions such as SMS and contact list access.\u003c/li\u003e\n\u003cli\u003eThe application contacts a command-and-control server such as \u003ccode\u003emixcar.store\u003c/code\u003e to receive instructions.\u003c/li\u003e\n\u003cli\u003eThe malware subscribes the user to premium SMS services without their knowledge, reading incoming SMS to complete the subscription confirmations.\u003c/li\u003e\n\u003cli\u003eThe attacker profits from the fraudulent subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of these IOCs depends on the 
specific campaign they are associated with. For example, MagentoCore attacks can lead to financial losses and reputational damage for e-commerce businesses, as well as payment card fraud and identity theft for customers. Android_Joker malware can result in financial fraud and privacy breaches for mobile users. APT_Kimsuky campaigns typically target political, diplomatic and strategic intelligence, so their impact is espionage rather than direct financial loss. The number of potential victims is difficult to determine, but given the widespread use of Magento and Android devices, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eVet the trails before blocking them. Maltrail entries range from dedicated attacker domains to hosts on shared hosting or CDN address space, and blocking a shared IP address can break legitimate traffic. Deploy new entries in alert-only mode first and promote confirmed-bad ones to block.\u003c/li\u003e\n\u003cli\u003eBlock the listed domains in your DNS resolver (for example via a response policy zone) and web proxy, matching subdomains of each listed name as well as the exact name.\u003c/li\u003e\n\u003cli\u003eBlock the listed IP addresses in your firewall once you have confirmed they are not shared infrastructure.\u003c/li\u003e\n\u003cli\u003eSearch DNS resolver and proxy logs for resolutions of, or requests to, the listed domains. Your own web server\u0026rsquo;s access log will not show a client-side skimmer or a mobile implant calling out, so resolver and proxy logs are the right place to look.\u003c/li\u003e\n\u003cli\u003eIf you operate a Magento store, inspect the pages served to customers, and any templates or configuration stored in the database, for script tags referencing the listed domains.\u003c/li\u003e\n\u003cli\u003eMonitor firewall and flow logs for connections to the listed IP addresses.\u003c/li\u003e\n\u003cli\u003eInvestigate any system that has communicated with the listed domains or IP addresses for signs of compromise; the first such contact marks the latest point at which that system was compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T10:08:15Z","date_published":"2026-05-15T10:08:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-maltrail-ioc/","summary":"This brief summarizes a Maltrail IOC feed update on 2026-05-15, containing indicators associated with APT_Kimsuky, CyberstrikeAI, Android_Joker, Sectoprat, EK_Landupdate808, and MagentoCore campaigns involving suspicious domains and IP addresses.","title":"Maltrail IOC Feed Update - 
2026-05-15","url":"https://feed.craftedsignal.io/briefs/2026-05-maltrail-ioc/"}],"language":"en","title":"CraftedSignal Threat Feed — APT_Kimsuky","version":"https://jsonfeed.org/version/1.1"}
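The detection and blocking steps in the brief's Recommendation section, as an added example that is not part of the CraftedSignal feed or of Maltrail. `IocSet`, `scan`, `rpz_records` and `ip_blocklist` are names chosen here; the trail lines use the two domains named in the brief plus RFC 5737 documentation addresses as constructed IP indicators; the log lines are constructed in the shape of a BIND query log, a proxy access log and a netfilter kernel log; and the `trail,info,reference` layout is an assumption about Maltrail's export format rather than something the brief states. The matcher pulls host and IP tokens out of any text log, which goes beyond the specific log sources the recommendation names.

```python
"""Match Maltrail-style IOCs (domains, IPs, CIDRs) against log lines.
Added example, not CraftedSignal or Maltrail code; trail and log lines are
constructed, and the trail,info,reference layout is an assumed format."""
import ipaddress
import re

# Constructed trails. The two domains appear in the brief; the IP entries are
# RFC 5737 documentation addresses standing in for real indicators.
TRAILS = """\
# trail,info,reference
5q.reports-cdn.com,magentocore (malware),(constructed)
mixcar.store,android_joker (malware),(constructed)
203.0.113.10,apt_kimsuky (malware),(constructed)
198.51.100.0/24,sectoprat (malware),(constructed)
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)


class IocSet:
    def __init__(self):
        self.domains = {}   # trail domain -> info
        self.networks = []  # (ip_network, info)

    @classmethod
    def from_trails(cls, text):
        s = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(",", 2)
            trail = fields[0].strip().lower()
            info = fields[1].strip() if len(fields) > 1 else ""
            try:  # an IP or CIDR becomes a network; anything else is a domain
                s.networks.append((ipaddress.ip_network(trail, strict=False), info))
            except ValueError:
                s.domains[trail.rstrip(".")] = info
        return s

    def match_domain(self, name):
        """Hit on the trail itself or any subdomain of it, never on its parent."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):  # never test the bare TLD
            cand = ".".join(labels[i:])
            if cand in self.domains:
                return cand, self.domains[cand]
        return None

    def match_ip(self, text):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return None
        for net, info in self.networks:
            if ip in net:
                return str(net), info
        return None


def scan(lines, iocs):
    """Extract host/IP tokens from any text log line; return (line_no, trail, info, line)."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        cands = [(t, iocs.match_domain) for t in HOST_RE.findall(line)]
        cands += [(t, iocs.match_ip) for t in IP_RE.findall(line)]
        for tok, matcher in cands:
            m = matcher(tok)
            if m and m[0] not in seen:
                seen.add(m[0])
                hits.append((n, m[0], m[1], line))
    return hits


def rpz_records(iocs):
    """BIND response-policy-zone records: NXDOMAIN each trail and its subdomains."""
    recs = []
    for d in sorted(iocs.domains):
        recs += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return recs


def ip_blocklist(iocs):
    """CIDR strings for a firewall address set; vet for shared hosting first."""
    return [str(net) for net, _ in iocs.networks]


# Constructed log lines: BIND-style query log, proxy access log, netfilter
# kernel log, then a benign query for the parent of a listed trail.
LOGS = [
    "15-May-2026 10:12:01.113 client 10.0.0.5#51234: query: cdn.5q.reports-cdn.com IN A + (10.0.0.2)",
    '10.0.0.7 - - [15/May/2026:10:13:44 +0000] "GET http://mixcar.store/api/v1/cfg HTTP/1.1" 200 812',
    "May 15 10:14:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.77 PROTO=TCP DPT=443",
    "15-May-2026 10:15:30.002 client 10.0.0.5#51235: query: reports-cdn.com IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    iocs = IocSet.from_trails(TRAILS)
    for n, trail, info, line in scan(LOGS, iocs):
        print(f"line {n}: {trail} [{info}] <- {line}")
    print("\n".join(rpz_records(iocs)))
```

Matching is one-directional: a lookup for `cdn.5q.reports-cdn.com` hits the listed trail, but the fourth log line's `reports-cdn.com` does not, because a parent domain is not itself listed. The RPZ output pairs each trail with a wildcard record so subdomains are answered NXDOMAIN as well. The `ip_blocklist` output still needs vetting before it is loaded into a firewall set, since a listed address on shared hosting takes legitimate sites down with it.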