Maltrail IOCs for APT Kimsuky, Lummac2, MagentoCore, and FakeApp Campaigns
This brief summarizes indicators of compromise (IOCs) from a Maltrail feed update on 2026-05-20, detailing network activity associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp campaigns, providing actionable intelligence for detection and response.
This threat brief is based on a Maltrail feed update from 2026-05-20 which identifies network IOCs associated with multiple threat actors and campaigns. The identified actors include APT Kimsuky, a suspected North Korean threat group known for espionage and cybercrime, along with campaigns attributed to Lummac2, MagentoCore, and FakeApp. The IOCs consist primarily of domains that are likely used for command and control, phishing, or malware distribution. This information is relevant for defenders seeking to identify and block malicious network traffic related to these campaigns. The domains associated with FakeApp suggest potential phishing or social engineering campaigns.
Attack Chain
- Initial Compromise: The attack chain likely starts with phishing emails or social engineering tactics to lure victims to visit malicious websites.
- Domain Resolution: Victims click on links within phishing emails, resolving malicious domains (e.g., duolivecall-googel.com) associated with the campaigns.
- Payload Delivery: Upon visiting the malicious domain, the victim may be prompted to download a malicious application or document containing malware.
- Command and Control (C2) Communication: The malware establishes communication with command and control servers using domains such as 2u9f.2usrmmwwduz.dns.navy (for APT Kimsuky) or pantofr.cyou (for Lummac2) to receive instructions.
- Data Exfiltration: The compromised system begins exfiltrating sensitive data to attacker-controlled infrastructure.
- Lateral Movement: Depending on the malware and the actor's objectives, lateral movement may occur to compromise additional systems within the network.
Impact
Successful attacks leveraging these IOCs could result in data theft, system compromise, espionage, or financial loss. Victims may include individuals targeted by FakeApp scams, or organizations compromised by APT Kimsuky for espionage purposes. The MagentoCore campaign suggests potential targeting of e-commerce platforms for financial gain through skimming or data theft.
Recommendation
- Block the domains identified in this feed update at the DNS resolver to prevent communication with malicious infrastructure.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
- Monitor network traffic for connections to the domains associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp.
Detection coverage (3 rules)
- Detect Connections to Kimsuky DNS Navy Domains (severity: medium): Detects connections to domains ending with dns.navy, potentially related to APT Kimsuky activity.
- Detect FakeApp Domains (severity: medium): Detects connections to domains associated with the FakeApp campaign based on domain naming conventions.
- Detect Connection to Pantofr Domain (severity: medium): Detects connections to the pantofr.cyou domain associated with Lummac2.
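Added example (not code from the Maltrail feed or the platform's Sigma rules): the three detections above written as matchers and run over constructed DNS query log lines, plus the resolver block records the first recommendation calls for. The FakeApp rule here matches the one FakeApp domain the brief names, since the naming convention the platform's rule uses is not given; the log format "timestamp client qname" is an assumption.

```python
from collections import defaultdict

# Rules mirroring the brief's three detections. FakeApp matches the one
# FakeApp domain the brief names (its naming convention is not given).
RULES = [
    ("Kimsuky DNS Navy", "suffix", ".dns.navy"),
    ("Lummac2 Pantofr", "exact", "pantofr.cyou"),
    ("FakeApp", "exact", "duolivecall-googel.com"),
]

# Constructed DNS query log (not real telemetry): "<ts> <client> <qname>".
SAMPLE_LOG = """\
2026-05-20T08:01:02Z 10.0.0.15 2u9f.2usrmmwwduz.dns.navy
2026-05-20T08:01:05Z 10.0.0.15 www.example.com
2026-05-20T08:02:11Z 10.0.0.22 PANTOFR.CYOU.
2026-05-20T08:03:40Z 10.0.0.31 duolivecall-googel.com
2026-05-20T08:04:00Z 10.0.0.40 host.notdns.navy
"""

def normalise(qname):
    """Lower-case and drop the trailing dot some resolvers log."""
    return qname.lower().rstrip(".")

def matches(qname, kind, pattern):
    # Suffix rules keep the leading "." so look-alikes such as
    # host.notdns.navy do not fire.
    if kind == "suffix":
        return qname.endswith(pattern)
    return qname == pattern

def scan(log_text):
    """Return {rule name: [(client, qname), ...]} for matching queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = parts
        qname = normalise(qname)
        for name, kind, pattern in RULES:
            if matches(qname, kind, pattern):
                hits[name].append((client, qname))
    return dict(hits)

def rpz_records():
    """RPZ records for recommendation 1: NXDOMAIN each rule's domain or zone."""
    return [("*" + p if k == "suffix" else p) + " CNAME ." for _, k, p in RULES]
```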
Indicators of compromise (44 domains, 6 URLs)