Threat level: medium

Kimsuky APT Domains and URLs from Maltrail Feed

This brief summarizes newly published IOCs (49 domains and one URL) associated with the Kimsuky APT group as of June 2nd, 2026, sourced from a Maltrail feed.

This threat brief summarizes indicators of compromise (IOCs) associated with the Kimsuky APT group, a North Korean threat actor known for cyber espionage and intelligence gathering. The IOCs, 49 domains and one URL, were extracted from a Maltrail feed published on June 2nd, 2026, and can be used to identify and block network traffic related to Kimsuky’s activities. Kimsuky is known to target South Korean government entities, think tanks, and individuals involved in foreign policy and national security, using spear-phishing, watering-hole attacks, and custom malware. Two features of this particular list stand out. First, many of the hostnames imitate Naver’s login subdomain (nid) and related authentication paths, for example nid.naver.mywire.org, nid-nver.mybox.camdvr.org, nid-sign.opik.net, passnid.lopm.webredirect.org and nusrauth.gleeze.com, which points to credential-harvesting phishing pages as well as possible command-and-control infrastructure. Second, nearly all of the hosts are subdomains of free dynamic-DNS services (dynv6.net, dns.navy, dns.army, v6.navy, v6.army, mywire.org, webredirect.org, camdvr.org, dynuddns.net and similar), so detections should match the full hostnames listed rather than the shared parent zones. The single URL entry is the Maltrail commit that published the list, not attacker infrastructure.

Attack Chain

While this report focuses primarily on IOCs, a typical Kimsuky attack chain might involve the following steps:

  1. Spear-phishing: Kimsuky initiates contact via highly targeted spear-phishing emails, often masquerading as legitimate correspondence from trusted sources.
  2. Malicious Attachment/Link: The emails carry weaponized documents or links to attacker-controlled pages; for the hostnames in this brief, those pages are typically login lookalikes that harvest credentials.
  3. Execution: Opening the attachment runs the payload on the victim’s machine; following the link either delivers malware or captures the credentials the victim enters.
  4. Persistence: The malware establishes persistence through methods such as scheduled tasks or registry modifications to retain access to the system.
  5. Command and Control: The malware connects to command-and-control (C2) servers to receive instructions and exfiltrate data. The domains in this brief are relevant here and at step 2, as potential C2 destinations or phishing hosts.
  6. Lateral Movement: The attackers attempt to move laterally within the network, compromising additional systems and accounts.
  7. Data Exfiltration: Sensitive data is collected and exfiltrated to the attacker’s servers.
  8. Espionage: The ultimate goal of Kimsuky is often espionage, gathering intelligence on South Korean government policies, defense strategies, and diplomatic relations.

Impact

Compromise by Kimsuky can result in the loss of sensitive information, including government secrets, personal data, and intellectual property. This can have significant national security and economic consequences for targeted organizations. Successful attacks can also damage the reputation of affected entities and erode public trust. Given Kimsuky’s focus on espionage, the primary impact is long-term strategic disadvantage for targeted nations.

Recommendation

  • Ingest the 49 domain IOCs from the Indicators of compromise section into your SIEM or threat intelligence platform for alerting and blocking. Match on the full hostname and its subdomains, not on the parent dynamic-DNS zones, which are shared with legitimate users.
  • Do not ingest the single URL entry as a blocklist indicator: it is the Maltrail commit that published the list, not attacker infrastructure.
  • Monitor DNS, proxy and firewall logs for outbound connections to the listed hosts.
  • Deploy the two Sigma rules referenced under Detection coverage (DNS queries and outbound network connections to the listed hosts).
  • Investigate any system that has communicated with these hosts, prioritizing users involved in South Korean foreign policy, national security, or defense. Because many of the hostnames imitate Naver login pages, treat a visit as possible credential exposure and reset the affected accounts.

Detection coverage (2 rules)

Detect DNS Queries to Kimsuky Domains

medium

Detects DNS queries to domains associated with the Kimsuky APT group.

Format: Sigma. Tactic: Command and Control. Technique: T1071.004 (Application Layer Protocol: DNS). Log source: dns_query (Windows).

Detect Outbound Connection to Kimsuky Domains

medium

Detects outbound network connections to domains associated with the Kimsuky APT group.

Format: Sigma. Tactic: Command and Control. Technique: T1071.001 (Application Layer Protocol: Web Protocols). Log source: network_connection (Windows).

Detection queries are available on the platform.
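As an added example (not code from this page, the Maltrail feed, or the detection platform), the following Python implements the matching logic behind the two detections above over constructed Sysmon-style log records, and builds a Sigma-shaped rule for the DNS case. It uses a subset of the domains from this brief; the JSON field names follow Sysmon Event 22 (QueryName) and Event 3 (DestinationHostname), but the record layout and the sample log lines are assumptions constructed for the example. The point it makes beyond the text: match the full listed hostname or a child of it, never the shared dynamic-DNS parent zone, and keep the feed's GitHub URL out of the match set.

```python
"""Hostname IOC matching for the Kimsuky list: exact host or child subdomain,
never the shared dynamic-DNS parent zone. Added example, not the page's code."""
import json
from typing import Iterable, List, Optional, Set, Tuple

# Subset of the domain IOCs from this brief (the full table follows below).
KIMSUKY_DOMAINS: Set[str] = {
    "naver.mywire.org",
    "nid.naver.mywire.org",
    "passnid.lopm.webredirect.org",
    "dns-setup.remotewire.net",
    "diaxwn61lp.dynv6.net",
    "health-doc.giize.com",
    "nid.puoios.o-r.kr",
}

# The feed's single 'url' entry is the Maltrail commit that published the list,
# not attacker infrastructure, so it is deliberately kept out of the match set.
FEED_SOURCE_URL = ("https://api.github.com/repos/stamparm/maltrail/commits/"
                   "f04e78fc9e109400f740b2e34c86ad5630c7048a")


def normalize_host(host: str) -> str:
    """Lower-case, drop a :port and a trailing dot so log variants compare equal."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port, but leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def matches_ioc(host: str, iocs: Set[str] = KIMSUKY_DOMAINS) -> Optional[str]:
    """Return the listed IOC that `host` equals or sits under, else None.

    Walks from the full name up through its parents, so
    abc.dns-setup.remotewire.net hits dns-setup.remotewire.net, while the bare
    zone remotewire.net (shared with unrelated users) never matches.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed Sysmon-style records (not real telemetry): EventID 22 is DnsQuery
# (QueryName), EventID 3 is NetworkConnect (DestinationHostname).
SAMPLE_LOGS: List[str] = [
    '{"EventID": 22, "Computer": "WS-01", "QueryName": "nid.naver.mywire.org"}',
    '{"EventID": 22, "Computer": "WS-02", "QueryName": "login.naver.com"}',
    '{"EventID": 22, "Computer": "WS-03", "QueryName": "myhome.mywire.org"}',
    '{"EventID": 3, "Computer": "WS-01", "DestinationHostname": "PASSNID.LOPM.WEBREDIRECT.ORG."}',
    '{"EventID": 3, "Computer": "WS-04", "DestinationHostname": "api.github.com:443"}',
    '{"EventID": 22, "Computer": "WS-05", "QueryName": "abc.dns-setup.remotewire.net"}',
]


def scan_logs(lines: Iterable[str],
              iocs: Set[str] = KIMSUKY_DOMAINS) -> List[Tuple[str, str, str, str]]:
    """Return (computer, technique, host, matched_ioc) for every record that hits.

    Mirrors the two detections above: DNS queries are tagged T1071.004 and
    outbound connections T1071.001.
    """
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") == 22:
            host, technique = rec.get("QueryName", ""), "T1071.004"
        elif rec.get("EventID") == 3:
            host, technique = rec.get("DestinationHostname", ""), "T1071.001"
        else:
            continue
        ioc = matches_ioc(host, iocs)
        if ioc is not None:
            hits.append((rec["Computer"], technique, normalize_host(host), ioc))
    return hits


def sigma_dns_rule(iocs: Set[str]) -> dict:
    """Build a Sigma-shaped rule as a dict (dump with yaml.safe_dump) that matches
    the listed hosts exactly and any child label under them."""
    hosts = sorted(iocs)
    return {
        "title": "DNS query to Kimsuky infrastructure",
        "status": "experimental",
        "logsource": {"category": "dns_query", "product": "windows"},
        "detection": {
            "selection_exact": {"QueryName": hosts},
            "selection_sub": {"QueryName|endswith": ["." + h for h in hosts]},
            "condition": "1 of selection_*",
        },
        "tags": ["attack.command_and_control", "attack.t1071.004"],
    }


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Running the block prints three hits: the Naver-lookalike DNS query from WS-01, the case- and trailing-dot-insensitive connection to passnid.lopm.webredirect.org, and the child hostname under dns-setup.remotewire.net. The query for myhome.mywire.org on WS-03 stays silent because only the listed hosts, not the mywire.org zone, are indicators, and api.github.com is not matched even though the feed's URL entry lives there.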

Indicators of compromise (49 domains, 1 URL)

Note: the single URL entry is the Maltrail commit from which the domain list was taken, not attacker infrastructure. Ingest only the 49 domains as blocklist entries and keep the URL as a source reference.

Type    Value
url     https://api.github.com/repos/stamparm/maltrail/commits/f04e78fc9e109400f740b2e34c86ad5630c7048a
domain  0jr87375qt.v6.navy
domain  2ecy51395u.v6.navy
domain  b8fq9189g6.dns.navy
domain  confirm1.moois-nid.remotewire.net
domain  cxmfcubfnq.dns.navy
domain  diaxwn61lp.dynv6.net
domain  dns-setup.remotewire.net
domain  e639kk.wjyx49u3cu3.dns.army
domain  egbzqa25gw.v6.navy
domain  health-doc.giize.com
domain  info.dns-setup.remotewire.net
domain  ip-cloud.theworkpc.com
domain  ips-doc.webredirect.org
domain  ips.dynuddns.net
domain  ispd.nts-write.remotewire.net
domain  jbyaa6xotk.v6.army
domain  lopm.webredirect.org
domain  mois-doc.roxa.org
domain  mois.mytunnel.org
domain  moois-nid.remotewire.net
domain  ms-cloud.ezgateway.net
domain  mybox.camdvr.org
domain  n-corp.hets12ex.dns.army
domain  n2gdnw08p4.dns.navy
domain  nav-log.moois-nid.remotewire.net
domain  naver.mywire.org
domain  ncodcnpass.dns.navy
domain  nd8f3lxih4.v6.navy
domain  ndoc.nid-sign.opik.net
domain  nid-nver.mybox.camdvr.org
domain  nid-sign.opik.net
domain  nid.ips-doc.webredirect.org
domain  nid.naver.mywire.org
domain  nid.ncodcnpass.dns.navy
domain  nid.nid-sign.opik.net
domain  nid.niws.mysynology.net
domain  nid.puoios.o-r.kr
domain  niws.mysynology.net
domain  nj1oayuy2o.dns.army
domain  nps-load.remotewire.net
domain  nst.mysynology.net
domain  nts-write.remotewire.net
domain  nudoc-check.e639kk.wjyx49u3cu3.dns.army
domain  nusrauth.gleeze.com
domain  passnid.lopm.webredirect.org
domain  puoios.o-r.kr
domain  r461wn14u1.dns.army
domain  support.nst.mysynology.net
domain  tahpuoto94.dns.army