{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network_activity/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["APT Kimsuky"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ioc","apt","network_activity","kimsuky","lummac2","magentocore","fakeapp"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief is based on a Maltrail feed update from 2026-05-20 which identifies network IOCs associated with multiple threat actors and campaigns. The identified actors include APT Kimsuky, a suspected North Korean threat group known for espionage and cybercrime, along with campaigns attributed to Lummac2, MagentoCore, and FakeApp. The IOCs consist primarily of domains that are likely used for command and control, phishing, or malware distribution. This information is relevant for defenders seeking to identify and block malicious network traffic related to these campaigns. \nThe domains associated with FakeApp suggest potential phishing or social engineering campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attack chain likely starts with phishing emails or social engineering tactics to lure victims to visit malicious websites.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDomain Resolution:\u003c/strong\u003e Victims click on links within phishing emails, resolving malicious domains (e.g., \u003ccode\u003eduolivecall-googel.com\u003c/code\u003e) associated with the campaigns.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e Upon visiting the malicious domain, the victim may be prompted to download a malicious application or document containing malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware establishes communication with command and control servers using domains such as \u003ccode\u003e2u9f.2usrmmwwduz.dns.navy\u003c/code\u003e (for APT Kimsuky) or \u003ccode\u003epantofr.cyou\u003c/code\u003e (for Lummac2) to receive instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The compromised system begins exfiltrating sensitive data to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Depending on the malware and the actor\u0026rsquo;s objectives, lateral movement may occur to compromise additional systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks leveraging these IOCs could result in data theft, system compromise, espionage, or financial loss. Victims may include individuals targeted by FakeApp scams, or organizations compromised by APT Kimsuky for espionage purposes. \nThe MagentoCore campaign suggests potential targeting of e-commerce platforms for financial gain through skimming or data theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the domains listed in the IOC table at the DNS resolver to prevent communication with malicious infrastructure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the domains associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T22:12:32Z","date_published":"2026-05-20T22:12:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-maltrail-iocs/","summary":"This brief summarizes indicators of compromise (IOCs) from a Maltrail feed update on 2026-05-20, detailing network activity associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp campaigns, providing actionable intelligence for detection and response.","title":"Maltrail IOCs for APT Kimsuky, Lummac2, MagentoCore, and FakeApp Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-05-maltrail-iocs/"}],"language":"en","title":"CraftedSignal Threat Feed — Network_activity","version":"https://jsonfeed.org/version/1.1"}