{
	"id": "8baaefc7-4461-45c1-b7cb-5984cbbc7288",
	"created_at": "2026-04-06T00:17:02.903991Z",
	"updated_at": "2026-04-10T03:37:41.116953Z",
	"deleted_at": null,
	"sha1_hash": "7a32ad3d82104f02dd3de99833fdb3d2201b5ef5",
	"title": "“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1098103,
	"plain_text": "“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure\r\nPublished: 2024-12-10 · Archived: 2026-04-05 19:25:09 UTC\r\nTABLE OF CONTENTS\r\nBackground: Targeting of Naver\r\nTechnical Details\r\nSearching for 'Million OK !!!!' in Hunt\r\nLatest Results\r\nHistorical Observations\r\nA Simple \"Hello\"\r\nConclusion\r\nCertificate Hashes\r\nIn March 2024, a security researcher on Twitter/X observed a series of IP addresses and domains delivering an unusual HTTP response: 'Million OK!!!!'. Subsequent analysis of the infrastructure and domains linked this activity to the North Korean threat group Kimsuky.\r\nHunt researchers recently observed additional activity involving newly registered domains returning the same response. These web pages use the favicon of Naver, a South Korean technology corporation, although they have no association with the company. Domain registration information suggests the group is actively maintaining and expanding its infrastructure.\r\nKey observations:\r\nThe reappearance of the 'Million OK!!!!' HTTP response.\r\nContinued reliance on the p-e.kr, o-r.kr, and n-e.kr domain suffixes (second-level domains under .kr that the original post refers to as TLDs), previously associated with Kimsuky.\r\nUse of Naver branding elements, chiefly the favicon, to lend credibility to malicious pages.\r\nThis post provides an overview of the newly observed domains and infrastructure.\r\nBackground: Targeting of Naver\r\nNorth Korean threat actors, particularly Kimsuky, have repeatedly targeted South Korean platforms like Naver to steal credentials. These campaigns often employ phishing techniques, including counterfeit Naver login pages and tech-themed domain naming conventions.\r\nIn June 2023, South Korea's National Intelligence Service identified a phishing website replicating Naver's main page in real time, aiming to harvest personal data from South Korean users. 
This past October, Hunt uncovered a phishing campaign targeting Naver users, utilizing exposed directories containing phishing pages designed to steal credentials.\r\nThe following section focuses on the domains, IPs, and infrastructure observed in the latest campaign.\r\nTechnical Details\r\nhttps://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking\r\nPage 1 of 7\n\nThis collection of \"Million OK !!!!\" infrastructure shares several notable traits. All observed IPs sit in address space announced by the UCLOUD Information Technology (HK) Limited ASN and geolocate to South Korea.\r\nWhile the exact purpose of the text remains unclear, it most likely serves as a distinctive marker or placeholder that lets the operators verify which of their servers are up; for defenders it doubles as a pivot for finding more of the same infrastructure.\r\nSome of the distinct behaviors exhibited include:\r\n1. Direct IP Hosting: Some IPs host a web server that presents the 'Million OK !!!!' response, typically over port 80, without resolving to any domains.\r\n2. Domain Hosting: Others host a small cluster of domains or TLS certificates issued by Sectigo, often linked to Kimsuky's phishing campaigns.\r\n3. Legacy Web Server Stack: The servers run an outdated Windows build of Apache together with old OpenSSL and PHP releases (all from 2016 and early 2017). The Server header observed across all instances was Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30, which is itself a useful fingerprint because current servers rarely advertise that exact combination.\r\nThe following screenshots show the response presented during our research and the favicon. The first example captures the domain nidauth.r-e[.]kr, which is likely meant to mimic Naver's sign-in page (Naver's real login host is nid.naver.com, which explains the recurring 'nid' label in these domains), while the other displays a direct request to an IP address.\r\nFigure 1: Domain presenting the Million OK message and the Naver favicon.\r\nFigure 2: Making an HTTP request to many IPs in this collection displays the above.\r\nSearching for 'Million OK !!!!' 
in Hunt\r\nUsing HuntSQL™ Explorer, we queried the latest scan results to identify servers returning the distinctive text in their HTTP response bodies. This approach enabled us to pinpoint IPs relevant to our investigation efficiently.\r\nThe exact query used is shown below:\r\nSELECT ip, port, http.body FROM http WHERE http.body == 'Million OK !!!!' GROUP BY ip, port, http.body\r\nThis query retrieves the IP address, port, and HTTP response body from the dataset, keeping only entries whose body equals the text 'Million OK !!!!'. Note the space before the exclamation marks: the comparison is an equality, so a server returning the variant 'Million OK!!!!' without the space would not be matched and needs its own query. By grouping the results by IP, port, and response body, we isolate unique instances of this behavior, removing duplicates and streamlining our analysis.\r\nFigure 3: Screenshot of scan results using SQL Explorer in Hunt.\r\nLatest Results\r\nWhile most of our findings were observed on port 80, several IPs also had port 443 open. These instances mirrored the same HTTP response and favicon and included a TLS certificate. 
Additional details are displayed below.\r\nIP Address         | Resolving Domain(s)           | TLS Certificate Org | Domain in Common Name of Certificate\r\n118.193.68[.]146   | N/A                           | Sectigo Limited     | *.nidcheck.o-r[.]kr, *.againcheck[.]site\r\n118.194.248[.]148  | N/A                           | N/A                 | N/A\r\n123.58.200[.]50    | N/A                           | N/A                 | N/A\r\n152.32.138[.]191   | N/A                           | N/A                 | N/A\r\n152.32.243[.]153   | N/A                           | Sectigo Limited     | *.checkmail.kro[.]kr, *.nidcorp[.]store, *.checkagain[.]store\r\nHistorical Observations\r\nIP Address         | Resolving Domain(s)           | TLS Certificate Org | Domain in Common Name of Certificate\r\n118.193.69[.]248   | ozszg[.]top, mail.ozszg[.]top | N/A                 | N/A\r\n123.58.200[.]13    | N/A                           | N/A                 | N/A\r\n152.32.243[.]184   | nld.blog-view[.]o-r.kr        | N/A                 | N/A\r\n152.32.138[.]63    | N/A                           | N/A                 | N/A\r\nA Simple \"Hello\"\r\nWhile analyzing servers displaying the Naver favicon, we found a web page hosted at IP address 101.36.114[.]153 that stood out. Instead of returning the previously observed text, the server responded with a simple 'Hello' message, a familiar sight for those accustomed to sifting through internet scan data.\r\nWhat made this host interesting was that, in addition to the favicon, it shares the same ASN, a TLS certificate issued by the same CA (Sectigo), and a similar Apache server configuration, though with different software versions.\r\nUsing Hunt's Port History tab from within the IP overview page, we can see the 'Hello' response captured along with the HTTP headers.\r\nFigure 4: Port history showing the 'Hello' HTTP response (Hunt)\r\nThe TLS certificate associated with this server adds further context to its connection with the identified patterns. The certificate's Common Name (CN), edoc-send.n-e[.]kr, reflects the frequent use of the n-e.kr suffix in phishing and C2 infrastructure often tied to 
Kimsuky. (The certificate SHA256 printed in the source post, 3a6640efbfbd42efbfbd21d5bcefbfbd68023a74d19848efbfbd167b7aefbfbd0573efbfbd, is mangled by encoding errors: the repeated efbfbd sequences are UTF-8 replacement characters and the value is 74 hex digits rather than 64, so it should not be used as an indicator.)\r\nFigure 5: Screenshot of the historical TLS records for 101.36.114[.]153 (Hunt).\r\nFurther examination of the certificate's domain revealed a registrant email address of cfa4a551515dc742s@gmail[.]com. As reported in September 2024 by Unit 42, this email is tied to two domains used by the malware families KLogEXE and FPSpy.\r\nFigure 6: Screenshot showing registrant email links (Source: Unit 42).\r\nFor additional details, see the original blog post, \"Unraveling Sparkling Pisces's Tool Set: KLogEXE and FPSpy.\"\r\nConclusion\r\nConsistent patterns emerged across the infrastructure discussed in this blog, including Sectigo-issued TLS certificates, a shared legacy Apache server configuration, specific .kr domain suffixes, and a focus on Naver-related targeting.\r\nA distinct HTTP response at 101.36.114[.]153 led to a certificate whose Common Name, edoc-send.n-e[.]kr, was tied to a registrant email address previously reported by Unit 42.\r\nSQL Explorer enables analysts to identify and monitor suspicious infrastructure without relying on malware samples or active phishing pages. 
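As an added example, not code from the Hunt post, the following Python turns the traits listed under Technical Details and the GROUP BY logic of the HuntSQL query into a stand-alone triage routine over scan records. The record layout, the sample records, the favicon hash value, the ASN string comparison and the Server header of the 'Hello' host are all assumptions constructed for the example; the marker text, the legacy Apache header, the Sectigo issuer and the .kr suffixes come from the post.

```python
# Added example for this corpus page; it is not code from the Hunt blog.
# It scores scan records against the recurring traits the post describes
# (marker body, legacy Apache header, Sectigo-issued cert, .kr suffixes,
# Naver favicon, UCLOUD ASN) and deduplicates on (ip, port, body) the way
# the post's GROUP BY does. The sample records below are constructed; the
# favicon hash, the ASN string and the 'Hello' host's Server header are
# assumptions, not indicators quoted from the post.

MARKER_BODY = 'Million OK !!!!'
LEGACY_SERVER = 'Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30'
# Korean second-level suffixes the post associates with Kimsuky infrastructure.
SUSPECT_SUFFIXES = ('p-e.kr', 'o-r.kr', 'n-e.kr', 'r-e.kr', 'kro.kr')
ASSUMED_ASN = 'UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED'
# Assumed stand-in for the SHA256 of the Naver favicon (not the real value).
ASSUMED_NAVER_FAVICON_SHA256 = 'deadbeef' * 8


def refang(value):
    '''Turn the defanged form used in the post (1.2.3[.]4) back into a real dotted string.'''
    return value.replace('[.]', '.')


def normalize_marker(body):
    '''Collapse whitespace so the post's two spellings, with and without the
    space before the exclamation marks, compare equal.'''
    return ''.join(body.split())


def suffix_hits(cert_names):
    '''Return the certificate names whose domain ends in one of SUSPECT_SUFFIXES.
    Leading wildcard labels (*.example.o-r.kr) are stripped before the check.'''
    hits = []
    for name in cert_names:
        bare = refang(name).lower().lstrip('*.')
        if any(bare == s or bare.endswith('.' + s) for s in SUSPECT_SUFFIXES):
            hits.append(name)
    return hits


def fingerprint(rec):
    '''Return the list of post-described traits a single scan record matches.'''
    traits = []
    if normalize_marker(rec.get('body', '')) == normalize_marker(MARKER_BODY):
        traits.append('marker_body')
    if rec.get('server') == LEGACY_SERVER:
        traits.append('legacy_apache_stack')
    if rec.get('asn', '').upper() == ASSUMED_ASN:
        traits.append('ucloud_asn')
    if rec.get('favicon_sha256') == ASSUMED_NAVER_FAVICON_SHA256:
        traits.append('naver_favicon')
    if 'sectigo' in rec.get('issuer', '').lower():
        traits.append('sectigo_cert')
    if suffix_hits(rec.get('cert_names', [])):
        traits.append('suspect_suffix_in_cn')
    return traits


def triage(records, min_traits=3):
    '''Deduplicate on (ip, port, body) and keep hosts with at least min_traits
    matching traits. Returns a dict keyed by refanged ip:port.'''
    seen = set()
    flagged = {}
    for rec in records:
        ip = refang(rec['ip'])
        key = (ip, rec['port'], normalize_marker(rec.get('body', '')))
        if key in seen:
            continue
        seen.add(key)
        traits = fingerprint(rec)
        if len(traits) >= min_traits:
            flagged[ip + ':' + str(rec['port'])] = traits
    return flagged


# Constructed sample records modelled on the post's tables (not real scan output).
SAMPLE_RECORDS = [
    {'ip': '118.193.68[.]146', 'port': 443, 'body': 'Million OK !!!!',
     'server': LEGACY_SERVER, 'asn': 'UCLOUD Information Technology (HK) Limited',
     'favicon_sha256': ASSUMED_NAVER_FAVICON_SHA256, 'issuer': 'Sectigo Limited',
     'cert_names': ['*.nidcheck.o-r[.]kr', '*.againcheck[.]site']},
    # Duplicate scan of the same host: dropped by the (ip, port, body) grouping.
    {'ip': '118.193.68[.]146', 'port': 443, 'body': 'Million OK !!!!',
     'server': LEGACY_SERVER, 'asn': 'UCLOUD Information Technology (HK) Limited'},
    # Port-80 host with the variant spelling and no certificate.
    {'ip': '152.32.243[.]184', 'port': 80, 'body': 'Million OK!!!!',
     'server': LEGACY_SERVER, 'asn': 'UCLOUD Information Technology (HK) Limited'},
    # The 'Hello' host: no marker, but favicon, ASN, issuer and suffix still match.
    {'ip': '101.36.114[.]153', 'port': 443, 'body': 'Hello',
     'server': 'Apache (Win32)',  # assumed placeholder, version not quoted from the post
     'asn': 'UCLOUD Information Technology (HK) Limited',
     'favicon_sha256': ASSUMED_NAVER_FAVICON_SHA256, 'issuer': 'Sectigo Limited',
     'cert_names': ['edoc-send.n-e[.]kr']},
    # Unrelated host from the RFC 5737 documentation range: should not be flagged.
    {'ip': '203.0.113[.]10', 'port': 80, 'body': 'It works!', 'server': 'nginx'},
]

if __name__ == '__main__':
    for host, traits in sorted(triage(SAMPLE_RECORDS).items()):
        print(host, ', '.join(traits))
```

Run it to list the flagged hosts with their matching traits. The marker comparison is whitespace-insensitive, so both spellings the post uses are caught, and the 'Hello' host is still flagged on the non-body traits, which is exactly the pivot the post describes. Tune min_traits to your tolerance for false positives: the legacy Server header on its own can also appear on forgotten legitimate hosts, so it should not be a sole trigger.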
Outlining these recurring patterns and infrastructure traits offers defenders valuable context to monitor adversary activity and understand their operational methods.\r\nCertificate Hashes (SHA256 fingerprints, one per certificate Common Name)\r\n*.nidcheck.o-r[.]kr - 393CBD41F14B1C55BDE92A32E10B5D65384E33A97C77F352BD90FDB8FD5D73AE\r\n*.againcheck[.]site - 5F2C65E695D85395634E7AB561242425E6EF281CE2E14A0D5C1704ED593CFA5F\r\n*.checkmail.kro[.]kr - 98C85EF91E05593CD470FFE8698AA6D97B36E8B885200BE87080B8C2A135FB9C\r\n*.nidcorp[.]store - D8A8DDDA6CC12C5533268B20E48E1B636CE9173E9F9B5BB4C832FE00F1B26841\r\n*.checkagain[.]store - 974E386F8FACFF325EC2F3EBB7439A9A1E4E4C88944D5BEB5C341923DC993556\r\nSource: https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking"
	],
	"report_names": [
		"million-ok-naver-facade-kimsuky-tracking"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a32ad3d82104f02dd3de99833fdb3d2201b5ef5.pdf",
		"text": "https://archive.orkl.eu/7a32ad3d82104f02dd3de99833fdb3d2201b5ef5.txt",
		"img": "https://archive.orkl.eu/7a32ad3d82104f02dd3de99833fdb3d2201b5ef5.jpg"
	}
}