The Staging Layer: A Kimsuky-Class Phishing Farm on Free Korean DNS, and a Bumper Crop of GitHub RATs
- Patrick Duggan
Two unrelated operations, one window. Both visible before they fire — if you watch where attacks are staged instead of where they land.
On the morning of June 28, 2026, two completely different threat operations surfaced in our feed within the same hour. One is patient nation-state statecraft. The other is loud, commodity, smash-and-grab crime. They share no infrastructure, no actor, no motive. What they share is the thing we keep telling people to watch: the staging layer. The place attacks are built and parked, before anyone gets phished, before any phone gets owned.
We don't wait for the breach. We watch the build.
Operation One: ~500 phishing domains hiding on free Korean DNS
The first cluster is a credential-harvesting farm spread across four free Korean dynamic-DNS suffixes — o-r.kr, kro.kr, n-e.kr, and p-e.kr. These are the .kr equivalent of the free no-ip and duckdns services: anyone can mint an endless supply of subdomains at zero cost, zero KYC, and rotate through them faster than any takedown process can keep up. Across those four suffixes we are tracking roughly 500 distinct domains tied to this one campaign.
Most of them are throwaway random strings — rmrhpktxugxggmso.o-r.kr, snrhbyerfgfashr.kro.kr — generated by the hundred and burned by the dozen. That rotation noise is the camouflage. The signal is in the minority of domains that name their target out loud.
Read these and the operation explains itself: google.secureverification.kro.kr, google.account-verify.kro.kr, youtube.accounts.o-r.kr, nid-check.o-r.kr, nid-mail.o-r.kr, naver-page.o-r.kr, nid.navmercorp.n-e.kr. NID is the Naver ID login; Naver is South Korea's Google. Then it gets more specific, and more telling: nts-go.ips-auth-user.n-e.kr and ninvoice.taxcloud.kro.kr impersonate the National Tax Service. nid.police-notice-go.kro.kr impersonates the Korean National Police. And a whole sub-cluster, online.recertitation.kro.kr, recert.healthy.o-r.kr, verify.kro-cert.kro.kr, runs a "certificate re-certification" lure: a social-engineering pretext built on Korea's GPKI public-key certificate system, the certificate Koreans routinely use and periodically renew for banking and government logins. A renewal notice is exactly the kind of message the target expects to receive, which is what makes the pretext work.
That target set — Naver plus Google plus Korean government identity, tax, and police, wrapped in a GPKI certificate-renewal pretext, hosted on free .kr dynamic DNS — is not generic crimeware. It is the documented tradecraft of Kimsuky and its Konni cousin, the North Korean intelligence-collection units that have leaned on these exact free Korean DNS providers for years. We are calling it consistent with Kimsuky-class activity. We are not claiming attribution we cannot prove — the upstream signal carries no actor field, and we cap our certainty at 95% on principle. But the shape is unmistakable.
Here is the part that matters for defenders. When this cluster arrived, every one of those domains carried a confidence score of 70 — below our block threshold of 80. We knew about 500 phishing domains we were not yet blocking. So we did the work a feed is supposed to do: we separated the lure-themed hosts from the rotation noise, confirmed the campaign shape, and promoted 77 high-signal domains to confidence 85. They now cross the threshold and flow to every consumer of our feed — the edge worker, the mail-tier block list, the DNS sinkhole and Suricata plugins. The throwaway random-string domains we left at 70 on purpose; they are probably already dead, and blocking dead infrastructure is how you fill a list with noise.
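To make that triage step concrete, here is an added example of the lure-versus-noise split and the confidence promotion described above. It is my own illustration, not DugganUSA's feed code: the suffix list, the named domains and the 70/80/85 numbers come from the post, while the lure-token list, the vowel-ratio heuristic for generated labels, and the RPZ-style output format are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Free Korean dynamic-DNS suffixes named in the post. Anyone can mint labels
# directly under these, so the interesting labels are the ones just left of them.
FREE_KR_SUFFIXES = ("o-r.kr", "kro.kr", "n-e.kr", "p-e.kr")

# Assumed token list, derived from the lure-themed hosts quoted in the post.
# A label piece that starts with one of these names its target out loud.
LURE_TOKENS = (
    "google", "youtube", "naver", "navmercorp", "nid",   # Google / Naver identity
    "nts", "ninvoice", "taxcloud", "police",              # tax service, police
    "cert", "recert", "verif", "secure", "auth", "account", "check", "mail",
)

ARRIVAL_CONFIDENCE = 70    # score the cluster arrived with
BLOCK_THRESHOLD = 80       # feed consumers only act at or above this
PROMOTED_CONFIDENCE = 85   # score given to the curated, lure-themed hosts


@dataclass
class Triaged:
    domain: str
    confidence: int
    reason: str


def labels_under_suffix(domain: str) -> Optional[List[str]]:
    """Labels to the left of a tracked free suffix, or None if not under one."""
    d = domain.lower().rstrip(".")
    for suffix in FREE_KR_SUFFIXES:
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].split(".")
    return None


def looks_random(label: str) -> bool:
    """Assumed heuristic for throwaway labels like rmrhpktxugxggmso: a single
    long label with no hyphen and very few vowels. Real words run roughly
    35-45% vowels; the generated strings in the post run about 13%."""
    if len(label) < 10 or "-" in label:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.25


def lure_hits(labels: List[str]) -> List[str]:
    """Match tokens against hyphen- and dot-separated pieces, not raw
    substrings, so 'accounts' hits 'account' without also hitting 'nts'."""
    pieces = [p for label in labels for p in label.split("-")]
    return [t for t in LURE_TOKENS if any(p.startswith(t) for p in pieces)]


def triage(domain: str) -> Triaged:
    """Promote lure-themed hosts; leave rotation noise at its arrival score."""
    labels = labels_under_suffix(domain)
    if labels is None:
        return Triaged(domain, ARRIVAL_CONFIDENCE, "not on a tracked free .kr suffix")
    hits = lure_hits(labels)
    if hits:
        return Triaged(domain, PROMOTED_CONFIDENCE, "lure tokens: " + ",".join(hits))
    if len(labels) == 1 and looks_random(labels[0]):
        return Triaged(domain, ARRIVAL_CONFIDENCE, "rotation noise, left at arrival score")
    return Triaged(domain, ARRIVAL_CONFIDENCE, "no lure signal, needs manual review")


def block_list(domains: List[str]) -> List[str]:
    """Hosts that cross the block threshold, emitted as RPZ-style NXDOMAIN
    records (an assumed format for the DNS sinkhole consumer)."""
    return [f"{t.domain} CNAME ." for t in map(triage, domains)
            if t.confidence >= BLOCK_THRESHOLD]


if __name__ == "__main__":
    # Sample input: domains quoted in the post plus one off-suffix control.
    sample = [
        "rmrhpktxugxggmso.o-r.kr", "snrhbyerfgfashr.kro.kr",
        "google.secureverification.kro.kr", "nid-check.o-r.kr",
        "nts-go.ips-auth-user.n-e.kr", "nid.police-notice-go.kro.kr",
        "verify.kro-cert.kro.kr", "example.com",
    ]
    for t in map(triage, sample):
        print(f"{t.confidence:>3}  {t.domain:<36} {t.reason}")
    print("\n".join(block_list(sample)))
```

The point of the two-tier rule is the one the post makes: a token hit promotes, but the absence of a hit does not demote. A long consonant-heavy label is parked at 70 as probable rotation noise, and anything that is neither obviously a lure nor obviously generated stays below threshold for a human to look at rather than being silently blocked.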
That is the difference between a feed that counts and a feed that curates.
Operation Two: the GitHub RAT and stealer crop
The second cluster came from our own daily GitHub hunt, and it could not be more different in character. No patience, no statecraft — just a fresh harvest of commodity malware staged in public repositories, waiting to be cloned by the next low-skill operator.
The theme this batch is Android remote-access trojans and Discord token grabbers. The RAT side: DogeRat, XWORM-5.6, NetworkPegasus 2.0, Shadow-Builder, RedWing-Panel, and a stack of bare "Android-Rat" and "full-android-hack-rat" repositories. Several wear the oldest disguise in the mobile-malware book — the fake utility app. city-ratings-android, MovieRating-Android, a "rating" app here, an "exchange rate tool" there. The cover name is always something boring and plausible; the payload is full device takeover.
The Discord side is its own little economy: TOKEN-DISCORD-GRABBER, Discord-tokens-grabber, Discord-TokenGuardian, Discord-Harvest-Toolkit. These steal the authentication tokens that let an attacker ride a Discord session without a password — the same session-token-theft pattern that powers far more serious account-takeover chains. Rounding out the batch were a pair of process-hollowing loaders and an OKX crypto-wallet stealer.
None of this is sophisticated. That is exactly why it matters. This is the supply side of commodity crime — the staging shelf where tomorrow's small-time campaigns are sourced. We flagged the batch at confidence 85 to 95 the day it appeared, before any of it shipped to a victim.
Why the staging layer is the right place to stand
These two operations have nothing to do with each other. A North Korean intelligence unit harvesting Korean government credentials has no relationship to a teenager cloning a Discord grabber. But put them side by side and they teach the same lesson, the one that runs through everything we publish: the breach is the last event in a long chain, and the early links are visible if you are looking at the right layer.
The phishing domain exists before the phishing email is sent. The malicious repository exists before it is cloned and deployed. The infrastructure is staged, parked, and waiting — and that waiting period is the defender's window. Stand at the inbox and you are reacting. Stand at the staging layer and you are early.
We promoted 77 domains to the block list this morning. We flagged a crop of malware repositories before any of them fired. Neither action required knowing who the attacker was or who the victim would be. It required watching the build instead of the blast.
That is what left-of-boom actually means.
DugganUSA publishes threat intelligence from first-hand collection and curated open sources. Our STIX 2.1 feed is available to registered consumers; the indicators referenced here are live in it now. We cap our confidence at 95% — Murphy was an optimist.