Sunday, May 18, 2025
HomeComputer SecurityMicrosoft Hijack's 50 Domains Used by North Korean Hacking Group to Perform...

Microsoft Hijack’s 50 Domains Used by North Korean Hacking Group to Perform Various Cyber Attacks

Published on

SIEM as a Service

Follow Us on Google News

Microsoft takes control of the 50 domains used by North Korea based Thallium hacker group for breaking into customer accounts and network for stealing sensitive information.

The lawsuit was unsealed on December 27 in Virginia federal court, which states that Thallium targets Microsoft software users by mimicking the company.

Thallium Group Targets Microsoft Users

Thallium hacker group targets Microsoft customers in both public and private sectors, business, as well as many organizations and individuals worldwide.

- Advertisement - Google News

The group found to be active since 2010 and they specialized in launching targeted attacks, by identifying individuals associated with an organization based on the information available publically and through social media.

To compromise the victim the group employs spearphishing attacks, they craft personalized spear-phishing email appeared to be from reputable providers such as Gmail, Yahoo.

The email’s sent from the hacker group stating that “suspicious login activity was detected” and the email has a link embedded.

When the victim click’s on the link it takes to the domain controlled by the hacker group and it presents a copy of the login page.

Microsoft detailed a sample in which threat actors combined letter “r” and “n” to make it appear as “m” in “microsoft.com.” Example screenshot below.

Spear phishing Email

If the victims provide login details in the copy of the login page then Thalium hacker group can gain access to the victim’s account settings and they can review emails, contact lists, calendar appointments and anything else of interest in the compromised account, said Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust.

They also add an auto-forward rule in the victim’s Email account setting to get copies of the email received by the victim’s and they keep track of every activity.

Domains Used

To deceive the victims, Thallium redirects the victims to legitimate Microsoft website https://go.microsoft[.]com after the login credentials are entered on the fake page.

Microsoft identified that Thalium uses 50 domains in its command and control infrastructure, some of the domains impersonate well-known companies such as Microsoft, Google, Yahoo, and Naver.

Thallium command and control

Here is the list of domains used by the Thallium hacker group according to the complaint.

In addition to stealing data, Thallium also deploys malware named “BabyShark” and “KimJongRAT” malware on the victim’s computer.

The malware capable of stealing information from the victim’s machine and maintains a persistent presence and waits for instructions from the command and control server.

This is not the first time, Microsoft took legal action to take action to bring down the malicious domain infrastructure of the nation-state activity group.

Mitigation Suggested

  1. Enable two-factor authentication
  2. Identify Phishing Emails
  3. Enable security alerts about links and files

Cyber Security News Podcast

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Printer Company Distributes Malicious Drivers Infected with XRed Malware

Procolored, a printer manufacturing company, has been found distributing software drivers infected with malicious...

Frigidstealer Malware Targets macOS Users to Harvest Login Credentials

An macOS users, a new information-stealing malware dubbed FrigidStealer has emerged as a formidable...

SSH Auth Key Reuse Uncovers Advanced Targeted Phishing Campaign

A meticulously orchestrated phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been...