Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

    Date: 11/15/2024

    Severity: Critical

    Summary

    Unit 42 researchers have linked a North Korean IT worker activity cluster, tracked as CL-STA-0237, to phishing attacks that delivered the BeaverTail malware through trojanized video conference applications. Operating from Laos, the cluster exploited a U.S. IT services company to secure a job at a major technology firm. CL-STA-0237 is part of a larger network of North Korean IT workers that generates revenue for the regime's illicit activities, including its WMD and ballistic missile programs. Organizations are advised to strengthen hiring screening, monitor for insider threats, and review the security of outsourced services to mitigate the risk.

    Indicators of Compromise (IOC) List 

    URL/Domain

    effertz-carroll.com

    regioncheck.net

    freeconference.io

    ipcheck.cloud

    mirotalk.io

    mirotalk.net

    ftpserver0909.com

    IP Address

    167.88.36.13

    Email

    adonis_eros@outlook.com

    brightstar1116@outlook.com

    buyerlao@outlook.com

    casey_qadir@outlook.com

    cescernand@outlook.com

    devstar1116@gmail.com

    ebcappservices@gmail.com

    hakajakin@outlook.com

    ideationbrand@gmail.com

    legend_dev@outlook.com

    liko.sonexarth@gmail.com

    liko.sonexarth@hotmail.com

    longines0924@gmail.com

    lujindane@outlook.com

    matthewhall14541@gmail.com

    niko.sonexarth@gmail.com

    niko.sonexarth@hotmail.com

    oscar.vetres127@europe.com

    oscar.vetres127@gmail.com

    pinefirst@outlook.com

    reply9998@gmail.com

    richard.stewart.1202@gmail.com

    richard.stewart.1202@outlook.com

    sniper_bruce@outlook.com

    stp.walsh33@gmail.com

    techcare127@gmail.com

    truepai415@gmail.com

    truestar222@outlook.com

    volodimir.work2020@gmail.com

    zhangming_k@yahoo.com

    zhuming1116@gmail.com

    lisettekolson8@gmail.com

    312011217@qq.com

    alhinglovena3000@gmail.com

    jumphon2103@gmail.com

    mobilephetjum@gmail.com

    phetchamphone1998@gmail.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "mirotalk.io" or url like "mirotalk.io" or userdomainname like "mirotalk.net" or url like "mirotalk.net" or userdomainname like "regioncheck.net" or url like "regioncheck.net" or userdomainname like "ipcheck.cloud" or url like "ipcheck.cloud" or userdomainname like "effertz-carroll.com" or url like "effertz-carroll.com" or userdomainname like "freeconference.io" or url like "freeconference.io" or userdomainname like "ftpserver0909.com" or url like "ftpserver0909.com"

    Detection Query 2

    dstipaddress IN ("167.88.36.13") or ipaddress IN ("167.88.36.13") or publicipaddress IN ("167.88.36.13") or srcipaddress IN ("167.88.36.13")

    Detection Query 3

    (sender IN ("adonis_eros@outlook.com","brightstar1116@outlook.com","buyerlao@outlook.com","casey_qadir@outlook.com","cescernand@outlook.com","devstar1116@gmail.com","ebcappservices@gmail.com","hakajakin@outlook.com","ideationbrand@gmail.com","legend_dev@outlook.com","liko.sonexarth@gmail.com","liko.sonexarth@hotmail.com","longines0924@gmail.com","lujindane@outlook.com","matthewhall14541@gmail.com","niko.sonexarth@gmail.com","niko.sonexarth@hotmail.com","oscar.vetres127@europe.com","oscar.vetres127@gmail.com","pinefirst@outlook.com","reply9998@gmail.com","richard.stewart.1202@gmail.com","richard.stewart.1202@outlook.com","sniper_bruce@outlook.com","stp.walsh33@gmail.com","techcare127@gmail.com","truepai415@gmail.com","truestar222@outlook.com","volodimir.work2020@gmail.com","zhangming_k@yahoo.com","zhuming1116@gmail.com","lisettekolson8@gmail.com","312011217@qq.com","alhinglovena3000@gmail.com","jumphon2103@gmail.com","mobilephetjum@gmail.com","phetchamphone1998@gmail.com") OR receiver IN ("adonis_eros@outlook.com","brightstar1116@outlook.com","buyerlao@outlook.com","casey_qadir@outlook.com","cescernand@outlook.com","devstar1116@gmail.com","ebcappservices@gmail.com","hakajakin@outlook.com","ideationbrand@gmail.com","legend_dev@outlook.com","liko.sonexarth@gmail.com","liko.sonexarth@hotmail.com","longines0924@gmail.com","lujindane@outlook.com","matthewhall14541@gmail.com","niko.sonexarth@gmail.com","niko.sonexarth@hotmail.com","oscar.vetres127@europe.com","oscar.vetres127@gmail.com","pinefirst@outlook.com","reply9998@gmail.com","richard.stewart.1202@gmail.com","richard.stewart.1202@outlook.com","sniper_bruce@outlook.com","stp.walsh33@gmail.com","techcare127@gmail.com","truepai415@gmail.com","truestar222@outlook.com","volodimir.work2020@gmail.com","zhangming_k@yahoo.com","zhuming1116@gmail.com","lisettekolson8@gmail.com","312011217@qq.com","alhinglovena3000@gmail.com","jumphon2103@gmail.com","mobilephetjum@gmail.com","phetchamphone1998@gmail.com"))
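
The three TDIR queries above match the IOCs as literal strings in each field. The following Python script is added here as a worked example; it is not Gurucul's query language and not code from the Unit 42 report. It runs the same IOC set over a few constructed log lines and shows two checks a practitioner would want around such matching: domain IOCs are matched on the host only and anchored at a label boundary (so `app.mirotalk.io` hits, while `notmirotalk.io` and a URL that merely contains `mirotalk.io` in its path do not), and the IP is compared by exact set membership rather than substring (so `167.88.36.130` does not hit). The `proxy`/`dns`/`flow`/`mail` record format, the field names and the sample lines are assumptions made for this example; only the IOC values come from the advisory.

```python
"""Match the advisory's IOCs against sample log records.

Added example, not Gurucul's TDIR query language or code from the Unit 42
report. The 'kind key=value ...' log format, the field names and the sample
lines are assumptions; only the IOC values are taken from the advisory.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# IOC values exactly as listed in the advisory.
IOC_DOMAINS = {
    "effertz-carroll.com", "regioncheck.net", "freeconference.io",
    "ipcheck.cloud", "mirotalk.io", "mirotalk.net", "ftpserver0909.com",
}
IOC_IPS = {"167.88.36.13"}
IOC_EMAILS = {
    "adonis_eros@outlook.com", "brightstar1116@outlook.com", "buyerlao@outlook.com",
    "casey_qadir@outlook.com", "cescernand@outlook.com", "devstar1116@gmail.com",
    "ebcappservices@gmail.com", "hakajakin@outlook.com", "ideationbrand@gmail.com",
    "legend_dev@outlook.com", "liko.sonexarth@gmail.com", "liko.sonexarth@hotmail.com",
    "longines0924@gmail.com", "lujindane@outlook.com", "matthewhall14541@gmail.com",
    "niko.sonexarth@gmail.com", "niko.sonexarth@hotmail.com", "oscar.vetres127@europe.com",
    "oscar.vetres127@gmail.com", "pinefirst@outlook.com", "reply9998@gmail.com",
    "richard.stewart.1202@gmail.com", "richard.stewart.1202@outlook.com",
    "sniper_bruce@outlook.com", "stp.walsh33@gmail.com", "techcare127@gmail.com",
    "truepai415@gmail.com", "truestar222@outlook.com", "volodimir.work2020@gmail.com",
    "zhangming_k@yahoo.com", "zhuming1116@gmail.com", "lisettekolson8@gmail.com",
    "312011217@qq.com", "alhinglovena3000@gmail.com", "jumphon2103@gmail.com",
    "mobilephetjum@gmail.com", "phetchamphone1998@gmail.com",
}

# Constructed sample records, not real telemetry. Every even-numbered line is
# a near miss that a plain substring match would wrongly flag.
SAMPLE_LOGS = """\
proxy src=10.0.4.21 url=https://app.mirotalk.io/join/devteam
proxy src=10.0.4.22 url=https://www.example.com/notes/mirotalk.io
dns src=10.0.4.21 query=regioncheck.net
dns src=10.0.4.23 query=notmirotalk.io
flow src=10.0.4.21 dst=167.88.36.13
flow src=10.0.4.24 dst=167.88.36.130
mail from=Richard.Stewart.1202@gmail.com to=hr@example.com
mail from=hr@example.com to=recruiter@example.com
"""


def host_matches(host: str, iocs: set[str]) -> str | None:
    """Return the IOC domain that `host` equals or is a subdomain of.
    Anchoring at the label boundary: 'app.mirotalk.io' matches, 'notmirotalk.io' does not."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url: str) -> str:
    """Extract only the host of a URL, so an IOC domain inside a path does not match."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def parse_line(line: str) -> dict[str, str]:
    """Parse 'kind key=value ...' into a dict; values may themselves contain '='."""
    kind, *fields = line.split()
    rec = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def match_record(rec: dict[str, str]) -> tuple[str, str] | None:
    """Return (field, ioc) for the first IOC hit in a record, else None."""
    kind = rec["type"]
    if kind == "proxy":
        ioc = host_matches(host_from_url(rec["url"]), IOC_DOMAINS)
        return ("url", ioc) if ioc else None
    if kind == "dns":
        ioc = host_matches(rec["query"], IOC_DOMAINS)
        return ("query", ioc) if ioc else None
    if kind == "flow":
        # Exact membership: '167.88.36.130' must not match '167.88.36.13'.
        return ("dst", rec["dst"]) if rec["dst"] in IOC_IPS else None
    if kind == "mail":
        for field in ("from", "to"):
            addr = rec[field].lower()  # practical choice: compare addresses case-insensitively
            if addr in IOC_EMAILS:
                return (field, addr)
    return None


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, field, ioc) for every record that hits an IOC."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        hit = match_record(parse_line(line))
        if hit:
            hits.append((line_no, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for line_no, field, ioc in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {field} matched IOC {ioc}")
```

Run directly, the script reports hits on lines 1, 3, 5 and 7 only. In a real deployment the sample text would be a log feed and the IOC sets would be loaded from a managed list, so the advisory's values can be retired when they age out.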

    Reference: 

    https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/  


    Tags

    Malware, Phishing, Information Technology, BeaverTail, North Korean
