‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces
Published on
Published on
Published on
Jan 14, 2025
Jan 14, 2025
Jan 14, 2025
While scanning for DPRK-related infrastructure, Hunt researchers identified a server with HTTP response headers consistent with previously reported activity. Further analysis of the IP uncovered a small cluster of domains and a landing page on port 80 referencing 'JustJoin,' a macOS app designed for monitoring Zoom meetings.
Public reporting, most recently by SentinelOne, has linked TA444/BlueNoroff to spoofed domains, often leveraging themes related to virtual meeting platforms like Zoom in their campaign. Additionally, two other IPs were found to share SSH keys with the server, indicating potential coordination within a broader infrastructure.
This report outlines key findings to provide defenders with timely insights into this activity cluster.
TA444/BlueNoroff Infrastructure
BlueNoroff, also known as TA444, employs structured yet adaptable patterns in managing its infrastructure. The group often registers domains that mimic legitimate businesses, particularly in the cryptocurrency and fintech sectors, leveraging these deceptive names to support phishing campaigns and malware delivery.
For hosting, TA444 primarily uses virtual private servers (VPS) from various providers, with Hostwinds being the most frequently observed in our analysis at Hunt. Operational security (OPSEC) lapses have revealed instances of infrastructure reuse, including shared domains across multiple IP addresses and the recycling of TLS certificates. These overlaps highlight the group's tendency to optimize resources, offering analysts opportunities to identify and connect elements of their broader attack infrastructure.
Network Infrastructure Analysis
Our scan results led us to IP address 23.254.167[.]216, hosted on Hostwinds in the United States, with only one service exposed-HTTP on port 80. Examining the server revealed headers consistent with previously observed DPRK-related activity. These included Apache, OpenSSL, and PHP, which, while not uniquely tied to BlueNoroff, provided a solid basis for further investigation.
Further analysis revealed four domains resolving to this IP address. Among them, two domains-make-hex-32332e3235342e3136372e323136-rr.1u.ms and a0info.v6[.]army-can be confidently associated with previous reporting. When accessed, both domains displayed the 'JustJoin' landing page, a theme previously linked to the group. Currently, we have no data linking the other two domains to BlueNoroff activity.
![Figure 2: JustJoin landing page hosted at a0info.v6[.]army](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/1-2025/figure_2_justjoin_landing_page_hosted_at_a0info_v6_army_3x.webp)
The domain make-hex-32332e3235342e3136372e323136-rr.1u[.]ms is constructed using a hexadecimal sequence that translates to the IP address 23.254.167[.]216. This structure enables the domain to resolve directly to the server while obfuscating the IP address within the URL, potentially reducing visibility during casual inspection.
![Figure 3: The same landing page as seen at make-hex-32332e3235342e3136372e323136-rr.1u[.]ms](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/1-2025/figure_3_the_same_landing_page_as_seen_at_make_hex_32332e3235342e3136372e323136_rr_1u_ms_3x.webp)
Pivoting within suspicious infrastructure on Hunt is straightforward using the "Associations" tab, which provides immediate visibility into related servers and domains. As shown below, two additional servers on the Hostwinds network share the same SSH fingerprint (e1f6b7f621a391a9d26e9a196974f3e2cc1ce8b4d8f73a14b2e8cb0f2a40289f) as the initial server.
![Figure 4: Screenshot of two IPs using the same SSH key as 23.254.167[.]216](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/1-2025/figure_4_screenshot_of_two_ips_using_the_same_ssh_key_as_23_254_167_216_hunt__3x.webp)
The first server (108.174.194[.]44) remains active at the time of writing, but further analysis did not yield any notable findings.
Focusing on the second server revealed four associated domains and open ports for SSH, HTTP (port 80), and email-related services (ports 143, 993, and 995). These ports suggest the server may be configured to impersonate legitimate email services or facilitate phishing operations.
Among the domains resolving to this IP, two appear to be auto-generated subdomains assigned to individual servers or VPS instances by Hostwinds. The remaining domains, though leading to blank web pages, are registered through NameCheap. While these domains are not overtly malicious, their association with the identified network artifacts warrants further scrutiny.
![Figure 6: Resolving domains for 108.174.194[.]196](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/1-2025/figure_6_resolving_domains_for_108_174_194_196_hunt__3x.webp)
Conclusion
This analysis highlights the reappearance of a recent 'JustJoin' landing page tied to TA444/BlueNoroff, reinforcing their use of uncommon domains to support malicious activity. We identified links suggesting coordinated management across multiple servers by examining domains, IPs, and shared SSH keys.
Defenders should remain vigilant for suspicious domains that mimic legitimate services, especially those relevant to their organization's users. Early identification of these threats, along with monitoring HTML hashes linked to malicious web pages, can help mitigate risks and support proactive blocking of associated IPs within networks.
Network Observables
| IP Address | Hosting Country | ASN | Domain(s) | Notes |
|---|---|---|---|---|
| 23.254.167[.]216 | US | HOSTWINDS LLC. | make-hex-32332e3235342e3136372e323136-rr.1u[.]ms a0info.v6[.]army cryptorgram[.]com www.cryptorgram[.]com | Initial server identified as hosting the 'JustJoin' landing page. |
| 108.174.194[.]44 | SG | HOSTWINDS LLC. | N/A | Linked by shared SSH key. |
| 108.174.194[.]196 | US | HOSTWINDS LLC. | taglala[.]com hamzastrs[.]pro | Linked by shared SSH key. |
While scanning for DPRK-related infrastructure, Hunt researchers identified a server with HTTP response headers consistent with previously reported activity. Further analysis of the IP uncovered a small cluster of domains and a landing page on port 80 referencing 'JustJoin,' a macOS app designed for monitoring Zoom meetings.
Public reporting, most recently by SentinelOne, has linked TA444/BlueNoroff to spoofed domains, often leveraging themes related to virtual meeting platforms like Zoom in their campaign. Additionally, two other IPs were found to share SSH keys with the server, indicating potential coordination within a broader infrastructure.
This report outlines key findings to provide defenders with timely insights into this activity cluster.
TA444/BlueNoroff Infrastructure
BlueNoroff, also known as TA444, employs structured yet adaptable patterns in managing its infrastructure. The group often registers domains that mimic legitimate businesses, particularly in the cryptocurrency and fintech sectors, leveraging these deceptive names to support phishing campaigns and malware delivery.
For hosting, TA444 primarily uses virtual private servers (VPS) from various providers, with Hostwinds being the most frequently observed in our analysis at Hunt. Operational security (OPSEC) lapses have revealed instances of infrastructure reuse, including shared domains across multiple IP addresses and the recycling of TLS certificates. These overlaps highlight the group's tendency to optimize resources, offering analysts opportunities to identify and connect elements of their broader attack infrastructure.
Network Infrastructure Analysis
Our scan results led us to IP address 23.254.167[.]216, hosted on Hostwinds in the United States, with only one service exposed-HTTP on port 80. Examining the server revealed headers consistent with previously observed DPRK-related activity. These included Apache, OpenSSL, and PHP, which, while not uniquely tied to BlueNoroff, provided a solid basis for further investigation.
Further analysis revealed four domains resolving to this IP address. Among them, two domains-make-hex-32332e3235342e3136372e323136-rr.1u.ms and a0info.v6[.]army-can be confidently associated with previous reporting. When accessed, both domains displayed the 'JustJoin' landing page, a theme previously linked to the group. Currently, we have no data linking the other two domains to BlueNoroff activity.
The domain make-hex-32332e3235342e3136372e323136-rr.1u[.]ms is constructed using a hexadecimal sequence that translates to the IP address 23.254.167[.]216. This structure enables the domain to resolve directly to the server while obfuscating the IP address within the URL, potentially reducing visibility during casual inspection.
Pivoting within suspicious infrastructure on Hunt is straightforward using the "Associations" tab, which provides immediate visibility into related servers and domains. As shown below, two additional servers on the Hostwinds network share the same SSH fingerprint (e1f6b7f621a391a9d26e9a196974f3e2cc1ce8b4d8f73a14b2e8cb0f2a40289f) as the initial server.
The first server (108.174.194[.]44) remains active at the time of writing, but further analysis did not yield any notable findings.
Focusing on the second server revealed four associated domains and open ports for SSH, HTTP (port 80), and email-related services (ports 143, 993, and 995). These ports suggest the server may be configured to impersonate legitimate email services or facilitate phishing operations.
Among the domains resolving to this IP, two appear to be auto-generated subdomains assigned to individual servers or VPS instances by Hostwinds. The remaining domains, though leading to blank web pages, are registered through NameCheap. While these domains are not overtly malicious, their association with the identified network artifacts warrants further scrutiny.
Conclusion
This analysis highlights the reappearance of a recent 'JustJoin' landing page tied to TA444/BlueNoroff, reinforcing their use of uncommon domains to support malicious activity. We identified links suggesting coordinated management across multiple servers by examining domains, IPs, and shared SSH keys.
Defenders should remain vigilant for suspicious domains that mimic legitimate services, especially those relevant to their organization's users. Early identification of these threats, along with monitoring HTML hashes linked to malicious web pages, can help mitigate risks and support proactive blocking of associated IPs within networks.
Network Observables
| IP Address | Hosting Country | ASN | Domain(s) | Notes |
|---|---|---|---|---|
| 23.254.167[.]216 | US | HOSTWINDS LLC. | make-hex-32332e3235342e3136372e323136-rr.1u[.]ms a0info.v6[.]army cryptorgram[.]com www.cryptorgram[.]com | Initial server identified as hosting the 'JustJoin' landing page. |
| 108.174.194[.]44 | SG | HOSTWINDS LLC. | N/A | Linked by shared SSH key. |
| 108.174.194[.]196 | US | HOSTWINDS LLC. | taglala[.]com hamzastrs[.]pro | Linked by shared SSH key. |
Related Posts:
Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.
Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.
Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.
Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.
ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...
ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...
Explore a suspected North Korean-linked phishing campaign targeting Naver and how unknown actors use distinct TLS certificates to spoof Apple domains.
Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.
ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers...
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.
Threat Hunting Platform - Hunt.io
Products
Hunt Intelligence, Inc.