I'd reach out to Crowdstrike with the domains names (https://dataservicegroup[.]com). This follows the MO of APTs out of North Korea: https://www.wired.com/story/north-korean-it-scammer-alert/ If you share the list of similar phrases and the domain names that pop up when you search for those phrases the Crowstrike researchers can (a) probably help confirm which group(s) you're dealing with or at least (b) write up an analysis piece on yet another APT trying to gain a foothold in sensitive systems via the ol' fake candidate mechanism.