North Korea-linked APT group Thallium attempts hacking attack impersonating Naver News coverage of condolences for the late Roh Tae-woo
2021-10-28 • ESTSecurity • Thallium, a North Korea-linked APT group, attempted a hacking attack impersonating Naver News coverage of condolences for the late Roh Tae-woo.
ESRC reported a Thallium campaign targeting North Korea-focused experts with spear-phishing emails disguised as Naver News coverage of condolences for former South Korean president Roh Tae-woo. The sender was spoofed as Naver News using a lookalike navercorp.corn address while the real mail service was mail.bg, a service the source says has appeared in prior North Korea-linked activity. Embedded “news” links redirected through nid.livelogin365.in[.]net and then to a fake Naver News page at nnews.naver-con.cloudns[.]cl, potentially exposing victim IP and browser data and enabling follow-on malware delivery. ESRC tied the activity to Thallium through sender/C2 overlaps and code similarities with earlier malware, noting a reconnaissance-oriented shift from macro or PDF-exploit attachments toward link-click tracking.
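The report's two mail-level tells, a homoglyph sender domain (navercorp.corn for navercorp.com) and a From domain that does not match the service that actually sent the mail, can be checked mechanically before a user ever clicks. The following is an added example, not ESRC's or ESTSecurity's tooling; the protected-brand list, the homoglyph table and the sample message are assumptions constructed for illustration.

```python
"""Flag Naver-lookalike spear-phishing mail of the kind described above.

Added example, not ESRC tooling. PROTECTED, HOMOGLYPHS and SAMPLE are
constructed assumptions modelled on the navercorp.corn / mail.bg pattern.
"""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"naver.com", "navercorp.com"}
# Letter sequences that read as another letter in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o")]

def normalize(domain: str) -> str:
    """Collapse homoglyph sequences so 'navercorp.corn' -> 'navercorp.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def sender_domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def registered_domain(host: str) -> str:
    return ".".join(host.lower().replace("[.]", ".").split(".")[-2:])

def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    frm = sender_domain(msg.get("From", ""))
    rp = sender_domain(msg.get("Return-Path", ""))
    findings = []
    if frm not in PROTECTED and normalize(frm) in PROTECTED:
        findings.append(f"lookalike sender domain {frm} (reads as {normalize(frm)})")
    if rp and rp != frm:
        findings.append(f"From domain {frm} differs from Return-Path domain {rp}")
    # A mail claiming to be Naver should link only to Naver-owned domains.
    if normalize(frm) in PROTECTED:
        for host in re.findall(r"https?://([^/\s\"'>]+)", msg.get_payload()):
            if registered_domain(host) not in PROTECTED:
                findings.append(f"link to {host} outside claimed brand")
    return findings

SAMPLE = """\
Return-Path: <sender@mail.bg>
From: "Naver News" <news@navercorp.corn>
Subject: [Naver News] Condolences for former president Roh Tae-woo
Content-Type: text/plain

Read the full article: http://nid.livelogin365.in.net/news?id=1
"""
```

Running `analyze(SAMPLE)` yields three findings (lookalike sender, From/Return-Path mismatch, off-brand link), while a message from naver.com that links only to news.naver.com yields none.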