ESRC reports an active phishing campaign impersonating domestic portal customer-support notices, including takedown, account-change, and policy-violation themes. The emails contain buttons leading to attacker-controlled phishing pages that closely mimic legitimate login pages and may prefill victim account identifiers. The source assesses North Korean involvement as suspected, making the report relevant for defenders tracking credential-theft campaigns against Korean portal users and monitoring lookalike login infrastructure.