Attack Impersonating a National Tax Service Tax-Investigation Attendance Request Notice… Suspected North Korean Backing

2023-01-17 ESTSecurity Tax investigation attendance notice impersonation attack suspected of North Korean backing

https://blog.alyac.co.kr/5045


ESRC reported a phishing campaign impersonating South Korea’s National Tax Service with emails titled as tax-investigation attendance notices and assessed the activity as suspected North Korean-backed. The lure targeted virtual-asset investors, spoofed the NTS sender address, and used a fake attached PDF area to redirect victims to a crafted Naver login phishing page for credential theft. After credential capture, the page displayed a legitimate-looking tax-investigation PDF to reduce victim suspicion. ESRC linked infrastructure such as navearcorps[.]help and 27.102.101[.]26 to earlier phishing domains, classified related activity as the Konni campaign, and noted ongoing investigation into links between Thallium/Kimsuky and Konni.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN goooglesecurity.com 2022-10-25 2023-11-01
DOMAIN nidnaavers.com 2023-01-17 2023-01-17
DOMAIN naaverascorp.com 2023-01-17 2023-01-17
DOMAIN mybox-navers.com 2023-01-17 2023-01-17
DOMAIN infonavera.com 2023-01-17 2023-01-17
IPv4 27.102.101.26 2023-01-17 2023-01-17
