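Beware of North Korea-linked hacking attacks that impersonate the National Assembly Research Service and attempt to hack professors in the fields of 'defense, diplomacy, and security'!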

2022-06-29 ESTSecurity Beware of North Korea-linked hacking attacks that impersonate the National Assembly Research Service and attempt to hack professors in the fields of 'defense, diplomacy, and security'!

https://blog.alyac.co.kr/4826

ESRC reported a North Korea-linked phishing campaign impersonating South Korea’s National Assembly Research Service and targeting professors in defense, diplomacy, security, and politics. The operators first sent consultation-request emails that performed no malware action but identified recipients who replied; only responsive targets then received a follow-up email with a malicious document attachment. Opening the lure led victims to a fake large-file download page and then to a credential-harvesting page, after which the site delivered a normal Word file to conceal the compromise. ESRC tied the infrastructure to 118.36.192[.]211 and related naverccrp[.]com lookalike domains previously used in phishing.

Indicators of Compromise

Type    Value                       First Seen  Last Seen
IPv4    118.36.192.211              2022-06-29  2025-03-04
DOMAIN  m.naverccrp.com             2022-06-29  2022-06-29
DOMAIN  nca.naverccrp.com           2022-06-29  2022-06-29
DOMAIN  xn--nid-mo0a.naverccrp.com  2022-06-29  2022-06-29
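
A sketch of sweeping proxy or DNS logs for the indicators in the table above, added here as an example and not taken from the ESRC report. The log format, the sample lines and the function names are constructed assumptions. Matching the parent domain naverccrp.com on a label boundary is a choice made here so that subdomains not listed in the table are also caught.

```python
# Indicators copied from the table above; everything else is constructed.
IOC_IPS = {"118.36.192.211"}
IOC_PARENT_DOMAINS = {"naverccrp.com"}  # parent of m., nca., xn--nid-mo0a.

def normalize_host(dest: str) -> str:
    """Refang, lower-case, drop a :port suffix and a trailing root dot."""
    host = dest.replace("[.]", ".").strip().lower()
    if ":" in host:                      # IPv4/hostname only; no IPv6 handling
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def match_host(dest: str):
    """Return 'ip', 'domain' or None for one destination value."""
    host = normalize_host(dest)
    if host in IOC_IPS:
        return "ip"
    for parent in IOC_PARENT_DOMAINS:
        # Compare on a label boundary: 'notnaverccrp.com' and
        # 'naverccrp.com.example.org' must not match.
        if host == parent or host.endswith("." + parent):
            return "domain"
    return None

def scan(log_text: str):
    """Yield-style scan over 'timestamp client method dest' lines (assumed format)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                     # skip lines that do not fit the format
        _ts, client, _method, dest = parts
        kind = match_host(dest)
        if kind:
            hits.append((client, normalize_host(dest), kind))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2022-06-29T09:14:02Z 10.0.0.15 CONNECT nca.naverccrp.com:443
2022-06-29T09:14:05Z 10.0.0.15 CONNECT XN--NID-MO0A.NAVERCCRP.COM.:443
2022-06-29T09:15:40Z 10.0.0.22 GET 118.36.192.211:80
2022-06-29T09:16:11Z 10.0.0.31 CONNECT www.naver.com:443
2022-06-29T09:17:30Z 10.0.0.31 CONNECT naverccrp.com.example.org:443
2022-06-29T09:18:02Z 10.0.0.40 CONNECT login.naverccrp.com:443
"""

if __name__ == "__main__":
    for client, host, kind in scan(SAMPLE_LOG):
        print(f"{client} contacted {host} ({kind} indicator)")
```

A client that appears in the hits reached the infrastructure the report ties to the credential-harvesting page, so its account credentials are the first thing to review.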