Phishing Site Made by Kimsuky: Korea University Knowledge-Based Portal System - osihi(.)store/korea (2024.7.21)

2024-07-22 Sakai Kimsuky Phishing Site Impersonating Korea University's Knowledge-Based Portal System (2024.7.21)

http://wezard4u.tistory.com/429236


The excerpt attributes to Kimsuky a credential-phishing page that impersonated Korea University’s knowledge-based portal. The phishing URL hxxp://osihi(.)store/korea/Intro(.)kpd(.)html reused university-themed navigation, sending many menu items to legitimate Korea University services while collecting submitted usernames and passwords through hxxp://osihi(.)store/korea/login(.)php. The author observed victim login data stored under the same /korea/ path on osihi(.)store, indicating that stolen credentials were exposed for download from the phishing infrastructure. The activity matters for defenders because the site was reportedly not broadly blocked by security vendors at the time, making the domain, phishing path, and credential-submission endpoint useful for detection and takedown follow-up.
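One way to use the three indicators from the summary above for detection, as an added example that is not part of the original post: it refangs the indicators, then separates clients that only loaded the lure from clients that POSTed to the credential endpoint and therefore need a password reset. The proxy log layout (time, client, method, URL, status), the client addresses and the severity labels are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators as written (defanged) in the summary above.
PHISH_PAGE = "hxxp://osihi(.)store/korea/Intro(.)kpd(.)html"
CRED_POST = "hxxp://osihi(.)store/korea/login(.)php"
SEVERITY = ["domain-contact", "kit-visited", "credential-submitted"]  # hypothetical labels

def refang(ioc):
    """Undo hxxp and (.)/[.] defanging so the IoC compares with logged URLs."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("(.)", ".").replace("[.]", ".")

def key(url):
    """Reduce a URL to (host, path): lower-cased, no scheme, port or query."""
    p = urlsplit(url if "://" in url else "http://" + url)
    return (p.hostname or "").rstrip("."), (p.path or "/").lower()

DOMAIN, LANDING_PATH = key(refang(PHISH_PAGE))
KIT_DIR = LANDING_PATH.rsplit("/", 1)[0] + "/"   # "/korea/"
CRED_PATH = key(refang(CRED_POST))[1]

def classify(method, url):
    """Return a severity label for one request, or None if unrelated."""
    host, path = key(url)
    if host != DOMAIN and not host.endswith("." + DOMAIN):
        return None                      # lookalike or unrelated host
    if method.upper() == "POST" and path == CRED_PATH:
        return "credential-submitted"    # a password likely left the network
    return "kit-visited" if path.startswith(KIT_DIR) else "domain-contact"

def triage(log_lines):
    """Map each client IP to the most severe label seen for it."""
    worst = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                     # skip malformed lines
        client, label = fields[1], classify(fields[2], fields[3])
        if label:
            worst[client] = max(worst.get(client, label), label, key=SEVERITY.index)
    return worst

# Constructed sample lines (assumed layout: time client method url status).
SAMPLE_LOG = [
    f"2024-07-22T01:02:03Z 10.0.4.17 GET {refang(PHISH_PAGE)} 200",
    f"2024-07-22T01:02:40Z 10.0.4.17 POST {refang(CRED_POST)}?x=1 302",
    f"2024-07-22T01:05:00Z 10.0.4.23 GET {refang(PHISH_PAGE)} 200",
    "2024-07-22T01:06:00Z 10.0.4.31 GET http://osihi.store.example.com/korea/login.php 200",
]
print(triage(SAMPLE_LOG))
```

Clients labelled `credential-submitted` are the ones whose university passwords should be treated as exposed; the other labels indicate exposure to the lure only.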

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
| --- | --- | --- | --- |
| URL | http://osihi.store | 2024-07-22 | 2024-07-22 |
| URL | http://osihi.store/korea/ | 2024-07-22 | 2024-07-22 |
| URL | http://osihi.store/korea/login.… | 2024-07-22 | 2024-07-22 |
| URL | http://osihi.store/korea/Intro.… | 2024-07-22 | 2024-07-22 |
| DOMAIN | osihi.store | 2024-07-22 | 2024-07-22 |
