Analysis of a Tax Notice Phishing Email Created by Kimsuky: [National Tax Service] May Filing and Payment Deadline Change Notice Has Arrived (2025.5.20)

2025-05-28 Sakai

https://wezard4u.tistory.com/429496

Kimsuky used a Korean National Tax Service-themed phishing email claiming that a May filing and payment deadline change notice was available for review. The lure targeted Naver users by pre-filling the victim email address and asking only for the password, then used doc-info.versioninfo.r-e.kr/nts links with parameters that imitated Naver login, privacy policy, legal notice, help, and company pages. The phishing flow stole Naver account credentials and redirected victims to legitimate Naver pages, making the activity harder for users to distinguish from a real electronic document notification. The message was sent from [email protected] via Mail.ru infrastructure, with sender IP 95.163.59.116 and SPF, DKIM, and DMARC passing.
