Phishing Email Created by Kimsuky: [National Tax Service] September Filing and Payment Deadline Notice (2025.8.25)
2025-09-08 • Sakai
A Kimsuky-attributed phishing email impersonated South Korea's National Tax Service and Naver electronic document notices to steal Naver account credentials. The lure claimed a September tax filing and payment deadline notice, but the message was sent through Mail.ru infrastructure using schimmel2025@list[.]ru, 95.163.59[.]13, and send174.i.mail[.]ru rather than a Korean government sender. The embedded phishing URL used n-info.bill-nts.server-on[.]net with National Tax Service-themed naming, an encoded redirect toward a Naver-like login flow, and the recipient's Naver address appended for personalization. The activity shows continued Kimsuky use of Korean public-service impersonation and tailored credential-harvesting infrastructure against Korean users.
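The mismatches described above (a National Tax Service lure sent from an unrelated mail domain, a tax-themed host label under an unrelated parent domain, and the recipient's address carried in the link) can be checked mechanically. The following Python is an added example, not code from the original report; the brand allow-list, the finding names and the sample messages with their placeholder domains are assumptions constructed for illustration, and only plain, unencoded text parts are scanned.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

# Assumed allow-list: (names a lure may claim, host label tokens, the brand's own domains).
BRANDS = {
    "nts": (("국세청", "national tax service"), {"nts"}, ("nts.go.kr", "hometax.go.kr")),
    "naver": (("네이버", "naver"), {"naver"}, ("naver.com",)),
}

def under(host, domains):
    """True when host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze(raw):
    """Return findings where the sender or link hosts do not back up the claimed brand."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    claim = (display + " " + msg.get("Subject", "")).lower()
    sender_host = sender.rpartition("@")[2].lower()
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    links = [(urlsplit(u).hostname or "", unquote(u).lower())
             for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    findings = []
    for brand, (names, tokens, domains) in BRANDS.items():
        # The lure names the brand, but the From domain is not the brand's.
        if any(n in claim for n in names) and not under(sender_host, domains):
            findings.append(f"sender_mismatch:{brand}")
        # A brand token appears as a host label under an unrelated parent domain.
        for host, _ in links:
            if tokens & set(re.split(r"[.-]", host)) and not under(host, domains):
                findings.append(f"lookalike_host:{brand}:{host}")
    # The recipient's own address is carried in the link (personalised lure).
    findings += [f"recipient_in_url:{h}" for h, u in links if rcpt and rcpt in u]
    return findings

# Constructed sample messages (placeholder domains, not the campaign's real values).
PHISH = """From: "국세청" <notice@mailer.example>
To: user01@naver.com
Subject: [국세청] 9월 신고 납부 기한 통지서

http://info.bill-nts.ddns.example/view?m=user01%40naver.com
"""
BENIGN = PHISH.replace("mailer.example", "nts.go.kr").replace(
    "http://info.bill-nts.ddns.example/view?m=user01%40naver.com", "https://www.hometax.go.kr/")

if __name__ == "__main__":
    print(analyze(PHISH))
    print(analyze(BENIGN))
```

Suffix matching against the allow-list avoids needing a public-suffix list, so a host such as `nts.go.kr.attacker.example` is still treated as unrelated to `nts.go.kr`.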
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | server-on.net | 2025-09-08 | 2026-01-14 |
| IPv4 | 45.32.133.19 | 2025-09-08 | 2025-09-17 |
| EMAIL | schimmel2025@list[.]ru | 2025-09-08 | 2025-09-08 |
| URL | http://n-info.bill-nts.server-o… | 2025-09-08 | 2025-09-08 |
| DOMAIN | n-info.bill-nts.server-on.net | 2025-09-08 | 2025-09-08 |
| DOMAIN | send174.i.mail.ru | 2025-09-08 | 2025-09-08 |
| IPv4 | 95.163.59.13 | 2025-09-08 | 2025-09-08 |