A Kimsuky-attributed phishing analysis examines files for a spoofed Yonsei University webmail page. The source identifies suspected phishing domains and shows PHP logic designed to capture submitted usernames, passwords, request URLs, and client address data. Although the distribution URL was not confirmed, the recovered kit indicates credential-harvesting intent against university webmail users and provides defenders with infrastructure and code patterns for hunting related Kimsuky phishing activity.