Web page disguised as a Naver login page

2023-02-02 AhnLab Web page disguised as a Naver login page

https://asec.ahnlab.com/ko/46916/


AhnLab reports that infrastructure previously used for Kakao credential phishing was also hosting Naver login-themed phishing pages, assessed as likely Kimsuky activity on the basis of reverse-DNS, IP, domain, and related-file evidence. The phishing pages imitated Naver password re-verification flows, prefilled the target's account identifier, and mixed legitimate Naver links with attacker-controlled pages to reduce suspicion. The campaign appeared to abuse vulnerable websites built on the older Gnuboard 4 CMS to create domains and host the credential-harvesting pages. Representative indicators included accountskakao.bim-mgn[.]com, nid.bim-mgn[.]com, and wwwid.bim-mgn[.]com, and the article notes that target accounts changed over short intervals.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      http://nid.bim-mgn.com             2023-02-02   2023-02-13
URL      http://wwwid.bim-mgn.com           2023-02-02   2023-02-13
URL      http://accountskakao.bim-mgn.com   2023-02-02   2023-02-13
DOMAIN   accountskakao.bim-mgn.com          2023-02-02   2023-02-13
DOMAIN   wwwid.bim-mgn.com                  2023-02-02   2023-02-13
DOMAIN   nid.bim-mgn.com                    2023-02-02   2023-02-13
