ESRC observed a North Korea-linked phishing operation impersonating the Korean Society for Clinical Health Promotion with COVID-19 vaccine notification emails. The campaign primarily targeted people working on North Korea-related issues and used a carefully spoofed sender address, copied CDC Korean-language content, and design elements overlapping with a legitimate SRT rail notification email. The email drove victims to a credential-phishing page hosted on the real society website, an unusual choice that increased trust while complicating incident response. ESRC cited the North Korean spelling "nalja" for date, webshell/C2 characteristics, and credential-theft tactics as matching previously observed North Korea-linked activity.