Kimsuky is attributed to a Korean-language phishing email impersonating a National Tax Service notice about a June filing and payment deadline. The lure sends victims to hxxp://nts(.)authenticatesvc(.)kro(.)kr/nts/ with parameters that mimic a Naver login flow and prefill the victim’s email address through values such as wreply, m, rv, and ru. The phishing site captures Naver account credentials, including the submitted password and email address, exposing victims to follow-on account compromise and cryptocurrency or other secondary fraud. The infrastructure resolves to 158(.)247(.)247(.)157 on Vultr in Seoul and shows directories such as help.php, invoice, nts, and send_new, while mail headers reference invoicdev(.)64bit(.)kr and Zoho relay paths used to make delivery appear more legitimate.