Analysis of the Phishing Infrastructure of North Korea-Backed Attack Groups

2025-07-30 Plainbit Cyber threat report on Kimsuky, Phishing

https://plainbit.co.kr/kr/insight/tech_hub?bgu=view&idx=63

Attachments

북한_배후_공격_그룹의_피싱_인프라_분석.pdf (2 MB)

Plainbit and South Korea's NCSC analyze spear-phishing infrastructure used by suspected North Korea-backed groups in the first half of 2025. The report separates delivery infrastructure from credential-collection and storage infrastructure, noting that attackers often compromise vulnerable domestic web servers rather than buying new servers directly. Phishing flows used cloud links such as Google Drive, Dropbox, and MEGA for malicious files, or attacker-controlled pages that imitated portals and public institutions to steal account data and session material. The infrastructure commonly stored stolen credentials in text files or forwarded them to external cloud services, giving defenders concrete web-server artifacts, directory structures, and phishing-page patterns to hunt.
