Genians links a multi-year email phishing campaign to Kimsuky, targeting North Korea researchers and related organizations in South Korea with account-theft lures rather than malware attachments. The activity impersonated familiar public-sector, portal, cloud, and financial electronic-document notices, including National Secretary, Naver MYBOX, tax, pension, and banking themes. Operators used Japanese and Korean mail services early on, then shifted to forged and real Russian sender domains while continuing to abuse Korean free-domain services and phishing sites hosted on infrastructure such as 185.27.134.x and 185.105.33.106. The report also ties the campaign to the exposed “star 3.0” mailer on evangelia.edu, a site previously associated with Kimsuky tooling and a macro document that launched mshta against an evangelia.edu HTA payload. The findings matter because malwareless credential phishing can enable mailbox surveillance and follow-on intrusions against policy, research, and institutional targets.