ESRC’s Part 3 analysis connected Thallium/Kimsuky and Konni through shared or overlapping phishing infrastructure rather than treating them as separate unrelated clusters. The report examined a November 2020 Daum/Naver-themed credential-harvesting campaign using domains such as naver.midsecurity.org and 211.104.160.79, where directory exposure revealed additional phishing materials including Russian targets, OHCHR-themed lures, Summitz coin legal documents and Biden-era Korea strategy content. ESRC compared passive DNS, registrant emails and domains cited in Microsoft’s Thallium complaint, including rnaii.com, app-wallet.com and bigwnet.com, to show infrastructure links among Thallium, Kimsuky and Konni activity. The source emphasizes account-theft tradecraft, POP3/IMAP abuse for covert mail collection, and recurring Korean portal impersonation against North Korea-related and other Korean targets.