Disguised as Official Emails from the Ministry of Unification and the Korea Institute for National Unification… Warning over North Korea-Linked Thallium Hacking Attacks
2021-06-25 • ESTSecurity
ESRC reported North Korea-linked Thallium/Kimsuky phishing waves that impersonated South Korea’s Ministry of Unification and Korea Institute for National Unification around 22-24 June 2021. The emails spoofed official-looking sender addresses and used lures about analysis of North Korea’s 8th Party Central Committee plenum, but embedded malicious document links rather than real attachments. Victims who clicked the fake HWP/PDF document screens were first prompted for portal email credentials, enabling mailbox theft and potential follow-on abuse of the compromised accounts. ESRC traced multiple cases, including related INSS and KISA-themed attacks, to servera94.opencom.com at 121.78.88.94 and listed document-link indicators such as uti.co.kr, jyle.co.kr, and uandp.co.kr paths.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 121.78.88.94 | 2020-11-16 | 2023-06-01 |
| DOMAIN | jyle.co.kr | 2021-06-25 | 2021-06-25 |
| DOMAIN | uandp.co.kr | 2021-06-25 | 2021-06-25 |
| DOMAIN | uti.co.kr | 2021-06-25 | 2021-06-25 |
| DOMAIN | servera94.opencom.com | 2021-06-25 | 2021-06-25 |