APT Group Kimsuky Targets University Researchers

2024-08-07 Cyber Resilience

https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/


Resilience reports that an OPSEC mistake in late July 2024 exposed Kimsuky source code, credentials, traffic logs, and operator notes documenting phishing operations against university staff, researchers, and professors. The campaign used compromised staging hosts, including audko.store, dorray.site, nusiu.live, osihi.store, simos.online, sorsi.online, wodos.online, and wodods.xyz, on which the operators deployed the Green Dinosaur webshell to manage files and place phishing sites. The phishing pages imitated the login portals of Dongduk University, Korea University, Yonsei University, and Naver, captured submitted credentials through attacker-controlled PHP code, and then redirected victims to lure content such as a Korean policy forum PDF. The report attributes the activity to Kimsuky and DPRK intelligence collection, and notes that the social engineering can exploit weak DMARC policies, which makes impersonation harder to detect.
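The DMARC point above is one a defender can check directly. The Python below is an added example, not code from the Resilience report: it parses a DMARC TXT record and lists the settings (p=none, sp=none, pct below 100, or no record at all) that would let a spoofed sender address through. The domain names and records are constructed samples; a real check would feed in the result of a DNS TXT lookup of _dmarc.<domain>.

```python
# Constructed sample TXT records keyed by placeholder domains (not real lookups);
# None stands for a domain that publishes no _dmarc record at all.
SAMPLE_RECORDS = {
    "none-policy.example": "v=DMARC1; p=none; rua=mailto:dmarc@none-policy.example",
    "partial.example": "v=DMARC1; p=reject; pct=20",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "strict.example": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "missing.example": None,
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a dictionary of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record) -> list:
    """Return the reasons a spoofed From: on this domain could still be
    delivered by a DMARC-honouring receiver; an empty list means enforcing."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    reasons = []
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= falls back to p=
    if policy not in ENFORCING:
        reasons.append(f"p={policy} does not quarantine or reject failures")
    if sub_policy not in ENFORCING:
        reasons.append(f"sp={sub_policy} leaves subdomains unprotected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        reasons.append("unparseable pct= value")
    else:
        if pct < 100:
            reasons.append(f"pct={pct} applies the policy to only a sample of mail")
    return reasons


def weak_domains(records=SAMPLE_RECORDS) -> list:
    """Domains whose record would not block an impersonated sender."""
    return sorted(d for d, r in records.items() if dmarc_weaknesses(r))
```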

Indicators of Compromise

Type Value First Seen Last Seen
URL https://mail.yonsei.ac.kr/ 2024-08-07 2024-08-12
DOMAIN wodods.xyz 2024-08-07 2024-08-12
URL http://penlu.or.kr/data/view.php 2024-08-07 2024-08-07
DOMAIN penlu.or.kr 2024-08-07 2024-08-07
DOMAIN sisileae.com 2024-05-13 2024-08-07
