ASEC reports that Kimsuky built a phishing site copying the webmail portal of a South Korean government-funded research institute. As in earlier fake Naver and Kakao login pages targeting trade, media, and North Korea-related people and organizations, the page prefilled the target organization leader’s ID to make the credential-harvesting attempt more convincing. ASEC attributes the activity to Kimsuky based on reverse-DNS data, related IPs and domains, and associated files. The report warns that attackers are increasingly reusing legitimate site source code and multiple lookalike domains to impersonate portal and institutional webmail infrastructure.