Leaked Apache access, error, virtual-host, and configuration logs reconstruct Kimsuky/APT43 phishing infrastructure used against South Korean government and military targets in 2025. The operators staged domains including sponetcloud.com and websecuritynotices.com on an Ubuntu server running Apache and PHP, with Lets Encrypt certificates and a reverse-proxy configuration that exposed localhost-backed traffic in the logs. Early January entries show TLS and server-setup testing months before the campaign, while May activity from the 79.110.55.0/24 range shows development and testing of generator.php and request.php components. The evidence gives defenders concrete infrastructure, operator IP ranges, server configuration artifacts, and development errors to hunt for related Kimsuky phishing operations.