Hunt observed infrastructure returning the distinctive HTTP response "Million OK !!!!" and linked the activity to suspected Kimsuky operations through recurring domains, hosting patterns, and Naver-themed phishing traits. The infrastructure used Naver favicons and domains under TLDs such as p-e.kr, o-r.kr, and n-e.kr, reflecting repeated targeting of South Korean Naver users for credential theft. Several observed IPs were hosted on UCLOUD Information Technology in South Korea, with some servers exposing Sectigo TLS certificates and an older Apache/OpenSSL/PHP stack. One certificate common name, edoc-send.n-e.kr, and a related registrant email connected the activity to infrastructure previously reported with KLogEXE and FPSpy, giving defenders additional pivots for monitoring suspected Kimsuky phishing and C2 assets.