ThreatRecon observed SectorA phishing activity against South Korean targets increase sharply in 2022, with SectorA05 responsible for most observed cases and SectorA02 also active. The campaigns targeted researchers, government personnel, education, NGOs, broadcasting/telecom, finance, and individual investors, especially people connected to North Korea research and South Korean institutions. Operators impersonated trusted Korean services and organizations, including Naver electronic documents, Daum customer support, card verification notices, universities, public agencies, and financial brands, to harvest portal credentials or deliver lure documents. The report highlights phishing infrastructure using lookalike domains and overseas hosting, including a SupremeBytes-hosted sender IP and domains spoofing Naver, Google, Daum, Kakao, public agencies, universities, and banks.