Phishing Email Attacks by the Larva-24005 Group Targeting Japan

2025-02-27 AhnLab

https://asec.ahnlab.com/en/86535/


AhnLab attributes a Japan-focused phishing operation to Larva-24005, a sub-group of the North Korea-backed Kimsuky actor. The group first compromised South Korean Windows hosts over RDP, in some cases by exploiting BlueKeep (CVE-2019-0708), and then installed RDPWrap (which allows additional concurrent RDP sessions), a keylogger, XAMPP, and PHPMailer, turning the victims into infrastructure for sending phishing mail and collecting stolen data. The targets were Japanese university professors and nonprofit personnel working on North Korea issues. The lures used Zoom and web-portal themes, the operators relied on Japanese IME support and victim mailbox searches, and the credential-phishing pages impersonated iCloud, OneDrive, Outlook, Naver, and Google.
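As an added hunting example (not AhnLab's code and not taken from the report), the Python below checks a constructed host snapshot for the post-compromise tool set described above: RDPWrap's repointing of the TermService ServiceDll and its file artifacts, XAMPP and PHPMailer files, and an RDP brute-force pattern (repeated 4625 failures followed by a 4624 success from the same source). The install paths, thresholds, event-record layout, and all sample data are assumptions for illustration; the report's IOCs are the email address and domain listed below, not these paths.

```python
"""Host-hunting helpers for the Larva-24005 post-compromise tool set.

Added example, not code from AhnLab or the report. All inputs are
constructed records shaped like what a collector would export from a
Windows host (Security-log logon events, a file inventory, a registry
snapshot). Install paths, thresholds and event samples are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filenames typical of the tools the report names. Default install
# locations are an assumption; they are hunting leads, not report IOCs.
SUSPECT_ARTIFACTS = {
    "rdpwrap": ["rdpwrap.dll", "rdpwinst.exe", "rdpconf.exe"],
    "xampp": ["xampp-control.exe", "\\xampp\\apache\\bin\\httpd.exe"],
    "phpmailer": ["phpmailer.php", "\\phpmailer\\src\\"],
}
TERMSERVICE_DLL_KEY = (
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive


def match_artifacts(inventory):
    """Map tool name -> inventory paths that contain a known artifact name."""
    hits = defaultdict(list)
    for path in inventory:
        low = path.lower()
        for tool, needles in SUSPECT_ARTIFACTS.items():
            if any(n.lower() in low for n in needles):
                hits[tool].append(path)
    return dict(hits)


def termservice_hijacked(registry):
    """RDPWrap works by pointing TermService's ServiceDll at rdpwrap.dll
    instead of the stock termsrv.dll; any other value is worth a look."""
    value = registry.get(TERMSERVICE_DLL_KEY, "")
    return bool(value) and not value.lower().endswith("termsrv.dll")


def rdp_bruteforce_then_success(events, window=timedelta(minutes=10), min_failures=5):
    """Return one finding per RDP success (4624) that follows at least
    min_failures RDP failures (4625) from the same source within `window`.
    Caveat: with NLA enabled, failed RDP attempts are often logged with
    logon type 3, so a production rule should widen the failure filter."""
    failures = defaultdict(deque)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        recent = failures[ev["src_ip"]]
        if ev["event_id"] == 4625:
            recent.append(t)
        elif ev["event_id"] == 4624:
            while recent and t - recent[0] > window:
                recent.popleft()  # drop failures outside the window
            if len(recent) >= min_failures:
                findings.append({"src_ip": ev["src_ip"], "user": ev["user"],
                                 "failures_before_success": len(recent),
                                 "time": ev["time"]})
            recent.clear()
    return findings


def hunt(events, inventory, registry):
    """Combine the three checks into one findings dict for a host."""
    return {
        "artifacts": match_artifacts(inventory),
        "termservice_hijacked": termservice_hijacked(registry),
        "rdp_bruteforce": rdp_bruteforce_then_success(events),
    }


# Constructed sample data (not from the report): six RDP failures then a
# success from 203.0.113.7, plus one ordinary admin logon from elsewhere.
SAMPLE_EVENTS = [
    {"time": f"2025-02-20T03:1{i}:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"} for i in range(6)
] + [
    {"time": "2025-02-20T03:17:30", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2025-02-20T09:00:00", "event_id": 4624, "logon_type": 10,
     "src_ip": "198.51.100.5", "user": "jdoe"},
]
SAMPLE_INVENTORY = [
    r"C:\Program Files\RDP Wrapper\rdpwrap.dll",
    r"C:\xampp\apache\bin\httpd.exe",
    r"C:\xampp\htdocs\mail\PHPMailer\src\PHPMailer.php",
    r"C:\Windows\System32\termsrv.dll",
]
SAMPLE_REGISTRY = {TERMSERVICE_DLL_KEY: r"C:\Program Files\RDP Wrapper\rdpwrap.dll"}

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_EVENTS, SAMPLE_INVENTORY, SAMPLE_REGISTRY), indent=2))
```

The three checks are deliberately independent: a hijacked ServiceDll is strong on its own, while XAMPP or PHPMailer files alone are common on developer machines and only become interesting next to the RDP logon pattern or the RDPWrap artifacts.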

Indicators of Compromise

Type    Value              First Seen   Last Seen
EMAIL   [email protected]  2025-02-27   2025-02-27
DOMAIN  polypheou.jp       2025-02-27   2025-02-27
