Hunt identified a suspected North Korean-linked phishing server targeting Naver users from an exposed directory at 158.247.238[.]155/naver on infrastructure hosted in Seoul. The server redirected port 80 traffic to the legitimate Naver site, hosted more than 200 domains, and contained folders and files for credential-theft pages, IP logging, and user tracking. The recon.htm page copied a Naver password-change flow with Korean text urging identity verification to block suspicious devices, while a related rtnurl file pointed to visitnhisserver[.]store and a redirect chain involving nextonlinecom[.]store. Hunt treats the attribution as tentative, noting that the Naver targeting, exposed phishing server, low-cost .store domains, and Let’s Encrypt certificates resemble activity often associated with Kimsuky, Lazarus, and other DPRK-linked operators.