Ten Operators, Nine Campaigns, and a Backend With No Password: How a Single Vercel URL Exposed a Two-Year Korean Phishing Syndicate
2026-04-05 • Break Glass Intelligence
Breakglass Intelligence found an exposed phishing backend at arnptec[.]com after investigating a Vercel-hosted Naver credential-harvesting page, curly-spoon-sigma[.]vercel[.]app. Directory listing revealed ten operator directories, nine campaign themes, reusable kit templates, and a credential exfiltration endpoint under /team24/nvvvr/mab/send.php. The campaigns target South Korean services including Naver, Daum/Kakao, Cafe24, eCount, Korean webmail, corporate accounts, WeTransfer, and domain-registration services. The Naver kit uses a double-tap password collection flow, while timestamps and multiple disabled Vercel projects indicate at least two years of activity and repeated free-tier hosting abuse. The report notes the Korean targeting pattern aligns with Kimsuky/APT43 behavior but also cautions that the activity could be a financially motivated Korean-language phishing syndicate.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | arnptec.com | 2026-04-05 | 2026-04-05 |
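
One way to sweep web-proxy logs for contact with this infrastructure, as an added example that is not part of the original report. It separates a visit to the lure or backend from a POST to the exfiltration endpoint, which is the case where a password was probably handed over. The log format, the sample lines, the verdict labels and the choice to match the exfil path on any host are assumptions, and the sweep needs logs that record full URLs.

```python
from urllib.parse import urlsplit

# Indicators as written in the report summary (defanged); refanged at load time.
IOC_HOSTS = ["arnptec[.]com", "curly-spoon-sigma[.]vercel[.]app"]
EXFIL_PATH = "/team24/nvvvr/mab/send.php"
SUBMITTED, CONTACT = "credentials-likely-submitted", "contact"

def refang(value):
    return value.replace("[.]", ".").lower()

HOSTS = {refang(h) for h in IOC_HOSTS}

def host_matches(host):
    # Exact host or a subdomain; "notarnptec.com" must not match.
    host = (host or "").rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTS)

def triage(line):
    """Return (client, verdict) for a hit, else None.
    Assumed format: '<timestamp> <client> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, method, url, _ = parts
    target = urlsplit(url)  # .hostname is already lower-cased, port stripped
    # Assumption: the exfil path is distinctive enough to flag on any host,
    # which also catches the same kit relocated to a new domain.
    exfil = target.path.lower() == EXFIL_PATH
    if exfil and method.upper() == "POST":
        return client, SUBMITTED
    if exfil or host_matches(target.hostname):
        return client, CONTACT
    return None

def summarise(lines):
    """Worst verdict per client, so responders know whose password to reset."""
    worst = {}
    for line in lines:
        hit = triage(line)
        if hit and worst.get(hit[0]) != SUBMITTED:
            worst[hit[0]] = hit[1]
    return worst

# Constructed sample log lines (not from the report).
BACKEND, LURE = refang(IOC_HOSTS[0]), refang(IOC_HOSTS[1])
SAMPLE_LOG = [
    f"2026-04-05T09:12:01Z 10.0.0.15 GET https://{LURE}/ 200",
    f"2026-04-05T09:12:40Z 10.0.0.15 POST https://{BACKEND}{EXFIL_PATH} 200",
    "2026-04-05T09:13:02Z 10.0.0.22 GET https://www.naver.com/ 200",
    f"2026-04-05T09:14:10Z 10.0.0.31 GET https://{BACKEND.upper()}:443/team24/ 200",
    f"2026-04-05T09:15:00Z 10.0.0.40 GET https://not{BACKEND}/ 200",
]
```

Calling `summarise(SAMPLE_LOG)` returns one verdict per client address, with the lookalike host and the legitimate Naver request left out.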