Tracking the Trackers: Lessons from the APT43/Kimsuky Takedown
2025-11-07 • Bloo
https://bloo.io/blog/tracking-the-trackers-lessons-from-the-apt43-kimsuky-takedown
Bloo Labs draws on exposed Kimsuky/APT43 infrastructure, logs, and PHP code from January-May 2025 to show how the North Korean actor used tracking pixels in targeted phishing operations. The observed implementation embedded 1x1 image requests whose URLs carried base64-encoded, and therefore trivially reversible, email addresses, letting operators validate targets, record email opens, and collect client and location-adjacent metadata. The report contrasts these malicious pixels with legitimate marketing infrastructure, pointing to newly registered domains, custom PHP request handlers, inconsistent filenames, hidden loading behavior, and links to broader malicious infrastructure as the distinguishing traits. It provides detection approaches across proxy logs, email HTML/header inspection, and user-agent analysis, along with controls such as remote image blocking and content disarmament, making it useful for defenders who want to catch Kimsuky phishing reconnaissance before payload delivery.
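The email HTML inspection described above, written out as an added example that is not code from Bloo's report: it collects hidden remote images from a message body, tries to reverse a base64-encoded address from each pixel URL (query values and path segments), and separates a known marketing host from unknown ones. The sample message, the pixel-host.invalid host and the allow list are constructed for the example; track.hubspot.com is the legitimate contrast case the report names.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Marketing hosts treated as legitimate; track.hubspot.com is the report's contrast case.
KNOWN_MARKETING_HOSTS = {"track.hubspot.com"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample: hidden pixel on a placeholder host carrying base64("target@example.com"), a HubSpot open pixel, a plain logo.
SAMPLE_HTML = """<p>Quarterly report attached.</p>
<img src="https://pixel-host.invalid/open.php?u=dGFyZ2V0QGV4YW1wbGUuY29t" width="1" height="1" style="display:none">
<img src="https://track.hubspot.com/open/abc123.gif" width="1" height="1">
<img src="https://cdn.example.org/logo.png" width="200" height="60">"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []  # attribute dicts of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def decode_email(token):
    # Returns the address if token is plain, reversible base64 of an email, else None.
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if EMAIL_RE.match(text) else None

def is_hidden(attrs):
    # 1x1/0x0 dimensions or CSS hiding: the loading behaviour the report calls out.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_tracking_pixels(html):
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.imgs:
        url = urlparse(attrs.get("src", ""))
        if url.scheme not in ("http", "https") or not is_hidden(attrs):
            continue
        # Candidate tokens: every query value plus each path segment with its extension stripped.
        tokens = [v for vals in parse_qs(url.query).values() for v in vals]
        tokens += [seg.split(".")[0] for seg in url.path.split("/") if seg]
        email = next((e for t in tokens if (e := decode_email(t))), None)
        findings.append({"host": url.hostname, "email": email, "known_marketing": url.hostname in KNOWN_MARKETING_HOSTS})
    return findings
```

Domain registration age, which the report stresses, is not checked here; hosts flagged with `known_marketing` false are the ones to run through whatever registration-date lookup the environment already has.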
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://tracking-domain.com/req… | 2025-11-07 | 2025-11-07 |
| URL | https://tracking-domain.com/pix… | 2025-11-07 | 2025-11-07 |
| URL | https://tracking-domain.com/pix… | 2025-11-07 | 2025-11-07 |
| DOMAIN | tracking-domain.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | track.hubspot.com | 2025-11-07 | 2025-11-07 |