UCID902: Uncovering nation state watering hole credential harvesting campaigns targeting human rights activists by APT threat group UCID902

2023-04-12 Inter Lab

https://interlab.or.kr/archives/18979

Interlab tracks UCID902 as a well-resourced cluster targeting human rights groups and activists focused on North Korea, with motivations aligned to North Korea’s Reconnaissance General Bureau and overlap with ESTSecurity’s Kumsong 121 reporting. The campaigns used Naver-themed credential phishing and watering-hole infrastructure hosted on compromised legitimate websites belonging to Korean businesses, law firms, child education providers, and medical research institutions. Interlab links activity from 2021 through early 2023 through shared IPs, domains, SMTP hosts, phishing kits, and victimology, including attacks on an NGO supporting North Korean refugees, a South Korean activist for North Korean human rights, and a Korean university professor. The report distinguishes UCID902 from Kimsuky despite TTP and motivation overlaps, making it useful for tracking DPRK-aligned credential theft against civil society targets.
