Web Page Disguised as a Naver Login Page

2023-02-13 Ahnlab

https://asec.ahnlab.com/en/47530/


ASEC observed fake Naver login pages built on the same attacker-controlled domain pattern previously used for fake Kakao credential theft. The phishing flow leads users to a password reconfirmation page where the login ID is prefilled and entered passwords are sent to the actor’s server. The pages use a mixture of legitimate Naver links and forged service pages to reduce suspicion, with redirects returning victims to the credential capture form. ASEC assessed Kimsuky involvement based on reverse DNS, related IP/domain data, and files collected during analysis. The activity matters because the actor was repeatedly changing prefilled target accounts, including accounts tied to media and a Ministry of Unification-affiliated organization.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
| --- | --- | --- | --- |
| URL | http://nid.bim-mgn.com | 2023-02-02 | 2023-02-13 |
| URL | http://wwwid.bim-mgn.com | 2023-02-02 | 2023-02-13 |
| URL | http://accountskakao.bim-mgn.com | 2023-02-02 | 2023-02-13 |
| DOMAIN | accountskakao.bim-mgn.com | 2023-02-02 | 2023-02-13 |
| DOMAIN | wwwid.bim-mgn.com | 2023-02-02 | 2023-02-13 |
| DOMAIN | nid.bim-mgn.com | 2023-02-02 | 2023-02-13 |
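
The indicators above share one parent domain, with the first label imitating a login host. The following is an added detection example, not ASEC's code: it flags proxy-log requests to that parent domain and, as a triage heuristic that goes beyond the listed indicators, to hosts whose first label copies a Naver or Kakao login label on an unrelated domain. The genuine hosts (nid.naver.com, accounts.kakao.com), the log layout and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Parent domain shared by every indicator listed in the report.
IOC_PARENT = "bim-mgn.com"
# Assumption: the genuine login hosts being imitated, as (first label, domain).
GENUINE = {"naver": ("nid", "naver.com"), "kakao": ("accounts", "kakao.com")}

def host_of(value):
    """Return the lowercase hostname from a URL or bare host[:port]."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".")

def under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(value):
    """Return 'ioc', 'lookalike:<brand>' or None for one URL or hostname."""
    host = host_of(value)
    if not host:
        return None
    if under(host, IOC_PARENT):
        return "ioc"
    if any(under(host, dom) for _, dom in GENUINE.values()):
        return None  # the real service, not an imitation
    first = host.split(".")[0].replace("-", "")
    if first == GENUINE["naver"][0]:
        return "lookalike:naver"
    if GENUINE["kakao"][0] in first and "kakao" in first:
        return "lookalike:kakao"
    return None

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = """\
2023-02-10T09:12:01Z 10.0.0.5 GET https://nid.naver.com/nidlogin.login
2023-02-10T09:12:44Z 10.0.0.7 POST http://nid.bim-mgn.com/
2023-02-10T09:13:02Z 10.0.0.7 GET http://accounts-kakao.example.test/login
2023-02-10T09:13:30Z 10.0.0.9 GET https://accounts.google.com/
"""

def scan(log_text):
    """Return (line number, host, verdict) for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        verdict = classify(fields[-1]) if fields else None
        if verdict:
            hits.append((n, host_of(fields[-1]), verdict))
    return hits
```

Suffix matching is done on whole labels, so a host such as bim-mgn.com.example.test is not treated as an indicator hit.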
