South Korean internet users are being targeted by a sophisticated phishing campaign attributed to the North Korean threat actor known as Kimsuky.
The malicious emails, masquerading as official notices from the National Tax Service (NTS), inform recipients of a “September Tax Return Payment Due Notice” and urge them to click a link to view an electronic document.
Security analysts note that the attackers are employing personalized information to lend credibility to the emails, posing a serious risk to Naver account holders.
The phishing email’s subject line explicitly references the NTS and a payment deadline: “September Tax Return Payment Due Notice (Verification Deadline: August 31, 2025, 11:59 PM).” The body text states: “A new electronic document has arrived. Please check it now.”
While the email claims to originate from the NTS, the true sending infrastructure resides on the Mail(.ru) network, indicating a compromised or rented server resource outside South Korea. Detailed header analysis reveals:
- Return-Path and Envelope-From fields are set to schimmel2025@list[.]ru.
- Sender server hostnames include send174(.)j.mail(.)ru → 95[.]163[.]59[.]13, which differ from legitimate NTS mail servers.
- SPF checks pass for the sending .ru domain, DKIM signatures validate using the mail4 selector, and the DMARC policy p=REJECT is honored, demonstrating that the mail was genuinely transmitted through Mail(.ru) infrastructure rather than spoofed at the network layer.
- ARC headers show the message passing through an authenticated chain with no anomalies at the first ARC step.
Time-zone discrepancies also expose the campaign’s origin. Naver received the email at 16:00:44 UTC on August 25, 2025, while the sender’s server logged dispatch at 19:00:40 +03:00.
In Korean time (UTC+9), the mail header timestamp reads August 26, 2025, 01:00:36, aligning with the Moscow time zone rather than Seoul. These details confirm the email’s passage through international infrastructure and flag it as illegitimate.
Phishing Link Analysis
The domain server-on[.]net has no affiliation with the NTS. An analysis of the URL’s query string shows a percent-encoded parameter (m=value) that combines Base64 and ROT13 encodings; partially decoding it reveals “anire(.)pbz-ROT13-?nid(.)naver(.)com”, where “anire(.)pbz” is the ROT13 form of “naver(.)com”, showing that the token embeds the recipient’s actual email address.
This personalized token indicates targeted phishing rather than broad spam blasts.
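The decoding described above, as an added analyst helper that is not part of the original article: it peels the percent-encoding, Base64 and ROT13 layers off an m= parameter and reports any embedded address. The exact layering (Base64 outside, ROT13 inside), the placeholder host and the sample recipient are assumptions used to construct test input.

```python
import base64
import codecs
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Assumption (the article does not state the order explicitly): the m= value is
# Base64 on the outside and ROT13 on the inside, which matches the "anire(.)pbz"
# (ROT13 of naver.com) fragment the article observed after partial decoding.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_token(email: str) -> str:
    """Rebuild the assumed layering (ROT13, then Base64) to construct sample input."""
    return base64.b64encode(codecs.encode(email, "rot13").encode()).decode()


def token_from_url(url: str) -> Optional[str]:
    """Return the m= query parameter (parse_qs already percent-decodes it)."""
    return parse_qs(urlsplit(url).query).get("m", [None])[0]


def decode_token(token: str) -> Dict[str, str]:
    """Peel the layers one at a time, keeping every intermediate stage for review."""
    stages = {"raw": token, "percent_decoded": unquote(token)}
    pct = stages["percent_decoded"]
    try:
        padded = pct + "=" * (-len(pct) % 4)  # tolerate stripped Base64 padding
        stages["base64_decoded"] = base64.b64decode(padded).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not Base64, keep the text as-is
        stages["base64_decoded"] = pct
    stages["rot13"] = codecs.encode(stages["base64_decoded"], "rot13")
    return stages


def extract_recipient(url: str) -> Optional[str]:
    """Return the embedded address if any decoding stage yields an e-mail pattern."""
    token = token_from_url(url)
    if token is None:
        return None
    stages = decode_token(token)
    for layer in ("rot13", "base64_decoded", "percent_decoded"):
        hit = EMAIL_RE.search(stages[layer])
        if hit:
            return hit.group(0)
    return None


# Constructed sample: a fictitious recipient, a placeholder host standing in for the
# phishing domain, and a token built with the layering assumed above.
SAMPLE_URL = "https://phishing-host.invalid/view?m=" + quote(encode_token("hong.gildong@naver.com"))

if __name__ == "__main__":
    print(decode_token(token_from_url(SAMPLE_URL)))
    print("recipient:", extract_recipient(SAMPLE_URL))
```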
The table below summarizes the key indicators of compromise (IOCs):
| Indicator Type | Value |
|---|---|
| Sender Email Address | schimmel2025@list[.]ru |
| Sender IP | 95[.]163[.]59[.]13 |
| Sender Mail Server Hostnames | send174(.)j.mail(.)ru → 95[.]163[.]59[.]13 |
| Phishing Domain | n-info[.]bill-nts[.]server-on[.]net |
| Query Parameter Encoding | Percent-encoded + Base64/ROT13 mixture |
| Embedded Recipient Identifier | ???@naver[.]com |
Victims who click the link are prompted to log in with Naver credentials, which are then harvested by the attackers.
The personalized nature of the query string makes it difficult for automated defenses to detect the phishing URL as malicious, underscoring the importance of careful manual verification.
Mitigations
Users should never click links in unsolicited emails, even if they appear to come from trusted government agencies.
Instead, navigate directly to the official National Tax Service website or official Naver electronic document portal. Verify the sender’s email address by examining the envelope-from fields in the mail headers.
Organizations handling sensitive user data should implement URL-sandboxing defenses and deploy machine-learning threat detection to flag uncommon domain patterns and sophisticated encoding in URLs.
By remaining vigilant against carefully crafted phishing lures like the “September Tax Return Due Date Notice,” individuals and enterprises can better defend against credential theft campaigns perpetrated by advanced persistent threat groups such as Kimsuky.
Continuous security awareness training, combined with robust email filtering and header analysis, will help thwart these targeted intrusions before they compromise user accounts.