The notorious North Korean hacking group Kimsuky has evolved its phishing tactics, transitioning from Japanese and Korean email services to Russian Mail.ru domains in their latest credential theft operations.
The sophisticated campaign, which began in April 2024, targets users through multiple approaches:
• Impersonation of legitimate financial institutions and popular platforms like Naver
• False MYBOX cloud storage security notifications
• Exploitation of compromised email servers, including academic institutions
• Deployment of PHP-based mailing tools
The operation abuses misconfigured DMARC policies, which let spoofed sender addresses pass unchallenged, and combines this with social engineering to get past email security controls. After a successful credential theft, the group uses the compromised accounts to launch secondary attacks against additional targets.
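As an added illustration (not part of the article or of any Kimsuky tooling), the following Python shows the two checks a defender would run against the techniques listed above: grading a domain's DMARC record for the misconfigurations that let spoofed mail through, and scoring an inbound message for a brand display name on a free-mail sender, a misaligned Return-Path, and a failed DMARC result. The sample message, the brand list and the relay domain are constructed; a real deployment would fetch the DMARC record from DNS (the `_dmarc.<domain>` TXT record) instead of passing it in as a string.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Free-mail domains the article names as the campaign's current sender infrastructure.
FREEMAIL_DOMAINS = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru", "list.ru"}
LURE_BRANDS = ("naver", "mybox")  # brands the article says are impersonated (constructed list)

def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_weaknesses(record):
    """Reasons a domain's DMARC record would let mail spoofing it reach inboxes."""
    tags, problems = parse_dmarc(record), []
    if tags.get("v") != "DMARC1":
        problems.append("missing or malformed v=DMARC1 tag")
    if tags.get("p", "none") == "none":
        problems.append("p=none: receivers deliver mail that fails DMARC")
    if tags.get("pct", "100") != "100":
        problems.append("pct<100: policy enforced on only a fraction of mail")
    return problems

def assess_message(raw):
    """Flag brand display names on free-mail senders, misaligned Return-Path, DMARC failures."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if from_domain in FREEMAIL_DOMAINS and any(b in display.lower() for b in LURE_BRANDS):
        reasons.append(f"brand display name '{display}' sent from free-mail {from_domain}")
    if rp_domain and rp_domain != from_domain:
        reasons.append(f"Return-Path domain {rp_domain} not aligned with From {from_domain}")
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() != "pass":
        reasons.append(f"DMARC result {m.group(1)}")
    return reasons

# Constructed sample (not a real capture): a MYBOX lure from a mail.ru address relayed via a third-party server.
SAMPLE = """From: "Naver MYBOX Security" <notice-naver@mail.ru>
Return-Path: <bounce@compromised-relay.test>
Authentication-Results: mx.example.test; dmarc=fail header.from=mail.ru
Subject: Your MYBOX storage will be suspended"""
```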
The campaign’s move from Japanese, South Korean, and U.S. domains to Russian email services (mail.ru, internet.ru, bk.ru, inbox.ru, list.ru) marks a significant shift in the group’s operational strategy, demonstrating its adaptability and growing sophistication in email-based attacks.