A North Korea-aligned cyber-espionage group known as Kimsuky has been linked to a series of phishing attacks leveraging Russian sender addresses, according to South Korean cybersecurity company Genians.
Until early September, Kimsuky's phishing campaigns primarily used email services in Japan and South Korea. From mid-September, however, the tactics shifted: phishing emails were crafted to appear as though they originated from Russian domains.
The group has also deployed phishing emails mimicking legitimate cloud storage services such as Naver's MYBOX. The emails urged recipients to click malicious links under the pretext of removing malware supposedly discovered in their accounts.
The MYBOX-themed phishing campaigns, which began in April 2024, initially used sender addresses linked to domains in Japan, South Korea, and the US. In more recent campaigns, Kimsuky has abused Russia's VK Mail.ru email service. This platform supports domains such as mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru, all of which have been exploited in phishing attacks.
Further analysis revealed that Kimsuky has been leveraging a compromised email server belonging to a university. Using a PHP-based mailer service called Star, the attackers sent phishing emails that impersonated financial institutions and internet portals like Naver.
Some of the emails appeared to originate from domains like "mmbox[.]ru" and "ncloud[.]ru." However, deeper investigation confirmed the use of the university’s email infrastructure to distribute the phishing messages.
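The mismatch described above, a claimed .ru sender on mail that was actually injected at a university mail server, is the kind of thing a mail-header triage check can surface. The following is an added example, not code from Genians or the report; the hostnames in the sample message are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Sender domains the report names: the VK Mail.ru family plus the lookalikes seen
# on mail that was actually relayed through the compromised university server.
MAILRU_DOMAINS = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru", "list.ru"}
LOOKALIKE_DOMAINS = {"mmbox.ru", "ncloud.ru"}

def header_domain(value):
    """Lower-cased domain of an address header, or '' if it carries no address."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def earliest_hop(msg):
    """Host named in the bottom-most Received: header, i.e. the first relay touched."""
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return match.group(1).lower().strip("()[]") if match else ""

def analyze(raw):
    """Return From/Return-Path/first-hop domains plus a list of mismatch findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    hop = earliest_hop(msg)
    findings = []
    if from_dom in MAILRU_DOMAINS | LOOKALIKE_DOMAINS:
        findings.append("From domain is on the Kimsuky sender watchlist")
    if rp_dom and rp_dom != from_dom:
        findings.append("Return-Path domain differs from From domain")
    if hop and from_dom and not hop.endswith(from_dom):
        findings.append("first relay is not under the From domain")
    return {"from": from_dom, "return_path": rp_dom, "first_hop": hop, "findings": findings}

# Constructed sample: a MYBOX-style lure claiming a .ru sender but handed to the
# recipient's MX by a university mail host (all hostnames are placeholders).
SAMPLE = """Return-Path: <bounce@mail.example-univ.ac.kr>
Received: from mx.defender.example (mx.defender.example [203.0.113.5])
 by inbound.defender.example with ESMTP; Tue, 1 Oct 2024 09:00:00 +0900
Received: from mail.example-univ.ac.kr (mail.example-univ.ac.kr [192.0.2.10])
 by mx.defender.example with ESMTP; Tue, 1 Oct 2024 08:59:58 +0900
From: "Naver MYBOX" <security@mmbox.ru>
To: user@defender.example
Subject: Malware detected in your MYBOX account

Click the link below to remove the detected malware from your account.
"""
```

Run `analyze(SAMPLE)` to see all three findings fire on the sample; on real traffic the Return-Path and first-hop checks are the ones that survive a change of lure domain.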
The objective of the attacks is credential theft, enabling Kimsuky to hijack victim accounts. The compromised accounts are then weaponized for further attacks, targeting other employees or associates.