
Caution: Phishing Alert – September Tax Return Due Date Notice from Kimsuky Hackers

A new wave of phishing attacks has emerged, falsely claiming to originate from South Korea’s National Tax Service. These attacks leverage familiar electronic document notifications to deceive recipients into revealing their Naver credentials. Distributed on August 25, 2025, the phishing email mimics the official format of Naver’s secure document service, presenting itself as a communication from the “National Tax Service.” The email warns recipients that failure to view the “September Tax Return Payment Due Notice” by August 31 will result in alternative delivery methods. While the message conveys urgency and appears legitimate, subtle anomalies indicate its malicious intent. Forensic analysis reveals that the email was sent from Mail.ru infrastructure rather than an official NTS server, with the return-path listed as schimmel2025@list.ru and the sender IP corresponding to Mail.ru.
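The header mismatch described above can be checked mechanically. The following is an added example, not code from the original analysis: it flags a message whose display name claims a protected sender while the Return-Path or delivering relay belongs to a free-mail provider. The sample message is constructed (only the Return-Path value comes from the article), and the `nts.go.kr` allowlist, the relay hostname and the function names are assumptions to replace with values you have verified.

```python
import email
import re
from email.utils import parseaddr

# list.ru is the Return-Path domain reported in the article; the others are
# further Mail.ru consumer domains, added here from general knowledge.
FREEMAIL = {"mail.ru", "list.ru", "bk.ru", "inbox.ru"}

# Constructed sample message: hostnames, IP and From address are placeholders.
SAMPLE = """\
Return-Path: <schimmel2025@list.ru>
Received: from relay.example.mail.ru (relay.example.mail.ru [192.0.2.10])
\tby mx.example.net with ESMTPS (TLSv1.3); Mon, 25 Aug 2025 09:00:00 +0900
From: "National Tax Service" <notice@example.invalid>
Subject: September Tax Return Payment Due Notice

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def under(domain, suffixes):
    """True if domain equals, or is a subdomain of, any listed suffix."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def assess(raw, claimed_names, expected_domains):
    """Return findings for a message that claims a protected display name."""
    msg = email.message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    findings = []
    if not any(n.lower() in display.lower() for n in claimed_names):
        return findings  # message does not claim the protected identity
    rp = domain_of(msg.get("Return-Path"))
    if not under(rp, expected_domains):
        findings.append(f"return-path domain {rp!r} is not an expected sender")
    if under(rp, FREEMAIL):
        findings.append(f"return-path domain {rp!r} is a free-mail domain")
    # The topmost Received header is the one written by the receiving MX.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[0]) if received else None
    if m and under(m.group(1).lower(), FREEMAIL):
        findings.append(f"delivered by free-mail relay {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE, ["National Tax Service"], {"nts.go.kr"}):
        print(finding)
```

A TLS-protected hop, as in the sample `Received` line, says nothing about who the sender is, so the check ignores it and looks only at domain alignment.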

Analysts from Wezard4u Tistory identified several red flags within the email. Notably, DNS lookups show no official NTS domain records for the sender, which should raise concerns for cyber defenders. The email contains a link whose URL is hidden behind percent-encoding mixed with ROT13/Base64, and which redirects to a fabricated login portal designed to harvest credentials. This malicious site closely replicates Naver’s login interface, prompting users to enter their username and password under the guise of accessing an official document.

Kimsuky, the group behind the attack, employs various evasion techniques to bypass automated filters. By fragmenting the redirect URL, they obfuscate the true destination, complicating detection efforts. The email also uses legitimate Mail.ru TLSv1.3 encryption, so transmission from the sender server to Naver is secured.

Categories: Phishing Attacks, Cybersecurity Threats, Email Spoofing 

Tags: Phishing, South Korea, National Tax Service, Naver, Email, Credentials, Malicious, Evasion Techniques, URL, Encryption 
