North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks


Kimsuky, a North Korea-aligned cyber threat group, has launched phishing campaigns leveraging Russian sender addresses and Mail.ru domains, such as mail.ru and inbox.ru. These campaigns often impersonate financial institutions or cloud storage services like Naver MYBOX to steal credentials.

The group has used compromised email servers, such as one belonging to Evangelia University, and tools like PHPMailer and Star to send phishing emails. These messages often create urgency, tricking users into clicking malicious links.

Kimsuky is known for advanced email spoofing and for exploiting misconfigured DMARC policies to get spoofed messages past email authentication checks. Its aim is to harvest credentials, hijack the affected accounts, and use them for follow-on attacks against other targets.
