A new wave of phishing attacks purporting to originate from South Korea's National Tax Service (NTS) has emerged, using familiar digital document notifications to trick recipients into handing over their Naver credentials.
Distributed on August 25, 2025, the email mimics the official format used by Naver's secure document service, displaying the sender as "National Tax Service" and warning that failure to view the "September Tax Return Payment Due Notice" by August 31 will result in delivery by other means.
The message conveys urgency and legitimacy through a plausible subject line and formatting, but subtle anomalies reveal its malicious intent.
Closer inspection of the email header shows that the message was dispatched from Mail.ru infrastructure rather than an official NTS server.
The Return-Path is [email protected], and the sender IP 95.163.59.13 corresponds to send174.i.mail.ru. Although the message passes SPF, DKIM, and DMARC checks, its ARC chain shows only the first Authenticated Received Chain step, with no organizational endorsement.
Kimsuky's National Tax Service phishing email (Source – Wezard4u Tistory)
Wezard4u Tistory analysts identified the absence of official NTS domain records in DNS lookups as a clear red flag, and alerted cyber defenders and informed users to these inconsistencies.
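The header anomalies described above (a government display name on a free-mail sender, passing SPF/DKIM/DMARC that vouch only for the sending domain) can be checked mechanically. The following is an added example and not code from the original write-up: the two messages are constructed to mirror the reported values (send174.i.mail.ru, 95.163.59.13, the "National Tax Service" display name), the addresses are placeholders, and nts.go.kr is assumed to be the agency's legitimate domain.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers reported above. Addresses are placeholders.
PHISHING_MESSAGE = """\
Return-Path: <placeholder-sender@mail.ru>
Received: from send174.i.mail.ru (send174.i.mail.ru [95.163.59.13]) by mx.example.invalid
Authentication-Results: mx.example.invalid; spf=pass; dkim=pass header.d=mail.ru; dmarc=pass
From: "National Tax Service" <placeholder-sender@mail.ru>
To: victim@example.invalid
Subject: September Tax Return Payment Due Notice

Please view the secure document before August 31.
"""

# Constructed benign counterpart for comparison.
CLEAN_MESSAGE = """\
Return-Path: <notice@nts.go.kr>
Received: from mail.nts.go.kr (mail.nts.go.kr [203.0.113.10]) by mx.example.invalid
Authentication-Results: mx.example.invalid; spf=pass; dkim=pass header.d=nts.go.kr; dmarc=pass
From: "National Tax Service" <notice@nts.go.kr>
To: taxpayer@example.invalid
Subject: Notice

Body.
"""

# Display names that claim an organisation, mapped to the domains allowed to use them.
# nts.go.kr is an assumption here; in practice load this table from your own allow-list.
CLAIMED_ORGS = {"national tax service": {"nts.go.kr"}}
# Free-mail / bulk providers that no government agency sends from (partial, illustrative).
FREEMAIL_DOMAINS = {"mail.ru", "gmail.com", "naver.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw: str) -> dict:
    """Return the sender facts an analyst wants plus a list of findings (empty = no anomaly)."""
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    relay = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)
    claimed = display.strip().lower()
    findings = []

    if claimed in CLAIMED_ORGS and from_dom not in CLAIMED_ORGS[claimed]:
        findings.append(f"display name '{display}' is not backed by an allowed domain (From: {from_dom})")
    if claimed in CLAIMED_ORGS and from_dom in FREEMAIL_DOMAINS:
        findings.append(f"organisation impersonation via free-mail provider {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if findings and "dmarc=pass" in msg.get("Authentication-Results", ""):
        # SPF/DKIM/DMARC prove the sending domain controls the mail,
        # not that the display name is truthful.
        findings.append("authentication passed for the sending domain, which does not validate the display name")

    return {
        "display_name": display,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "relay_host": relay.group(1) if relay else "",
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyze_headers(sample))
```

The check deliberately treats a DMARC pass as neutral: it is only reported alongside other findings, to remind the analyst that alignment on mail.ru says nothing about who "National Tax Service" is.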
Embedded in the body of the email is a link to hxxp://n-info.bill-nts.server-on.net/users2/?m=3Duggcf%3N…&[email protected], where the "m" parameter conceals a percent-encoded, ROT13- and Base64-mixed URL.
Decoding reveals a redirection to nid.naver.com, a fabricated login portal designed to harvest credentials.
The malicious site replicates Naver's login interface with precise styling, prompting users to enter their username and password under the guise of viewing an official document.
Phishing email header (Source – Wezard4u Tistory)
JavaScript injected into the page captures the input fields and posts them to a remote server controlled by Kimsuky.
Detection Evasion Techniques
Kimsuky's payload employs several evasion tactics to bypass automated filters and human scrutiny.
By fragmenting the redirect URL across percent-encoding, Base64, and ROT13 layers, the attackers obfuscate the true destination of the link, complicating URL pattern matching by security gateways.
A simplified Python snippet illustrates the decoding process found in the link analysis:
import urllib.parse, codecs

raw_param = "uggcf%253N%252S%252Sznvy(.)anire(.)pbz"   # defanged sample from the link; "(.)" stands for "."
decoded = urllib.parse.unquote(raw_param)               # outer percent layer -> uggcf%3N%2S%2Sznvy(.)anire(.)pbz
rot13 = codecs.decode(decoded, "rot_13")                # ROT13 layer       -> https%3A%2F%2Fmail(.)naver(.)com
payload = urllib.parse.unquote(rot13)                   # inner percent layer (this sample carries no Base64 layer)
print(payload)                                          # https://mail(.)naver(.)com
This routine peels the layers back to a naver.com address (the sample string above decodes to the defanged mail(.)naver(.)com; the live link redirected to nid.naver.com), confirming the phishing destination.
In addition, the email relies on legitimate Mail.ru TLSv1.3 encryption, which encrypts transmission from the sending server to Naver's mail gateway and further lowers suspicion.
By combining header forgery, layered URL obfuscation, and realistic UI replication, Kimsuky achieves a high success rate in credential theft campaigns.
Security teams should monitor for Mail.ru-origin traffic masquerading under official domains and implement decoding routines to flag mixed-encoding URLs.
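The snippet above handles one fixed order of layers. A gateway rule has to cope with whatever order and mix the sender chose, so the following added example (not part of the original article or of the Wezard4u analysis) generalises it: it peels percent-encoding, ROT13 and Base64 one layer at a time until a URL appears, then flags any query parameter that needed more than plain percent-decoding. The page's sample value is reused; the Base64 sample and the host example.invalid are constructed.

```python
import base64
import binascii
import codecs
import re
import urllib.parse

# Defanged sample taken from the link analysis above ("(.)" stands in for ".").
PAGE_SAMPLE = "uggcf%253N%252S%252Sznvy(.)anire(.)pbz"
# Constructed: the same destination wrapped in a single Base64 layer, to exercise the third decoder.
CONSTRUCTED_B64 = base64.b64encode(b"https://mail(.)naver(.)com").decode()
# Constructed phishing-style URL on a hypothetical host; the page's host is not reused here.
CONSTRUCTED_URL = ("hxxp://example.invalid/users2/?m=" + PAGE_SAMPLE
                   + "&email=victim%40example.invalid")

URL_RE = re.compile(r"^(?:https?|hxxps?)://[\w.()\-]+", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_url(s: str) -> bool:
    return bool(URL_RE.match(s))


def _percent_decode(s: str):
    """One percent-decoding pass, or None if it changes nothing (invalid %XX pairs are left alone)."""
    out = urllib.parse.unquote(s)
    return out if out != s else None


def _rot13_if_useful(s: str):
    """Apply ROT13 only when the result is a URL, or percent-decodes to one."""
    rot = codecs.decode(s, "rot_13")
    if looks_like_url(rot):
        return rot
    inner = _percent_decode(rot)
    return rot if inner is not None and looks_like_url(inner) else None


def _base64_if_text(s: str):
    """Strict Base64 decode that must yield printable text; None otherwise."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


DECODERS = (("percent", _percent_decode), ("rot13", _rot13_if_useful), ("base64", _base64_if_text))


def peel_layers(value: str, max_layers: int = 8):
    """Strip encoding layers one at a time; return (final_value, names_of_layers_removed)."""
    layers, current = [], value
    for _ in range(max_layers):
        if looks_like_url(current):
            break
        for name, decoder in DECODERS:
            nxt = decoder(current)
            if nxt is not None:
                layers.append(name)
                current = nxt
                break
        else:
            break  # no decoder applied, nothing more to peel
    return current, layers


def scan_url(url: str) -> dict:
    """Decode every query parameter of a URL and flag mixed or non-percent encodings."""
    report = {}
    for pair in urllib.parse.urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        decoded, layers = peel_layers(raw)
        mixed = len(set(layers)) >= 2                       # two or more distinct layer types
        obfuscated = any(layer != "percent" for layer in layers)
        report[key] = {"decoded": decoded, "layers": layers, "suspicious": mixed or obfuscated}
    return report


if __name__ == "__main__":
    print(peel_layers(PAGE_SAMPLE))
    print(peel_layers(CONSTRUCTED_B64))
    print(scan_url(CONSTRUCTED_URL))
```

The ROT13 step is gated on the result looking like a URL, because ROT13 is its own inverse and would otherwise be "applied" to anything; the Base64 step is strict and requires printable output for the same reason. The ordinary email parameter, which only needs one percent-decode, is left unflagged.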