Recent phishing attacks have been attributed to Kimsuky, a threat actor linked to North Korea. One component of the campaign is sending emails from Russian sender addresses. The ultimate objective is credential theft: stolen credentials can then be used to take over victim accounts and launch further attacks against the victims' coworkers or acquaintances.
Earlier this year the US government criticized the actor for using "improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts." Notably, in November 2021 the enterprise security firm Proofpoint documented the threat actor's use of legitimate email tools such as PHPMailer and Star.

Early waves reported since late April 2024 used sender addresses on U.N., American, South Korean, and Japanese domains. The threat actor sent the messages through a PHP-based mailer service called Star, using a compromised email server belonging to Evangelia University (evangelia[.]edu).
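The DMARC weakness the advisory describes is a policy problem, not a software bug: a domain that publishes `p=none` (or no record at all) asks receivers to report spoofed mail rather than block it, so a message with a forged From: on that domain can still reach the inbox. The following is an added example, not code from the article, the advisory, or any of the vendors mentioned. It parses DMARC TXT records and flags the configurations a spoofed message would survive. The domain names and records are constructed samples, not real lookups.

```python
"""Assess whether a domain's DMARC policy lets spoofed mail through.

Added example for this article. The domains and TXT records below are
constructed samples; in practice you would fetch the TXT record at
_dmarc.<domain> and feed it to assess().
"""
from dataclasses import dataclass, field

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@partial.example",
    "subdom.example":  "v=DMARC1; p=reject; sp=none",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    "missing.example": "",   # no _dmarc TXT record published at all
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: str            # effective policy for the organizational domain
    subdomain_policy: str  # effective policy for subdomains (sp, defaults to p)
    pct: int               # share of failing mail the policy is applied to
    spoofable: bool        # True if a message failing alignment can still be delivered
    reasons: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: str) -> DmarcAssessment:
    """Classify a record the way a defender triaging DMARC coverage would."""
    reasons = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("no valid DMARC record: receivers apply no policy")
        return DmarcAssessment(domain, "none", "none", 0, True, reasons)

    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp falls back to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100

    if policy == "none":
        reasons.append("p=none: failures are only reported, never blocked")
    if subdomain_policy == "none" and policy != "none":
        reasons.append("sp=none: subdomains of an enforcing domain remain spoofable")
    if pct < 100 and policy != "none":
        reasons.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")

    spoofable = policy == "none" or subdomain_policy == "none" or pct < 100
    return DmarcAssessment(domain, policy, subdomain_policy, pct, spoofable, reasons)


def spoofable_domains(records: dict) -> list:
    """Return the sorted list of domains whose policy would not stop a forged From:."""
    return sorted(d for d, r in records.items() if assess(d, r).spoofable)


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        a = assess(name, rec)
        print(f"{name:16} p={a.policy:6} sp={a.subdomain_policy:6} "
              f"pct={a.pct:3} spoofable={a.spoofable}")
        for why in a.reasons:
            print("    -", why)
```

Only `strong.example` comes back as not spoofable. `p=quarantine` is treated as enforcing here; whether quarantined mail is "blocked enough" depends on how the receiving mailbox surfaces its spam folder, which is a judgement call this check leaves to the reader.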