{"id":6485,"date":"2025-09-09T14:01:18","date_gmt":"2025-09-09T14:01:18","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=6485"},"modified":"2025-09-09T14:01:18","modified_gmt":"2025-09-09T14:01:18","slug":"kimusky-hackers-masquerade-as-tax-authority-with-september-tax-return-due-date-electronic-mail","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=6485","title":{"rendered":"Kimusky Hackers Masquerade as Tax Authority with \u2018September Tax Return Due Date\u2019 Electronic mail"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>South Korean web customers are being focused by a complicated phishing marketing campaign attributed to the North Korean menace actor often known as Kimsuky. <\/p>\n<p>The malicious emails, masquerading as official notices from the Nationwide Tax Service (NTS), inform recipients of a \u201cSeptember Tax Return Cost Due Discover\u201d and urge them to click on a hyperlink to view an digital doc. <\/p>\n<p>Safety analysts<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/wezard4u.tistory.com\/429590\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"> observe<\/a> that the attackers are using personalised info to lend credibility to the emails, posing a severe danger to Naver account holders.<\/p>\n<p>The phishing electronic mail\u2019s topic line explicitly references the NTS and a fee deadline: \u201cSeptember Tax Return Cost Due Discover (Verification Deadline: August 31, 2025, 11:59 PM).\u201d The physique textual content states: \u201cA brand new digital doc has arrived. <\/p>\n<p>Please test it now.\u201d Whereas the e-mail claims to originate from the NTS, the true sending infrastructure resides on the Mail(.ru) community, indicating a compromised or rented server useful resource outdoors <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/1502-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">South Korea<\/a>. Detailed header evaluation reveals:<\/p>\n<ul class=\"wp-block-list\">\n<li>Return-Path and Envelope-From fields are set to schimmel2025@record[.]ru.<\/li>\n<li>Sender server hostnames embody send174(.)j.mail(.)ru \u2192 95[.]163[.]59[.]13, which differ from reliable NTS mail servers.<\/li>\n<li>SPF checks move for the ru area, DKIM signatures validate utilizing mail4 selector, and DMARC coverage p=REJECT is honored, demonstrating the mail was transmitted by means of Mail(.ru) infrastructure quite than spoofed on the community layer.<\/li>\n<li>ARC headers present the message passing by means of an authenticated chain with no anomalies on the first ARC step.<\/li>\n<\/ul>\n<p>Time\u2010zone discrepancies additionally expose the marketing campaign\u2019s origin. Naver obtained the e-mail at 16:00:44 UTC on August 25, 2025, whereas the sender\u2019s server logged dispatch at 19:00:40 +03:00. <\/p>\n<p>In Korean time (UTC+9), the mail header timestamp reads August 26, 2025, 01:00:36, aligning with the Moscow time zone quite than Seoul. These particulars verify the e-mail\u2019s passage by means of worldwide infrastructure and flag it as illegitimate.<\/p>\n<h2 class=\"wp-block-heading\" id=\"phishing-link-analysis-and-indicators-of-compromis\"><strong>Phishing Hyperlink Evaluation <\/strong><\/h2>\n<p>The area server-on[.]internet has no affiliation with the NTS. An evaluation of the URL\u2019s question string reveals a p.c\u2010encoded parameter (m=worth) combining Base64 and ROT13 encodings, which, when partially decoded, reveals \u201canire(.)pbz-ROT13-?nid(.)naver(.)com\u201d to embed the recipient\u2019s precise electronic mail handle. <\/p>\n<p>This personalised token signifies focused phishing quite than broad spam blasts.<\/p>\n<p>The desk under summarizes the important thing indicators of compromise (IOCs):<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Indicator Kind<\/th>\n<th>Worth<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Sender Electronic mail Handle<\/td>\n<td>schimmel2025@record[.]ru<\/td>\n<\/tr>\n<tr>\n<td>Sender IP<\/td>\n<td>95[.]163[.]59[.]13<\/td>\n<\/tr>\n<tr>\n<td>Sender Mail Server Hostnames<\/td>\n<td>send174(.)j.mail(.)ru \u2192 95[.]163[.]59[.]13<\/td>\n<\/tr>\n<tr>\n<td>Phishing Area<\/td>\n<td>n-info[.]bill-nts[.]server-on[.]internet<\/td>\n<\/tr>\n<tr>\n<td>Question Parameter Encoding<\/td>\n<td>P.c-encoded + Base64\/ROT13 combination<\/td>\n<\/tr>\n<tr>\n<td>Embedded Recipient Identifier<\/td>\n<td>???@naver[.]com<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Victims who click on the hyperlink are prompted to log in with Naver <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/azure-ad-vulnerability-leaks-credentials\/\" target=\"_blank\" rel=\"noreferrer noopener\">credentials<\/a>, that are then harvested by the attackers. <\/p>\n<p>The personalised nature of the question string makes it tough for automated defenses to detect the phishing URL as malicious, underscoring the significance of cautious handbook verification.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-best-practices\"><strong>Mitigations <\/strong><\/h2>\n<p>Customers ought to by no means click on hyperlinks in unsolicited emails, even when they seem to return from trusted authorities businesses. <\/p>\n<p>As an alternative, navigate on to the official Nationwide <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/14-hackers-arrested-in-massive-tax-fraud-scheme\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tax Service<\/a> web site or official Naver digital doc portal. Confirm the sender\u2019s electronic mail handle by analyzing the envelope-from fields within the mail headers. <\/p>\n<p>Organizations dealing with delicate person knowledge ought to implement URL\u2010sandboxing defenses and deploy machine\u2010studying menace detection to flag unusual area patterns and complex encoding in URLs.<\/p>\n<p>By remaining vigilant in opposition to rigorously crafted phishing lures just like the \u201cSeptember Tax Return Due Date Discover,\u201d people and enterprises can higher defend in opposition to credential theft campaigns perpetrated by superior persistent menace teams equivalent to Kimsuky. <\/p>\n<p>Steady safety consciousness coaching, mixed with sturdy electronic mail filtering and header evaluation, will assist thwart these focused intrusions earlier than they compromise person accounts.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(135deg,rgb(238,238,238) 100%,rgb(169,184,195) 100%)\"><strong>Discover this Story Attention-grabbing! Comply with us on\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>\u00a0and\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get Extra Prompt Updates<\/strong>.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>South Korean web customers are being focused by a complicated phishing marketing campaign attributed to the North Korean menace actor often known as Kimsuky. The malicious emails, masquerading as official notices from the Nationwide Tax Service (NTS), inform recipients of a \u201cSeptember Tax Return Cost Due Discover\u201d and urge them to click on a hyperlink [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":6487,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[5254,1379,5255,578,554,5252,5253,1372,3073,3932],"class_list":["post-6485","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-authority","tag-date","tag-due","tag-email","tag-hackers","tag-kimusky","tag-masquerade","tag-return","tag-september","tag-tax"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6485"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6485\/revisions"}],"predecessor-version":[{"id":6486,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6485\/revisions\/6486"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/6487"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69d9690a190636c2e0989534. Config Timestamp: 2026-04-10 21:18:02 UTC, Cached Timestamp: 2026-06-13 15:20:51 UTC -->