Russian email addresses are used by North Korean Kimsuky hackers to commit credential theft attacks.
Kimsuky, a threat actor associated with North Korea, has been implicated in a number of phishing attacks that use email messages sent from Russian sender addresses in order to steal credentials. "Until early September, phishing emails were sent mainly through email services in Japan and Korea," the South Korean cybersecurity firm Genians stated. "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed."
VK's Mail.ru email service, which offers five distinct alias domains—mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru—is being abused in this way. According to Genians, the Kimsuky actors have been using all of the sender domains described above for phishing attempts that pose as online portals and financial organizations, such as Naver.
Messages imitating Naver's MYBOX cloud storage service have been used in other phishing attempts to trick users into clicking on links by creating a false sense of urgency: the message claims that dangerous files have been found in the recipient's account and must be removed. Phishing emails with a MYBOX theme have been observed since late April 2024; the initial waves used sender addresses from South Korea, Japan, and the United States.
Although these messages appeared to be sent from domains like "mmbox[.]ru" and "ncloud[.]ru," additional investigation has shown that the threat actor used a compromised Evangelia University email server (evangelia[.]edu) to send the messages using a PHP-based mailer service called Star.
Notably, enterprise security company Proofpoint had already confirmed Kimsuky's use of legitimate email tooling like PHPMailer and Star in November 2021. According to Genians, the ultimate objective of these attacks is credential theft, which can be used to take over victim accounts and use them to launch follow-on attacks against the victims' coworkers or friends.
Kimsuky has demonstrated over the years that it is skilled at running email-focused social engineering campaigns, spoofing email senders so that messages appear to come from trusted sources in order to get past security checks. Earlier this year, U.S. authorities called out the threat actor for exploiting "inappropriately configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts."
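Two defensive checks follow from the campaign described above: whether a domain's DMARC record is strict enough to cause spoofed mail to be rejected rather than merely reported, and whether an inbound message's display name invokes a trusted brand (Naver, MYBOX) while its sender address sits on one of the abused free-mail alias domains. The script below is an added example, not code from Genians, Proofpoint or any vendor named in the article; the DMARC records, the brand-to-domain mapping and the sample `From:` header are constructed for illustration, and no live DNS lookups are made.

```python
"""Triage helpers for the phishing pattern described in the article:
(1) classify how much protection a DMARC record actually gives against spoofing,
(2) flag messages whose display name claims a trusted brand while the sender
    domain is an unrelated free-mail alias domain.

All sample data below is CONSTRUCTED for this example; no DNS queries are made.
"""
import re
from email.utils import parseaddr

# DMARC TXT records as they would appear at _dmarc.<domain>. Constructed examples,
# not the real records of any organisation.
SAMPLE_DMARC_TXT = {
    "example-enforced.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-enforced.test",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=10",
    "example-sub-weak.test": "v=DMARC1; p=reject; sp=none",
    "example-none.test": None,  # no _dmarc record published at all
}

# Free-mail alias domains the article names as abused for sender addresses.
FREEMAIL_ALIAS_DOMAINS = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru", "list.ru"}

# Hypothetical brand keyword -> legitimate sending domains mapping for the example.
BRAND_DOMAINS = {"naver": {"naver.com"}, "mybox": {"naver.com"}}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag->value dict; {} if absent or not DMARC1."""
    if not txt:
        return {}
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_enforcement(txt):
    """Classify a record as one of:
    'missing'        - no valid record, receivers apply no DMARC policy
    'monitor-only'   - p=none, failures are reported but still delivered
    'partial'        - pct<100, only a sample of failing mail is acted on
    'subdomain-weak' - p enforced but sp=none leaves subdomains spoofable
    'enforced'       - p=quarantine/reject applied to all mail and subdomains
    """
    tags = parse_dmarc(txt)
    if not tags:
        return "missing"
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor-only"
    if pct < 100:
        return "partial"
    if sub_policy == "none":
        return "subdomain-weak"
    return "enforced"


def flag_brand_impersonation(from_header):
    """Return a reason string when the display name names a known brand but the
    address domain is a free-mail alias domain rather than the brand's own domain;
    return None when nothing is suspicious."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    words = set(re.findall(r"[a-z]+", display.lower()))
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in words and domain not in legit_domains and domain in FREEMAIL_ALIAS_DOMAINS:
            return f"display name claims '{brand}' but sender domain is {domain}"
    return None


if __name__ == "__main__":
    for name, record in SAMPLE_DMARC_TXT.items():
        print(f"{name:25s} {dmarc_enforcement(record)}")
    # Constructed header value in the style of the MYBOX-themed lures.
    print(flag_brand_impersonation('"NAVER MYBOX" <security-notice@bk.ru>'))
```

The DMARC classifier is the part that matters for the advisory quoted above: a record with `p=none` lets spoofed mail through while only generating reports, and `sp=none` or a low `pct` reopens the gap on subdomains or a slice of traffic. The header check is a coarse triage rule, not a verdict; a real pipeline would pair it with the SPF/DKIM/DMARC results in `Authentication-Results`.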