Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domains and certificates impersonating Apple. Both findings align with tactics commonly associated with DPRK cyber operations. The phishing server, hosted in Seoul, contained multiple folders with files for credential theft. Additionally, a cluster of IPs across various countries was found sharing TLS certificates and domains spoofing Apple. The use of low-cost domains, Let's Encrypt certificates, and frequent infrastructure changes are consistent with known DPRK threat actor behaviors.