Trojan and Phishing Dominate Korean Phishing Email Attachments in April 2026

Answer Brief

In April 2026, Trojan malware accounted for 47% of phishing email attachments in South Korea, followed by phishing payloads at 39%, according to ASEC analysis. Attackers used social engineering lures like fake tax invoices and logistics notifications, with Trojans often delivered via double-extension files and phishing via HTML spoofs. The share of phishing malware rose from 21% to 39% month-over-month.

Signal Timeline

A quick visual path for analysts before reading the full brief.

  1. ASEC publishes April 2026 phishing email attachment threat report
  2. Previous month: phishing malware share at 21%, FakePage at 0.7p
  3. Source published by ASEC (AhnLab Security Emergency Response Center)

Illustration of Korean phishing email tactics in April 2026: fake DHL notification and spoofed government login page used to deliver Trojans and harvest credentials

Why It Matters

The ASEC report highlights a clear shift in phishing email tactics targeting South Korean users in April 2026, with Trojan malware leading at 47% of observed threats in malicious attachments. These Trojans frequently used social engineering techniques such as double file extensions or mimicking legitimate document names to bypass user suspicion and execute payloads that install persistent malware. The high prevalence underscores the continued effectiveness of execution-based lures in Korean-language phishing campaigns, particularly when disguised as routine business or government communications.

Phishing payloads, designed to harvest credentials via fake login pages, rose sharply to 39% in April from 21% the prior month, indicating a tactical pivot toward credential theft. Attackers employed HTML and SHTML scripts to clone authentic login interfaces, often embedding them in attachments or using hyperlinks in PDFs to redirect victims to attacker-controlled sites. This increase suggests growing investment in infrastructure for harvesting credentials, possibly for use in downstream account compromise or business email compromise (BEC) schemes.

Technical Signal

The report notes specific lure themes used in Korean-language phishing emails, including fake electronic tax invoices (NTS eTaxInvoice.html), logistics notifications from DHL and FedEx, and impersonations of government bodies like the Ministry of Unification. One case involved a spoofed Ministry of Unification email urging platform upgrade authentication, leading to a FakePage that harvested credentials and exfiltrated them to a C2 server hosted at hxxps://www.seety.it/crinity/unikorea.go.kr/save[.]php. Another example impersonated a domestic manufacturer, ‘Yujin Technologys’, using a PDF lure to trigger credential theft and C2 communication via hxxps://fkp.su/Page/info[.]php.

In the compress category, attackers impersonated domestic energy firm ‘Hyundai E&F’ to distribute Quotation-themed ZIP or RAR files, prompting users to extract and execute malware. Post-infection, data was exfiltrated via a compromised mail server (hosting2.ro.hostsailor[.]com:587) using the sender address sales@rollmann[.]in and targeting zamanic62@gmail[.]com, demonstrating how trusted corporate brands are abused to facilitate data theft.

Operational Impact

Although Trojans remained dominant, the month-over-month rise in phishing malware share signals evolving attacker priorities. The increase in FakePage distribution (from 0.7p to 1.1p over six months) further supports a trend toward more sophisticated credential harvesting infrastructure. Meanwhile, script-based malware declined sharply, suggesting attackers may be shifting away from executable scripts in favor of less suspicious document or archive formats.

For defenders, the report emphasizes the need for attachment sandboxing, URL detonation, and user training focused on verifying unexpected invoices, logistics alerts, and government communications—especially those urging immediate action. Monitoring for C2 domains linked to known phishing kits and tracking spoofed brand usage in email headers can improve early detection. The use of legitimate-looking file names and extensions remains a key bypass technique, reinforcing the value of behavior-based detection over reliance on file type alone.
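As an added illustration of the detection approach recommended above (judging an attachment by its name pattern and by what its content does, not by declared file type alone), the following Python triage script is not from the ASEC report or this brief. It parses a constructed .eml (the sender, the attachment name and the spoofed login-page markup are all made up), flags document-looking double extensions such as Quotation.pdf.exe, and flags HTML attachments whose form posts credentials to a host outside the sender's domain.

```python
import email.policy
import re

# Constructed sample, not from the ASEC report: an HTML "FakePage" attachment
# posing as an electronic tax invoice that posts credentials to a third-party host.
SAMPLE_EML = b"""From: billing@example-invoice.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="eTaxInvoice.html"

<html><form action="https://login-spoof.example.invalid/save.php" method="post">
<input type="password" name="pw"></form></html>
--b1--
"""
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "hwp", "txt", "jpg"}

def flag_filename(name):
    # Document-looking name with an executable final extension, e.g. Quotation.pdf.exe
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] in EXEC_EXT:
        return ["double-extension executable"]
    return []

def flag_html(body, sender_domain):
    # FakePage signals: a form posting to a host the sender does not own, password fields
    found = []
    for action in re.findall(r'<form[^>]*\baction=["\']?([^"\' >]+)', body, re.I):
        m = re.match(r"https?://([^/:?#]+)", action, re.I)
        host = m.group(1).lower() if m else ""
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            found.append("form posts to external host " + host)
    if re.search(r'type=["\']?password', body, re.I):
        found.append("password field in attachment")
    return found

def triage(raw):
    # Map attachment name -> findings; an empty dict means nothing looked suspicious
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        found = flag_filename(name)
        if part.get_content_type() == "text/html":
            found += flag_html(part.get_content(), sender_domain)
        if found:
            report[name] = found
    return report
```

Running `triage(SAMPLE_EML)` reports the HTML attachment for both the external form target and the password field; a name like `Quotation.pdf.exe` is caught by `flag_filename` even when its content is never opened.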

What To Watch

The important editorial point is that this is a South Korea threat-landscape signal, not a claim that the same campaign has already become a global incident. AhnLab ASEC is useful because it shows what local researchers are seeing in their own operating environment. English-language readers should treat that as first-hand regional situational awareness for local operations, subsidiaries, suppliers, managed service providers, partners, and strategic monitoring rather than as a universal incident alert.

For monitoring teams, the first task is to preserve the source boundaries. The source item is titled "2026년 4월 피싱 이메일 동향 보고서", so the article should keep the report's local scope clear while translating the tactics, tooling, affected surfaces, and observed pattern into English. That makes the item useful without overstating victim geography or implying broader impact that the source did not document.

The practical value comes from comparison against internal telemetry. Teams with exposure in South Korea can check whether help-desk tickets, endpoint alerts, mail gateway detections, identity anomalies, blocked downloads, command-line activity, scheduled tasks, or suspicious script execution resemble the behaviors described by the source. A match does not prove attribution, but it can justify deeper triage.

This kind of regional report also helps separate durable monitoring themes from one-off news. If similar malware families, delivery chains, file types, infrastructure choices, or attacker workflows appear across later South Korea sources, the signal becomes stronger. Nogosee should keep those links visible in the tracker so readers can see whether a local report remains isolated or becomes part of a broader pattern.

For organizations in the government, logistics, manufacturing, and energy sectors, the safest next step is not to treat the article as incident-response advice. The useful action is to verify whether the organization has local exposure, identify which logs would show similar behavior, confirm that official source links are retained, and decide whether the report belongs in a watchlist, a detection backlog, or an executive regional-risk brief.

The uncertainty boundary should stay explicit. Public reports often describe observed techniques and malware names without proving every victim profile, infrastructure owner, or campaign objective. When the source does not establish those facts, the article should avoid filling the gap. That restraint is what makes the brief more useful than a generic rewrite: it gives readers a trustworthy map of what is known, what is merely plausible, and what needs direct verification.

Event Type: security
Importance: medium

Affected Sectors

  • energy
  • government
  • logistics
  • manufacturing

Key Numbers

  • Trojan share in phishing email attachments: 47%
  • Phishing payload share in phishing email attachments: 39%
  • Downloader share in phishing email attachments: 10%
  • Month-over-month increase in phishing malware share: from 21% to 39%
  • FakePage malware distribution increase (6-month trend): from 0.7p to 1.1p
  • Most common attachment type in Script category: HTML (11%)

Frequently Asked Questions

What was the most common threat type in phishing email attachments in South Korea in April 2026?

Trojan malware was the most common threat, accounting for 47% of phishing email attachments in April 2026, according to ASEC analysis. These often used double extensions or legitimate file names to trick users into execution.

How did phishing malware prevalence change from March to April 2026 in South Korea?

Phishing malware in email attachments increased significantly from 21% in March to 39% in April 2026, making it the second most prevalent threat after Trojans. This indicates a growing use of credential harvesting via fake login pages in Korean phishing campaigns.

Which industries or themes were commonly spoofed in Korean phishing emails in April 2026?

Phishing emails in South Korea during April 2026 spoofed electronic tax invoices, email account updates, DHL and FedEx logistics notices, new e-receipts, legislative announcements, cargo arrival alerts, payment confirmations, and urgent quotation requests, often targeting government, logistics, and corporate users.
