September 2025 Trends Report on Phishing Emails
This report provides the statistics, trends, and case information on the distribution quantity, attachment-based threats, and phishing emails collected and analyzed for a month in September 2025. Below is a portion of the statistics and cases included in the original report.
1) Statistics of phishing email threats
In September 2025, the most common type of threat among phishing email attachments was trojans (27%). Trojans are malware that prompts users to execute them by using a double extension or a legitimate file name.
Figure 1. Phishing email threat statistics
In addition, data on the distribution changes of samples by category in the past six months are provided, reflecting the recent trends in threats posed by phishing emails. Statistics on the extensions of attachments found in phishing emails are also available, allowing users to identify the file formats used in phishing emails. Users can check these statistics in the original ATIP report.
2) Distribution of Korean emails
Cases that are written in Korean are classified as such, and the title and attachment file name information of the samples are partially disclosed. This allows users to identify the frequently used keyword information in phishing email threats.
Figure 2. Some of the phishing emails distributed in Korean
3) Analysis of phishing email distribution cases
The analysis examined notable cases for each attachment format (Script, Document, Compress), providing a glimpse of the actual phishing email attacks that occurred this month. In addition to phishing pages (FakePage) in the Script attachment format, GuLoader malware strains that use Document attachments were also distributed in phishing emails this month. When the document file is executed, an image is displayed that prompts the user to download additional malware. Once the malware is downloaded and executed, GuLoader is run. Furthermore, there has been a recent increase in cases involving phishing emails that distribute PE files (.exe) compressed in ZIP archives. For additional information such as the C2 address, analysis details, and the phishing email’s body that distributed the malware, please refer to the original ATIP report and ATIP Notes.
Figure 3. Malware distributed as an attachment in Document format
Figure 4. Malware distributed as an attachment in Compress format
This post reveals a part of the September 2025 Trends Report on Phishing Emails. The full ATIP report includes additional information such as the recent distribution trends of phishing (FakePage) and malware, statistics and distribution by attachment file extension, and analysis of actual phishing email attacks.
