October 2025 Trends Report on Phishing Emails
This report provides the statistics, trends, and case information on the distribution of phishing emails and attachment-based threats collected and analyzed for one month in October 2025. Below is a portion of the statistics and cases included in the original report.
1) Statistics of Phishing Email Threats
In October 2025, the most common type of threat among phishing email attachments was Trojans (47%). These are malware that prompt users to execute them by using a double extension or a file name that appears normal.
Figure 1. Phishing email threat statistics
Furthermore, data on the distribution changes of samples by category over the past six months is also provided, reflecting the recent trends in threats posed by phishing emails. Additionally, statistics on the extensions of attachments found in phishing emails are available, allowing users to gain insights into the file formats used in phishing emails. Users can refer to the original ATIP report to check these statistics. These statistics are not covered in this summary.
2) Distribution of Korean phishing emails
Cases that involve Korean text in the email body are classified as Korean. The table below shows the case name, email subject, and attachment file name of each sample. This information can help users identify the frequently used keyword information in phishing email threats.
Figure 2. Some of the phishing emails in Korean
3) Analysis of Phishing Email Distribution Cases
A representative case of each attachment format (Script, Document, Compress) has been analyzed. Through this, users can check the phishing email attack cases that actually occurred this month. This month, there have been phishing emails distributing a phishing page and Remcos RAT malware using a document attachment. When the document file is executed, an OLE object inside the file downloads additional malware, and when this malware is executed, the Remcos RAT malware is run. There has also been an increase in cases where JS files are compressed in RAR and distributed as phishing emails. Additional information such as the C2 URL and analysis information, as well as the body of the phishing email that distributed the malware, can be found in the original ATIP report and ATIP Notes.
Figure 3. Malware distributed as an attachment in Document format
Figure 4. Malware distributed as an attachment in Compress format
This post has shared some of the October 2025 Phishing Email Trends Report. The full ATIP report includes additional information such as the recent distribution trends of phishing (FakePage) and malware, statistics on the distribution of attachments by file extension, and analysis of actual phishing email attacks.
