Statistics on Attachment Threats Types

---

• in February 2026, the highest percentage of phishing email attachment threats is FakePage (42%).
• threat actors sophisticatedly mimic login pages and advertisement pages with HTML and other scripts to trick users into entering data and sending it to a C2 server or to a fake site.
• another popular method is to embed hyperlinks in documents (such as PDFs) to lead to phishing sites.

Attachment file extension statistics

---

• attachment formats are categorized as Script, Document, Compress, etc.
• this month, malware distribution through JS execution inside double compression (Compress) was confirmed along with Script-based FakePage.
• when executing JS inside a compressed file, it was observed that it was injected into the legitimate process Aspnet_compiler.exe and finally executed Remcos RAT.

List of phishing emails distributed in Korean

---

• samples of phishing emails written in Korean have been categorized separately and some of the subject lines and attachment names have been made public.
• through the published samples, frequently used Korean keywords and social engineering phrase patterns can be identified.
• the Korean-language targeting suggests the persistence of phishing activity targeting domestic users and organizations.

Indicators of Compromise (IoC)

---

• key indicators observed include C2 addresses, JS files in compressed files, fake page HTML files, and malicious hyperlinks in PDFs.
• aspnet_compiler.exe and its final payload, Remcos RAT, were identified as malicious process injection targets.
• detailed domain, IP, file name patterns, and other IoC information is available in the full ATIP report and ATIP Notes.

MD5

04f4537b1f73eeacae2eb8faf7cbf993

074a9624ec5680cbd230315076222430

15c4ae18d069174186fc03a61c2b51e5

1aa04f395aaa12484b509fa3f1731bcb

1f8715d769b879769fa4c65a2c9a9467