April 2026 Phishing Email Trends Report

Statistics on Attachment Threat Types


In April 2026, the most common threat in phishing email attachments was Trojan (47%). This type was distributed by disguising itself with a double extension or a legitimate file name to trick the user into executing it and installing malware on the system. Trojans continued to spread through multiple variants and social engineering techniques.

The second most common threat type was phishing (39%). HTML scripts mimic login pages or advertising pages to trick users into entering account information, which is then sent to the threat actor’s servers, or the user is redirected to a fake site. Techniques such as inserting hyperlinks into PDF documents to lead to phishing sites were also identified.

The third was Downloader (10%), which downloads additional malware from the C2 server after execution. Other types identified were Dropper (2%), Infostealer (2%), Information Theft (2%), and Exploit (1%). Compared to the previous month, the share of phishing malware increased significantly, from 21% to 39%, and overall, it was found to be distributed in large quantities.

Statistics on Attachment Extensions


In the Script category, HTML (11%) was the most common, followed by SHTML (4%). In the Compress category, ZIP (25%) was the most common, followed by RAR (8%), 7Z (6%), GZ (3%), and TAR (2%). In the Document category, PDF (17%) was the most common, followed by XLS (5%) and DOCX (4%).

On a six-month basis, FakePage (malicious files in the form of phishing pages) increased from 0.7p in March to 1.1p this month. On the other hand, Script-type malware saw a significant decrease in quantity distributed, while Trojans saw a slight increase. Dropper and Downloader decreased slightly, Compress remained unchanged, and Document decreased slightly.

List of phishing emails circulating in Korean


Phishing emails were circulated under subject lines such as electronic tax invoice, email account update, DHL on-demand delivery, DHL Korea Shipment Confirmation, FedEx customs clearance notification, new electronic receipt, new bill arrival, import cargo arrival notice, payment completion notice, urgent quote request, and unit price increase. The attachments were identified as NTSeTaxInvoice.html, AWB-Ref#01047933.pdf.html, DOC122812.pdf, FB190937040108012PINQ2026043.Html, DISBURSEMENT FORM.htm, Invoice & BL.html, etc.

In the Script type case, the email impersonated the Ministry of Unification and induced account authentication for an email platform upgrade; clicking the hyperlink led to a phishing page (FakePage) that induced the user to enter login information. After the infection, login information was leaked and the C2 was presented as hxxps://www.seety.it/crinity/unikorea.go.kr/save[.]php.

In the Document type case, the email impersonated a Korean manufacturing company, “Yujin Technology”, and induced users to open a PDF to check the unit price increase. After the infection, login information was leaked and the C2 was presented as hxxps://fkp.su/Page/info[.]php.

In the Compress type case, the email impersonated “Hyundai E&F”, an oil company in Korea, and induced users to decompress and execute a PDF to check a quote. After the infection, the information was leaked and the Mail Server was identified as hosting2.ro.hostsailor[.]com:587, the ID as sales@rollmann[.]in, and the Email To as zamanic62@gmail[.]com.
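
As an added illustration (not code from this report or its authors), the following sketch triages mail attachments for two patterns described above: double extensions such as .pdf.html, and HTML attachments whose login form posts a password field to a remote server. The extension lists, flag names, and the collector.example.invalid URL are assumptions; the attachment file names are taken from the list above.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed extension lists for illustration; tune them to local mail policy.
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
MARKUP = {"html", "htm", "shtml"}
ACTIVE = MARKUP | {"exe", "scr", "js", "vbs", "lnk", "bat", "cmd"}

class FormScan(HTMLParser):  # collects <form action> targets, notes password inputs
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        self.has_password |= tag == "input" and (a.get("type") or "").lower() == "password"

def name_flags(filename):
    """Flag decoy.active double extensions and HTML-family attachments."""
    parts = filename.lower().rsplit(".", 2)
    flags = []
    if len(parts) == 3 and parts[1] in DECOY and parts[2] in ACTIVE:
        flags.append("double-extension")
    if len(parts) > 1 and parts[-1] in MARKUP:
        flags.append("markup-attachment")
    return flags

def triage(msg):
    """Return {attachment filename: [flags]} for a parsed EmailMessage."""
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        flags = report[name] = name_flags(name)
        if "markup-attachment" in flags:
            scan = FormScan()
            scan.feed(part.get_content())
            if scan.has_password and any(re.match(r"https?://", u, re.I) for u in scan.actions):
                flags.append("remote-credential-form")
    return report

def sample_message():
    """Constructed sample: file names from the report, placeholder body and URL."""
    msg = EmailMessage()
    msg.set_content("See attachment.")
    page = '<form action="https://collector.example.invalid/save.php"><input type="password"></form>'
    msg.add_attachment(page, subtype="html", filename="AWB-Ref#01047933.pdf.html")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="DOC122812.pdf")
    return msg
```

Calling triage(sample_message()) flags the .pdf.html attachment on all three checks and leaves the plain PDF unflagged; a PDF that carries a phishing hyperlink needs separate link extraction, which this sketch does not cover.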

Indicators of Compromise (IoC)


The top 30 MD5s with the highest detection quantity among the collected malicious files are presented.

MD5

022ee27cd9682ad9163481c8475c2cf6
0d94615194b814b339a4ff6624eca249
2461f930c410d16f2baa5ce89981a618
2d7006c5e2ed453c8161ade575818770
32b14cf420cbbff0f9c9f6372d8e0aa3