Security Issues in the Korean & Global Financial Sector in May 2026

Statistics on Malware Distributed to the Financial Sector

  • In Attack Stage 1 targeting the financial sector in May 2026, phishing had the highest score at 2.3. This is the highest figure since December 2025, indicating that initial breach attempts are increasingly centered on phishing.
  • In Attack Stage 2, Dropper/Downloader had the highest rate at 1.4, while Backdoor rose to 1.0 from 0.5 the previous month.
  • In Attack Stage 3, Infostealer was the most prevalent at 0.3, while Ransomware and CoinMiner stood at 0.2 and 0.1, respectively.
  • By type, phishing accounted for the largest share at 38.0%; the top three types (phishing, downloader at 17.6%, and backdoor at 16.7%) together made up approximately 72% of the total.
  • HTML (23.8%), PDF (13.0%), and XLS (7.1%) stood out among malicious attachments, and threats were concentrated on a small number of file extensions: html (25.0%), PDF (14.2%), JS (9.4%), and XLS (8.5%).
  • A large number of script-based extensions (js, hta, vbs, bat, ps1, and cmd) were identified, indicating active script execution and abuse of LOLBins (living-off-the-land binaries).

Statistics on the Industries of Korean Accounts Exfiltrated via Telegram

  • Information on Korean (domestic) accounts leaked to threat actors through the Telegram API was confirmed.
  • Cases were identified in which account information collected through malware infections and phishing emails was leaked to Telegram chat rooms.
  • In May, Korean financial-sector accounts leaked via Telegram accounted for 3% of the total.

Major Deep Web & Dark Web Issues in the Financial Sector

Database Leakage Threats

  • Database leaks have emerged as a major form of cybercrime.
  • Leaked data can serve as a foundation for identity theft, targeted phishing attacks, and ransomware attacks.

Database Leakage Cases

  • In a case involving icbc.com.cn, data from the Industrial and Commercial Bank of China was sold on Hasan’s BreachForums. JAX7 claimed to have leaked ID numbers, social credit codes, and bank account information.
  • In the case involving bb.com.br, data from Banco do Brasil S.A. was sold on Hasan’s BreachForums. Xyph0rix explained that the data included personal information such as names, email addresses, addresses, and phone numbers, as well as financial information.
  • In the allianz.com incident, internal Docker images from Allianz SE were shared on PwnForums. hackformetome claimed to have released approximately 500 Docker images, totaling about 40 GB of data.

Ransomware Breach Threats

  • Ransomware has emerged as a major attack vector threatening the financial sector.
  • The "double extortion" strategy, in which attackers steal data and then threaten to leak it, was also noted.

Ransomware Infection Incidents

  • Everest posted details of the tsys.com breach on its DLS (dedicated leak site). It claimed the data included archives collected from the TSYS client environment, as well as various technical and operational data.
  • Everest also posted details of the fiserv.com breach. It claimed the data included bank statement PDFs, configuration files, logs, account files, and check images.
  • APT73 (Eraleig) claimed to have obtained approximately 10,000 files, including internal documents and financial reports related to grupopetersen.com.ar.

Threats Involving the Sale of Access Credentials

  • Cases of access credentials to corporate accounts being offered for sale are on the rise.
  • On Hasan’s BreachForums, GlobalProtect VPN administrator access credentials for a financial institution under Indonesia’s Ministry of State-Owned Enterprises were put up for sale.

Credit Card Data Breach Threats

  • Credit card data breaches have emerged as a key method of financial crime.
  • Stolen card information can be exploited for secondary crimes such as unauthorized transactions, counterfeit card production, and identity theft.

Credit Card Breach Cases

  • Credit card databases related to synchrony.com and capitalone.com were sold on DarkForums.
  • LeakBase claimed the database contained approximately 500,000 credit card records, including card numbers, CVV codes, expiration dates, and SSNs.
  • As of now, neither an actual breach nor the authenticity of the data has been confirmed.