April 2026 Phishing Email Trends Report

Key points

  • Trojan attachments were the most common threat type at 47% and were often disguised with double extensions or legitimate-looking filenames.
  • Phishing was the second most common category at 39%, with HTML pages designed to mimic login or advertising pages.
  • Attackers used PDF documents with embedded hyperlinks to redirect victims to phishing sites and collect credentials.
  • Downloader files accounted for 10% and were used to fetch additional malware from C2 servers after execution.
  • Over the six-month period, FakePage activity increased, script-type malware declined, and Trojans increased slightly.
  • Campaigns impersonated entities such as the Ministry of Unification, Yujin Technology, and Hyundai E&F to lure victims into opening attachments or entering credentials.
  • The article lists many malicious attachment names, C2 endpoints, email-related artifacts, and a top-30 set of MD5 hashes tied to the collected samples.

MITRE Techniques

  • [T1036] Masquerading – Used fake or legitimate-looking filenames and double extensions to deceive users into opening malicious files. (‘disguising itself with a double extension or a legitimate file name’)
  • [T1566.001] Phishing: Spearphishing Attachment – Delivered malicious content through email attachments such as HTML, PDF, DOCX, and archives. (‘phishing email attachments’)
  • [T1566.002] Phishing: Spearphishing Link – Embedded hyperlinks in documents to send victims to phishing sites. (‘inserting hyperlinks into PDF documents to lead to phishing sites’)
  • [T1189] Drive-by Compromise – Used phishing pages that mimicked login or advertising pages to capture entered credentials. (‘HTML scripts mimic login pages or advertising pages’)
  • [T1056.001] Input Capture: Keylogging – Stolen login information entered on fake pages was captured and leaked to attacker infrastructure. (‘login information was leaked’)
  • [T1105] Ingress Tool Transfer – Downloaded additional malware from the C2 server after the initial payload executed. (‘downloaded additional malware from the C2 server after execution’)
  • [T1204.002] User Execution: Malicious File – Relied on the user opening attachments or clicking links to trigger infection. (‘trick the user into executing it’)

Indicators of Compromise

  • [File hashes (MD5)] Malicious samples with highest detection counts – 38c62aa85d5a56e30a51dea42ab25b6d, e8e8d8a3f9a9e92282b1a2b660843a4a, and 2461f930c410d16f2baa5ce89981a618
  • [File names] Malicious attachments and lures – NTSeTaxInvoice.html, AWB-Ref#01047933.pdf.html, and DOC122812.pdf
  • [File names] More attachment examples – FB190937040108012PINQ2026043.Html, DISBURSEMENT FORM.htm, and Invoice & BL.html
  • [Domains / URLs] C2 and phishing infrastructure – www.seety.it/crinity/unikorea.go.kr/save[.]php, fkp.su/Page/info[.]php
  • [Email server / credentials] Mail server and email artifacts used in the campaign – hosting2.ro.hostsailor[.]com:587, sales@rollmann[.]in, and zamanic62@gmail[.]com
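As an added defender-side example (not code from the ASEC report), the following Python triages attachment filenames for the patterns described above: double extensions such as .pdf.html, HTML attachments that can render a cloned login page, PDFs used as link carriers, and the financial lure words seen in the listed names. The extension sets and keyword list are assumptions chosen to fit this page's examples, not a published AhnLab rule, and the check generalises beyond the report's names to any document-then-active extension pair.

```python
# Extensions that lure files imitate (document/image types the user expects)...
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# ...and the active types actually delivered behind them (assumed set).
ACTIVE_EXTS = {"html", "htm", "js", "vbs", "exe", "scr", "lnk", "bat", "hta"}
# Business-themed words from the report's lure names (heuristic substring match).
LURE_WORDS = ("invoice", "disbursement", "payment", "awb", "tax")


def classify_attachment(filename: str) -> list[str]:
    """Return a list of findings for one attachment name; empty means no flag."""
    findings = []
    name = filename.strip().lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # T1036: "file.pdf.html" shows a document extension first so the user
    # expects a PDF, but the mail client opens it by its real (last) extension.
    if len(parts) >= 3 and parts[-2] in LURE_EXTS and ext in ACTIVE_EXTS:
        findings.append(f"double extension: shown as .{parts[-2]}, opens as .{ext}")

    # HTML/HTM attachments can render a cloned login page locally and post
    # typed credentials to attacker infrastructure.
    if ext in ("html", "htm"):
        findings.append("html attachment: possible credential-harvesting page")

    # PDFs are used as link carriers; flag them for hyperlink inspection.
    if ext == "pdf":
        findings.append("pdf attachment: inspect embedded hyperlinks")

    if any(word in name for word in LURE_WORDS):
        findings.append("financial lure keyword in filename")
    return findings


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Classify each name and keep only those with at least one finding."""
    result = {}
    for fn in filenames:
        findings = classify_attachment(fn)
        if findings:
            result[fn] = findings
    return result


if __name__ == "__main__":
    # Constructed sample: names from the report plus one benign control file.
    sample = ["AWB-Ref#01047933.pdf.html", "DOC122812.pdf", "NTSeTaxInvoice.html",
              "DISBURSEMENT FORM.htm", "quarterly_report.docx"]
    for name, findings in triage(sample).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```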

Read more: https://asec.ahnlab.com/en/93706/