In August 2025 phishing-themed attachments accounted for 63% of threats, with actors using HTML scripts, embedded hyperlinks in documents, and compressed executables to harvest credentials or deliver malware. Exploit-based documents (CVE-2017-11882) deploying Purecrypter and ZIP-distributed PE files were observed, along with C2 communications and credential-stealing fake pages. #Purecrypter #CVE-2017-11882
Keypoints
- Phishing accounted for 63% of attachment-based threats in August 2025, often using HTML scripts to mimic legitimate login or promotional pages.
- Phishing campaigns embed hyperlinks in document and PDF attachments to redirect victims to attacker-controlled phishing websites.
- Exploit-laden document attachments abused the Equation Editor vulnerability CVE-2017-11882 to execute Purecrypter malware.
- Compressed archives (ZIP) increasingly contained PE executables (.exe) used to distribute malware via phishing emails.
- Korean-language phishing emails were observed; the report lists common subject lines and attachment filenames to aid detection.
- The report provides six-month distribution trends and attachment-extension statistics to track evolving phishing tactics.
- Additional technical details such as C2 addresses, full email bodies, and deeper analysis are available in the original ATIP report and ATIP Notes.
MITRE Techniques
- [T1204] User Execution – Phishing attachments (documents, scripts, compressed executables) rely on users opening files or enabling content to trigger credential theft or malware execution. Quote: ‘Users are then prompted to enter their account credentials, which are then sent to the threat actor’s C2 server or used to redirect the victims to fake websites.’
- [T1566] Phishing – Attackers use HTML scripts and embedded hyperlinks in documents and PDFs to create fake login/promotional pages and redirect victims to phishing websites. Quote: ‘Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of legitimate login pages and promotional pages.’
- [T1203] Exploitation for Client Execution – Documents exploited the Equation Editor vulnerability (CVE-2017-11882) to execute Purecrypter. Quote: ‘When the document file is executed, the Purecrypter malware is executed through the Equation Editor EQNEDT32.EXE vulnerability (CVE-2017-11882).’
- [T1105] Ingress Tool Transfer – Compressed ZIP archives delivered PE files (.exe) that are extracted and executed on victim hosts. Quote: ‘cases of PE files (.exe) being compressed in ZIP and distributed through phishing emails are also increasing.’
- [T1071] Application Layer Protocol – Stolen credentials and malware communicate with command-and-control servers (C2) to exfiltrate data or receive commands. Quote: ‘account credentials… are then sent to the threat actor’s C2 server’
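The three attachment patterns in the key points and technique list above (HTML files that mimic login pages, ZIP archives carrying PE executables, and the hashed samples in the IoC list) can be screened at the mail gateway before a user ever opens them. The following attachment-triage script is an added example, not code from the report or from AhnLab: it checks each attachment's MD5 against the two hashes the report lists in full, recognises PE files by their MZ header inside ZIP archives regardless of the claimed extension, and flags HTML attachments containing a password field that posts to an absolute URL. The heuristics, the sample attachments and the host `phish.invalid` are constructed for the example.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

# The two MD5 hashes the report's IoC list gives in full.
KNOWN_BAD_MD5 = {
    "02b1c04c215d6a9a0568a25e95e14d90",
    "0f3abc5fbbb1bc8173070c0a2caf633f",
}

# Assumed heuristics for the HTML credential-harvesting pages the report
# describes: a password input plus a form that posts to an absolute URL.
PASSWORD_FIELD = re.compile(rb'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(rb'<form[^>]+action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def triage_attachment(name: str, data: bytes) -> list:
    """Return the findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        findings.append(f"hash-match:{md5}")

    # A PE file is recognised by its MZ header, whatever extension it claims.
    if data[:2] == b"MZ":
        findings.append("pe-executable")

    # ZIP archive (local file header PK\x03\x04): inspect every member for a PE
    # payload, the ".exe compressed in ZIP" pattern the report says is increasing.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = zf.read(info)
                    if member[:2] == b"MZ" or info.filename.lower().endswith(".exe"):
                        findings.append(f"zip-contains-pe:{info.filename}")
        except (zipfile.BadZipFile, RuntimeError):
            # Truncated, corrupt or encrypted archives cannot be inspected; flag for review.
            findings.append("zip-unreadable")

    # HTML attachment: flag a login-style form that sends credentials to an external host.
    looks_html = name.lower().endswith((".html", ".htm")) or data.lstrip()[:1] == b"<"
    if looks_html and PASSWORD_FIELD.search(data):
        action = FORM_ACTION.search(data)
        host = urlparse(action.group(1).decode("ascii", "replace")).hostname if action else "unknown"
        findings.append(f"html-credential-form:{host}")

    return findings


def triage_all(attachments: dict) -> dict:
    """Run triage over a {filename: bytes} mapping and return {filename: findings}."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}; used only to construct the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments (not from the report). phish.invalid is a placeholder
# on a reserved TLD; the "PE" member is just an MZ header followed by padding.
SAMPLE_ATTACHMENTS = {
    "invoice.zip": build_zip({"invoice.pdf.exe": b"MZ" + b"\x00" * 64}),
    "login.html": (
        b'<html><body><form method="post" action="http://phish.invalid/login">'
        b'<input type="text" name="user"><input type="password" name="pass">'
        b'</form></body></html>'
    ),
    "notes.txt": b"Meeting notes for Monday.",
}

if __name__ == "__main__":
    for filename, findings in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{filename}: {findings or 'clean'}")
```

Running the script flags `invoice.zip` for the embedded PE and `login.html` for the credential form, and leaves `notes.txt` clean. Magic-byte checks are deliberately preferred over file extensions, because a renamed or double-extension executable (`invoice.pdf.exe`) still starts with `MZ`. A gateway deployment would extend `KNOWN_BAD_MD5` with the remaining hashes from the full report and would treat `zip-unreadable` (encrypted or corrupt archives) as a hold-for-review condition rather than a pass.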
Indicators of Compromise
- [File Hash] MD5 hashes of malware samples observed – 02b1c04c215d6a9a0568a25e95e14d90, 0f3abc5fbbb1bc8173070c0a2caf633f, and 3 more hashes.
- [Vulnerability] Exploit targeting – CVE-2017-11882 used in malicious documents to deploy Purecrypter.
- [File Type / Name] Attachment types and filenames used in campaigns – document attachments exploiting the Equation Editor (EQNEDT32.EXE) vulnerability and ZIP archives containing .exe files (examples described in the report).
Read more: https://asec.ahnlab.com/en/90158/