The December 2025 ATIP phishing email trend report found phishing accounted for 91% of threats, with attackers using HTML scripts, embedded hyperlinks, and attachments to harvest credentials and distribute malware. Document attachments delivered Remcos RAT via embedded download links and EXE files compressed in RAR archives were increasingly observed in phishing emails. #Remcos #ATIP
Keypoints
- Phishing comprised 91% of phishing-email threats in December 2025.
- Attackers used HTML scripts to mimic login and advertising pages to prompt credential entry.
- Hyperlinks embedded in documents (e.g., PDFs) redirected users to phishing websites.
- Remcos RAT was distributed via Document attachments that contained download links to additional malware (C2).
- There was an increase in EXE files compressed in RAR archives being delivered as phishing email attachments.
- The report includes distribution data by attachment extension, Korean-language sample listings, and MD5 hashes; full details are in the original ATIP report.
MITRE Techniques
- [T1566 ] Phishing β Attackers sent deceptive emails to harvest credentials and deliver malware (βIn December 2025, the most common type of threat among phishing emails was phishing (91%).β)
- [T1566.002 ] Phishing: Link β Hyperlinks were inserted into documents to direct users to phishing websites (βThis type of phishing also involves inserting hyperlinks into documents such as PDFs to direct users to phishing websites created by threat actors.β)
- [T1566.001 ] Phishing: Attachment β Phishing pages and malware were distributed as attachments, including Script and Document formats (βThis month, not only were phishing pages (FakePage) attached in Script format, but Remcos RAT malware was also distributed via phishing emails using Document attachments.β)
- [T1204 ] User Execution β Users executing document files triggered internal hyperlinks that downloaded additional malware (βWhen the document file is executed, a hyperlink that downloads additional malware (C2) is present internally.β)
- [T1105 ] Ingress Tool Transfer β Documents and hyperlinks were used to download additional malware (C2) to victim systems (βWhen the document file is executed, a hyperlink that downloads additional malware (C2) is present internally.β)
- [T1071 ] Application Layer Protocol β Stolen credentials and malware communications were sent to a command-and-control server (βaccount credentials, which were then sent to the threat actorβs C2 serverβ)
Indicators of Compromise
- [MD5 ] list of malware samples analyzed β 04d09be433851b99f455030c4c2dcaab, 0d20c89f08e061f9883cc159d92ee52b, and 3 more hashes
- [Attachment types ] formats used to deliver attacks β Script (FakePage), Document (Remcos RAT via embedded download link), Compress (RAR containing EXE)
- [Hyperlinks / URLs ] used to redirect victims and download malware β used in PDFs/documents to direct users to phishing sites and to download C2 payloads (no specific URLs provided)
- [Korean-language email subjects/attachment names ] partial listings provided for keyword identification β report notes distribution of Korean-language samples (specific subject lines/filenames not reproduced in summary)
- [C2 addresses ] referenced as destinations for credentials and malware callbacks β C2 address information referenced for cases (no explicit C2 addresses included in this summary)
Read more: https://asec.ahnlab.com/en/91944/