April 2026 Threat Trend Report on APT Attacks (South Korea)
ID: e71271ef-847b-5885-86ba-a5b3cc98ec48
STIX ID: report--e71271ef-847b-5885-86ba-a5b3cc98ec48
Feed Name: ASEC
AhnLab observed an APT campaign in Korea (April 2026) that used spear-phishing to distribute LNK-embedded PowerShell/HEX loaders, curl-based downloaders, AutoIt scripts, HTA loaders, VBS/BAT/Python backdoors and infostealers. Attackers achieved persistence via Task Scheduler, used PubNub and GitHub/Drive-hosted artifacts for C2 and payload delivery, and exfiltrated system and credential-related data. The report lists MD5 hashes, malicious URLs, and detection names, and recommends patching and caution with email attachments.
