February 2026 APT Attack Trends Report (South Korea)

AhnLab observed a February 2026 domestic APT campaign that primarily used spear‑phishing LNK/CHM attachments to execute PowerShell or curl-based downloaders which retrieve malicious HTA/AutoIt payloads. The actors established persistence via Task Scheduler, deployed Infostealers, keyloggers, and a memory-resident backdoor to exfiltrate system and cryptocurrency-related data; the report includes sample filenames, MD5 hashes, URLs, and IP indicators.