{ "Event": { "analysis": "1", "date": "2026-04-22", "extends_uuid": "", "info": "[Threat Intel] March 2026 Phishing Email Trends Report", "protected": false, "publish_timestamp": "1779544355", "published": true, "threat_level_id": "3", "timestamp": "1779544354", "uuid": "3ea9b15f-370f-4a51-be7f-f77dfaf19ec0", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#bb889f", "local": false, "name": "misp-galaxy:producer=\"AhnLab\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#177fb7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#77a4ec", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"", "relationship_type": "" }, { "colour": "#110e53", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#e1210d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#e2a873", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steganography - T1027.003\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#98f3da", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#5884a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#150050", "local": false, "name": "rectifyq:sub-category=\"report\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Agent Tesla\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Remcos\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"South Korea\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776855623", "to_ids": false, "type": "link", "uuid": "31de3cd9-c75e-444d-ac16-853f5335b6d6", "value": "https://asec.ahnlab.com/en/93465/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776855623", "to_ids": false, "type": "text", "uuid": "aa0158fd-0645-41ff-b485-7b26891d309a", "value": "In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776855623", "to_ids": false, "type": "text", "uuid": "67e32d05-56ad-4ab9-9129-7d1fbbb8be0a", "value": "Name: March 2026 Phishing Email Trends Report\nAuthor: AlienVault\nAdversary: \nTags: [\"agenttesla\", \"phishing email\", \"trojan campaigns\", \"fake invoices\", \"remcosrat\", \"script-based attacks\", \"credential theft\", \"html phishing\"]\nTgtd countries: []\nMlwr families: [\"AgentTesla\", \"RemcosRAT\"]\nAttack_ids: [\"T1218.011\", \"T1056.001\", \"T1059.007\", \"T1114\", \"T1071.004\", \"T1204.002\", \"T1566.002\", \"T1566.001\", \"T1106\", \"T1140\", \"T1553.005\", \"T1041\", \"T1566\", \"T1573\", \"T1027.003\", \"T1071.001\", \"T1059.005\", \"T1105\", \"T1204.001\"]\nIndustries: [\"Finance\"]" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777215445", "to_ids": true, "type": "hostname", "uuid": "6d54c69e-1121-4fc7-be85-2a9a4a64d9af", "value": "controller.airdns.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:26/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544349", "to_ids": true, "type": "md5", "uuid": "fb63a528-301e-4682-906f-eeeb4330033e", "value": "06dc18771404694814d6a430bb65d1a3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:26/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544351", "to_ids": true, "type": "md5", "uuid": "fa16f321-cc41-4ed5-adf3-6849591d9bf1", "value": "0a18f61e8d8e9873cdda4b3b6785d7ad", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:26/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544352", "to_ids": true, "type": "md5", "uuid": "1f2cc563-980d-4aea-b766-6fd2718b99d7", "value": "0d15bf48b73de307eff29f07a6e6d55b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:26/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544354", "to_ids": true, "type": "md5", "uuid": "1110c7ca-9156-4964-81be-fc63915720db", "value": "0e9bd0c9991b21b13eddb518dee0eecf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777215466", "to_ids": true, "type": "hostname", "uuid": "6d7ee07a-d08d-49ed-8b4e-54441ae4b2af", "value": "ccp11nl.hyperhost.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544347", "uuid": "5c490c6a-ef29-4296-aa9a-e5d7b3942c45", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544346", "to_ids": true, "type": "md5", "uuid": "e9987815-e1d8-4885-98ec-bdd4d7c6fd6b", "value": "0a15c9a545fbf78d77f8c130a3b0f840", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544347", "to_ids": true, "type": "sha1", "uuid": "3dae37a3-5266-45e4-90f8-d365b2f72f39", "value": "9fca32bd6290f57fd40781c1320d28e9d4b924ee", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544347", "to_ids": true, "type": "sha256", "uuid": "da3caa6d-738c-4332-8082-0bbb301dfd77", "value": "18953b6fae75aeaa8c7d04239771c4a36a07bbf16a6dd2beb51d9dc01292b097", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213137", "to_ids": true, "type": "ssdeep", "uuid": "330f87ee-305c-4f67-a321-80c1d849ae73", "value": "3072:aZRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR//nnnVPYo7sQ6PJVmwfoDsxFScc8i:az/nnn7+lfrtFi" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213137", "to_ids": false, "type": "size-in-bytes", "uuid": "42a23f71-78f9-4f90-a273-701f8da05db5", "value": "105235" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213137", "to_ids": true, "type": "vhash", "uuid": "bcbe3ab0-bd83-43da-988e-858af3681c5d", "value": "96cbf61c36f54838017da7ee1ef2fc080" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213137", "to_ids": true, "type": "filename", "uuid": "1bdf698e-a7df-4a7b-884b-8ac7e06a7d1b", "value": "Compensation Adjustment Notice.pdf" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 26/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213137", "to_ids": false, "type": "text", "uuid": "af292bb6-ba92-44e5-9b76-0ca322c10409", "value": "Type Description: PDF\nMicrosoft: None\nVT Total Detection:9/63\nFirst Submission:2026-03-20T12:56:51.000000+00:00\nLast Submission:2026-03-31T11:56:32.000000+00:00" } ] } ] } }