Emerging Threats

ThreatLabz May 2022 Report: Annual phishing study finds over four-fold jump in phishing attacks in ‘21 for retail, Lazarus APT hits South Korea, AsyncRAT targets travelers, and PrivateLoader deep dive

May 27, 2022
ThreatLabz May 2022 Report

In April, ThreatLabz released a tome covering a full year’s worth of phishing data from the Zscaler cloud; correlated a campaign with Lazarus Group, a sophisticated North Korean APT operation; uncovered a remote access trojan, AsyncRat, targeting travelers visiting Thailand; and, examined the PrivateLoader downloader malware family.    

2022 Zscaler ThreatLabz State of Phishing Report

If you have not downloaded the industry report, now is a great time to do it. ThreatLabz examined a year’s worth of global phishing data from the Zscaler cloud to identify key trends, industries and geographies at risk, and emerging tactics. The result is 40 pages of findings, best practices, and guidance on how to better identify and protect yourself against phishing attacks. 

Phishing is increasingly used by adversaries who are getting craftier along with the new attackers joining their ranks due to pre-built phishing kits available on the darknet. Among the report findings, cybersecurity professionals in Singapore and Russia contended with a disproportionate onslaught of such attacks followed by France and the UK.     

"Phishing by industry"
Figure 1: Percent change in phishing attacks between 2020 and 2021 by industry

Key findings

  • Phishing attacks rose 29% in 2021 compared to 2020.
  • Microsoft, Telegram, Amazon, OneDrive, and Paypal topped the growing list of targeted brands.
  • The United States, Singapore, Germany, Netherlands, and the United Kingdom were the top five most targeted countries.
  • Retail and wholesale were the most targeted industries, experiencing the highest increase in phishing attacks at +436%.
  • “Phishing-as-a-service” has contributed greatly to the growth of phishing, offering a marketplace of pre-built tools that reduce technical barriers to entry for criminals.
  • Emerging phishing vectors such as SMS phishing are increasing faster than phishing overall as end users become more wary of suspicious emails.
  • Attackers continue to capitalize on the news cycle. COVID-19 and crypto-themed phishing attacks were prevalent throughout 2021.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more about the 2022 ThreatLabz Phishing Report 

Lazarus Group APT targets South Koreans 

ThreatLabz recently attributed with a high-confidence level a sophisticated campaign with evolving TTPs that reused critical parts of infrastructure known to be connected with the Lazarus Group, a cybercrime group run by the North Korean state. The team shared the technical details of the attack chains and how they correlated the threat actor to Lazarus.

"Attack Flow"
Figure 2. Three unique attack chains used email to distribute malware 


ThreatLabz discovered that at least one of the IP addresses (222.112.127[.]9) used by the threat actor to log in to the attacker-controlled Dropbox accounts was also used to send spear phishing emails to the victims in South Korea. Spear phishing emails leveraged social engineering tricks such as clicking on password-protected files themed around cryptocurrency investments. By correlating C2 IP addresses, attacker-controlled Dropbox accounts’ registrant email addresses, C2 domains’ registrant email addresses, and other data points, the team concluded that the attack chains were connected to the Lazarus threat actor. 

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Learn more about Lazarus APT, including a threat attribution analysis

AsyncRAT Trojan ruins travel plans for Thailand Pass 

Travel doesn’t always go as planned, especially for victims duped by a spoofed version of the Thailand Pass website. In April, ThreatLabz discovered a malware campaign targeting users applying for Thailand travel passes. Many of the attacks concluded with the payload AsyncRAT, a remote access trojan that can remotely monitor and control other computers through a secure, encrypted connection. The flowchart below depicts the complete execution of the malware campaign:

Figure 3. Thailand Pass campaign delivering AsyncRAT.


The ThreatLabz team provides a deep analysis of the malware campaign related to the attacks including malicious URLs, ISO files, the content of the vbs file, compromised AV service, payload execution, and more. 

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more about Thailand Pass and AsyncRAT

PrivateLoader an active distributor for crimeware and malware families

PrivateLoader is a downloader malware family whose primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service. Last month, ThreatLabz team shared technical analysis of the PrivateLoader and how it’s being leveraged by multiple threat actors to “distribute ransomware, information stealers, banking trojans, downloaders, and other commodity malware.”


"Zscaler Cloud Sandbox"
Figure 4: Zscaler Advanced Cloud Sandbox blocking an in-the-wild PrivateLoader payload


Expect PrivateLoader to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Learn more about PrivateLoader

About ThreatLabz

ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

What to read next 

ThreatLabz April 2022 Report: Conti attacks, BlackGuard sells, Spring springs a leak, and FFDroider gets social

ThreatLabz March 2022 Report: Everything to know about the Okta breach, cyberattacks stemming from the Russia-Ukraine conflict

ThreatLabZ February 2022 Report: Molerats APT attacks, Formbook rebrands as Xloader, and repelling Log4j threats with Zero Trust