Author

Kahng An

Cyber Threat Intelligence Analyst II

Kahng An is a member of the Intelligence team at Cofense, specializing in malware analysis ranging from repurposed legitimate tools to novel, unanalyzed samples. Outside of active malware threat analysis, Kahng is also responsible for greater threat actor campaign trend analysis. Prior to threat intelligence work at Cofense, Kahng worked in incident response (primarily focusing on ransomware incident response and threat hunting) and performed malware analysis on ransomware encryptors and custom remote access trojans.

Articles By Kahng An

6 posts

June 3, 2026

Embedded Threats: How Attackers Weaponize Legitimate Emails

Threat actors are increasingly weaponizing legitimate business emails by embedding malicious links, phone scams, and spoofed branding into customizable text fields on trusted platforms like Zoom. This Cofense Intelligence report explains how these attacks bypass traditional email security controls such as DMARC, DKIM, and SPF, and highlights why contextual threat intelligence and user awareness training are critical to detecting these highly convincing phishing campaigns.

April 9, 2026

From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud

This blog describes a phishing campaign that impersonates the IRS and Elon Musk to lure victims with a fake $5000 tax refund, ultimately redirecting them to credential harvesting websites. After submitting personal information, victims are funneled into a fraudulent cryptocurrency platform that requests additional sensitive data, including bank details and photo ID, under the guise of processing the refund.

March 11, 2026

Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials

Telegram is a free, online instant messenger platform that is also commonly abused by threat actors for a wide range of malicious activities. One of Telegram’s notable features is its extensive collection of web APIs, one of which is used to interact with automated bot accounts.

February 25, 2026

Abusing Windows File Explorer and WebDAV for Malware Delivery

Cofense Intelligence has identified a growing tactic in which threat actors abuse Windows File Explorer and WebDAV to deliver malware outside of traditional browser-based downloads. By leveraging URL and LNK shortcut files along with Cloudflare Tunnel infrastructure, attackers are disguising remote file servers as seemingly local resources and delivering multi-stage campaigns that frequently end in RAT infections. This report breaks down how the technique works, why it is effective, and what organizations can do to detect and mitigate this evolving threat.

January 28, 2026

Trusted, Signed, Still Malicious. Exploiting Custom Email Text to Bypass Security Controls

Threat actors are abusing legitimate email services to embed phone scams into trusted, signed messages that bypass traditional email security controls. By redirecting these emails without altering the From address, attackers make malicious messages appear fully legitimate to both users and security tools. This campaign highlights a growing risk where trusted infrastructure is weaponized to deliver convincing email threats.