February 2025 APT Group Trends (South Korea)


Overview


AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified in February 2025, as well as the attack types.



Figure 1. Statistics of APT attacks in South Korea in February 2025


The APT attacks that have been confirmed to be distributed in South Korea have been classified by type of infiltration, with the majority being categorized as the spear phishing type. In February 2025, the distribution of LNK files using spear phishing had the highest percentage among the types of infiltration.


Trends of APT Attacks in Korea


The cases and features for each APT attack type identified in February 2025 are as follows.


1) Spear Phishing


Spear Phishing is a type of phishing attack that targets specific individuals or groups. Unlike regular phishing attacks, threat actors perform reconnaissance on their targets before launching an attack. They use the information gathered to craft their phishing emails, making it more likely for the recipients to trust the emails. In some cases, threat actors also spoof their email addresses. Most spear phishing attacks involve malicious attachments or links in the emails, prompting users to download and execute them.


The following are the types of malware distributed using this technique.


1.1 Attacks Using LNK Files


Type A


This type involves creating a CAB archive that bundles multiple malicious scripts to leak information and download additional malware. The distributed LNK file contains a malicious PowerShell command, which extracts the CAB file and the decoy document embedded in the LNK file and writes them to the user's PC. The CAB file is then decompressed, and the script files (bat, ps1, vbs, etc.) inside it are executed. These scripts can perform malicious behaviors such as leaking user PC information and downloading additional files.


The confirmed file names are as follows.

File Name

#1. Notice on Submitting Clarification Material Related to Corporate Tax Return.hwp.lnk
T**to Co., Ltd._Request for Additional Information and Inquiries for Year-end Settlement 2024.xls.lnk
1. Overseas Financial Account Report (Revised Report).hwp.lnk
2024 Annual Settlement of Accounts Guide_*Kor.docx.lnk
Request for Cooperation on Special Report in 2025.docx.lnk
Virtual Asset Business Operator+Inspection Plan+Democratic Party of Korea+Presentation Material_fn2.hwp.lnk
Value-Added Tax Return Revision Guide (Value-Added Tax Office Processing Regulations).hwp.lnk
Error Notice Revision Request Submission Guide (National Tax Collection Act Enforcement Regulations).hwp.lnk

Table 1. Confirmed file names


The following is the decoy file used to make it appear as if the user executed a legitimate file.



Figure 2. Confirmed decoy file

Type B


This type involves downloading a CAB file containing a malicious Python script. When the LNK file is executed, an obfuscated batch file (*.bat) is created in the TEMP folder and executed through PowerShell. The created BAT file accesses an external URL to download the CAB file, which is then decompressed into the ProgramData folder. The CAB file contains a legitimate pythonw.exe and a malicious Python script (*.config). The Python script is also obfuscated and is registered in the task scheduler for execution. Ultimately, an additional malicious file is downloaded from the external URL and executed, allowing various malicious behaviors to be performed.


The confirmed file names are as follows.

File Name

b***bio_Planning Team_Screen Design_User Screen_PC_Lee*.ver1.2_20250206.lnk
Attachment. Third Party Opinion (Request for Non-Disclosure).lnk
Ukraine NGO Group.lnk

Table 2. Identified file names
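As an added, defender-side example that is not part of AhnLab's report: a Python triage script for the LNK characteristics described under Type A and Type B above. It walks the Shell Link (MS-SHLLINK) structures to recover the command-line arguments, checks them for PowerShell, and measures any data appended after the terminal ExtraData block, which is where a CAB and decoy embedded in a Type A LNK would sit; the document-extension list, the constructed sample LNK bytes, and the heuristics are assumptions, not AhnLab's detection logic.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_REL_PATH), ("workdir", HAS_WORK_DIR),
                 ("args", HAS_ARGS), ("icon", HAS_ICON))

def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structures; return StringData fields and the overlay size."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], HEADER_SIZE
    if flags & HAS_ID_LIST:                 # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    strings = {}
    for name, bit in STRING_FIELDS:         # CountCharacters (2 bytes) then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            strings[name] = data[pos + 2:pos + 2 + count * width].decode(codec, "replace")
            pos += 2 + count * width
    while pos + 4 <= len(data):             # ExtraData blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += size if size >= 4 else 4
        if size < 4:
            break
    return {"strings": strings, "overlay_bytes": max(0, len(data) - pos)}  # bytes past the terminal block

def triage(filename: str, data: bytes) -> list:
    """Findings for one LNK sample: decoy double extension, PowerShell args, appended data."""
    info = parse_lnk(data)
    args = info["strings"].get("args", "").lower()
    findings = []
    if filename.lower().removesuffix(".lnk").rsplit(".", 1)[-1] in ("hwp", "docx", "xls", "pdf"):
        findings.append("document extension before .lnk")
    if "powershell" in args or "-enc" in args:
        findings.append("PowerShell launched from the shortcut arguments")
    if info["overlay_bytes"]:
        findings.append(f"{info['overlay_bytes']} bytes appended after the LNK structure")
    return findings

def build_sample_lnk(args: str, overlay: bytes = b"") -> bytes:
    """Constructed minimal LNK (header, COMMAND_LINE_ARGUMENTS, terminal block) for testing."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le") + bytes(4) + overlay
```

On a real sample, the overlay size together with a "MSCF" marker in the appended bytes is a quick way to confirm the embedded CAB of Type A before any script inside it is examined.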
