March 2025 APT Group Trends (South Korea)
Overview
AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified in March 2025, as well as the attack types.

Figure 1. Statistics of APT attacks in South Korea in March 2025
The APT attacks confirmed to have been distributed in South Korea are classified by infiltration type, and the majority fall under spear phishing. In March 2025, spear phishing that delivered LNK files accounted for the largest share among the infiltration types.
Trends of APT Attacks in Korea
The cases and features of each APT attack type identified in March 2025 are as follows.
1. Spear Phishing
Spear Phishing is a type of phishing attack that targets specific individuals or groups. Unlike regular phishing attacks, threat actors perform reconnaissance on their targets before launching an attack. They use the information gathered to craft their phishing emails, making it more likely for the recipients to trust the emails. In some cases, threat actors also spoof their email addresses. Most spear phishing attacks involve malicious attachments or links in the emails, prompting users to download and execute them.
The following are the types of malware distributed using this technique.
1.1. Attacks Using LNK Files
Type A
This type creates a CAB file containing multiple malicious scripts that leak information and download additional malware. The distributed LNK file contains a malicious PowerShell command, which extracts the CAB file and a decoy document embedded within the LNK file and writes them to the user's PC. The CAB file is then decompressed, and the script files inside it (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious behaviors such as leaking information about the user's PC and downloading additional files.
The confirmed file names are as follows.
| File Name |
| --- |
| #1. ftrsm_total strategy.xlsx.lnk |
| 1. Reports on foreign financial accounts (amended).hwp.lnk |
| Submission guide for undeclared income explanation (value-added tax administration rules).hwp.lnk |

Table 1. Confirmed file names
Type B
This type downloads a CAB file containing a malicious Python script. When the LNK file is executed, an obfuscated batch file (*.bat) is created in the TEMP folder and executed through PowerShell. The created BAT file accesses an external URL to download the CAB file, which is then decompressed into the ProgramData folder. The CAB file contains a legitimate pythonw.exe and a malicious Python script (*.config). The Python script is also obfuscated and is registered in the task scheduler for execution. Ultimately, an additional malicious file is downloaded from the external URL and executed, allowing various malicious behaviors to be performed.
The confirmed file names are as follows.
| File Name |
| --- |
| Attachment.lnk |
| State of Emergency Martial Law National Investigation Final Report-1.lnk |

Table 2. Identified file names
The decoy file that makes it look as though the user has opened a normal file is as follows.

Figure 1. Confirmed decoy file

Figure 2. Confirmed decoy file
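A defender-side check that covers both LNK types above, added here as an example and not part of AhnLab's report: a minimal parser for the LNK (MS-SHLLINK) structure that surfaces a PowerShell target, hidden-window arguments, a document-style double extension in the file name, and data appended after the link structures, which is where Type A carries its CAB and decoy. The sample LNK is constructed inside the block; the keyword list, extension list and 1 KB size threshold are illustrative assumptions, not values from the report.

```python
import struct
# LinkFlags bits at header offset 0x14 (MS-SHLLINK), listed in StringData order
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 1, 2, 4, 8, 16, 32, 64, 128
DOC_EXTS = {"hwp", "xlsx", "docx", "pdf", "txt"}          # document types faked by ".xxx.lnk" names (assumed list)
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "expand ")  # assumed keyword list

def parse_lnk(data: bytes) -> dict:
    """Walk header, optional IDList/LinkInfo, StringData and ExtraData; return strings plus trailing bytes."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link file")
    flags, pos, info = struct.unpack_from("<I", data, 0x14)[0], 0x4C, {}
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:                          # CountCharacters (2 bytes) + unterminated string
            n, w = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            info[key] = data[pos + 2:pos + 2 + n * w].decode("utf-16-le" if w == 2 else "latin-1")
            pos += 2 + n * w
    size = 4
    while size >= 4 and pos + 4 <= len(data):    # ExtraData blocks end at a BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    info["trailing"] = data[pos:]                # bytes appended after the link structures
    return info

def assess_lnk(name: str, data: bytes) -> list:
    """Return findings for one LNK file and its on-disk name; an empty list means nothing notable."""
    info, findings = parse_lnk(data), []
    ext = name.lower().removesuffix(".lnk").rsplit(".", 1)[-1]  # "report.hwp.lnk" -> "hwp"
    if ext in DOC_EXTS:
        findings.append(f"double extension (.{ext}.lnk) mimics a document")
    args = info.get("arguments", "").lower()
    if "powershell" in (info.get("relative_path", "") + args).lower():
        findings.append("link launches PowerShell")
    findings += [f"suspicious argument: {kw.strip()}" for kw in SUSPICIOUS_ARGS if kw in args]
    if len(info["trailing"]) > 1024:
        findings.append(f"{len(info['trailing'])} bytes appended after the link structures")
    if b"MSCF" in info["trailing"]:
        findings.append("CAB signature (MSCF) inside the appended data")
    return findings

def build_sample_lnk() -> bytes:
    """Constructed sample, not a real-world file: PowerShell link with a CAB-like blob appended."""
    header = b"\x4c" + b"\x00" * 19 + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE) + b"\x00" * 52
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")   # one Unicode StringData entry
    body = s("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") + s('-w hidden -c "placeholder"')
    return header + body + b"\x00" * 4 + b"\x00" * 2048 + b"MSCF" + b"\x00" * 32  # terminal block, then blob
```

Running `assess_lnk("report.hwp.lnk", build_sample_lnk())` reports the double extension, the PowerShell target, the hidden-window switch and the appended CAB-like data; a plain link with no appended data returns an empty list.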