April 2025 Threat Trend Report on APT Attacks (South Korea)
Overview
AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and functions of the APT attacks detected in South Korea during April 2025.

Figure 1. Statistics of APT attacks in South Korea in April 2025
The APT attacks confirmed to have been distributed in Korea were classified by infiltration type. In April 2025, spear phishing was by far the most prevalent distribution method.
Trends of APT Attacks in South Korea
The following are the cases and functions for each APT attack infiltration type in April 2025.
1) Spear Phishing
Spear phishing is a type of phishing attack aimed at specific individuals or groups. Unlike ordinary phishing, the threat actor conducts reconnaissance before the attack to collect information on and learn about the targets. Because the phishing emails are crafted from the collected information, recipients are highly likely to believe they come from a trusted source. In some cases the sender's address is also manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links designed to lure the user into opening them.
The following are the types of malware distributed using this technique.
1.1 Attacks Using LNK
Type A
In this type, the LNK file carries a CAB archive that bundles multiple malicious scripts for leaking information and downloading additional malware. The distributed LNK file contains a malicious PowerShell command that reads the CAB file and a decoy document embedded inside the LNK file itself and writes them to the user's PC. The CAB file is then decompressed, and the script files it contains (bat, ps1, vbs, etc.) are executed. These scripts perform malicious behaviors such as leaking information about the user's PC and downloading additional files.
The confirmed file names are as follows.
| File Name |
| --- |
| NTS_eTaxInvoice.html.lnk |
| NTS_eTaxInvoice_250498347984769820712935.html.lnk |
| Direction for Prevention of Money Laundering for Virtual Asset Service Providers.hwp.lnk |
| Guide on Submitting Materials to Identify Undeclared Sources of Funds (Value-Added Tax Act Enforcement Decree).hwp.lnk |
| Proposal.pdf.lnk |
| Comprehensive Income Tax Return and Payment Notice (Income Tax Act Enforcement Decree).hwp.lnk |
| Company's Virtual Asset Holdings Status-2025.04.29.eml.lnk |

Table 1. Confirmed file names
The decoy files used to make it appear as if the user opened a legitimate file are as follows.

Figure 2. Identified decoy file

Figure 3. Identified decoy file
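A triage script for a Type A dropper of the kind described above, added here as an illustration; it is not AhnLab's tooling, and the sample LNK it parses is constructed inside the block rather than taken from a real campaign. The function names (`parse_lnk`, `carve_appended`, `triage`, `build_sample`) and the carving heuristics are the example's own. It walks the Shell Link structures defined in MS-SHLLINK to recover the target and arguments, then carves anything appended after the link data, which is where this type stores the CAB file and the decoy document:

```python
"""Triage a dropper LNK: parse the Shell Link structures, recover target and
arguments, and carve payloads appended after the shell-link data.
Added example; the sample LNK below is constructed, not a real campaign file."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
# LinkFlags bits from MS-SHLLINK
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Magic bytes worth carving out of the tail of a dropper LNK (heuristic list)
MAGIC = {b"MSCF": "cab", b"%PDF": "pdf", b"HWP Document File": "hwp5",
         b"\xd0\xcf\x11\xe0": "ole2", b"PK\x03\x04": "zip"}
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")


def parse_lnk(data):
    """Walk ShellLinkHeader, IDList, LinkInfo, StringData and ExtraData; return
    the string fields and the offset at which the shell link proper ends."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in STRING_FIELDS:             # CountCharacters (2) + chars, no NUL
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    while pos + 4 <= len(data):                  # ExtraData ends with BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    return {"flags": flags, "show_command": show_cmd, "strings": strings, "end": pos}


def carve_appended(data, start):
    """Locate embedded files after the shell-link data. A CAB header carries its
    own length (cbCabinet at +8), so CABs are carved exactly; the rest are
    reported by offset only."""
    found = []
    for magic, kind in MAGIC.items():
        off = data.find(magic, start)
        while off != -1:
            blob = None
            if kind == "cab" and off + 12 <= len(data):
                blob = data[off:off + struct.unpack_from("<I", data, off + 8)[0]]
            found.append({"offset": off, "kind": kind, "blob": blob})
            off = data.find(magic, off + 1)
    return sorted(found, key=lambda f: f["offset"])


def triage(data):
    info = parse_lnk(data)
    text = " ".join(info["strings"].values()).lower()
    indicators = []
    if any(h in text for h in SCRIPT_HOSTS):
        indicators.append("script-host target")
    if info["show_command"] == 7:                # SW_SHOWMINNOACTIVE hides the window
        indicators.append("minimized window")
    trailing = len(data) - info["end"]
    if trailing > 0:
        indicators.append(f"{trailing} bytes appended after shell link")
    info["indicators"] = indicators
    info["carved"] = carve_appended(data, info["end"])
    return info


def ustr(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample():
    """Constructed dropper LNK: PowerShell target, hidden window, a decoy PDF and
    a CAB stub appended. Real samples are far larger, but the layout is the same."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, HEADER_SIZE)
    hdr[4:20] = LINK_CLSID
    struct.pack_into("<I", hdr, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", hdr, 0x3C, 7)
    body = ustr(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    body += ustr('-NoProfile -WindowStyle Hidden -Command "<extraction stub omitted>"')
    body += b"\x00\x00\x00\x00"                  # TerminalBlock
    decoy = b"%PDF-1.4\n% constructed decoy\n%%EOF\n"
    cab = bytearray(b"MSCF" + bytes(32))
    struct.pack_into("<I", cab, 8, len(cab))    # cbCabinet
    return bytes(hdr) + body + decoy + bytes(cab)


if __name__ == "__main__":
    r = triage(build_sample())
    print(r["strings"]["relative_path"], r["strings"]["arguments"])
    print(r["indicators"], [(c["offset"], c["kind"]) for c in r["carved"]])
```

In real Type A samples the embedded PowerShell usually reads the LNK at hard-coded offsets, so carving by magic bytes is a generalization that also works when the offsets are unknown; the combination of a script-host target, a minimized window and megabytes of trailing data is the pattern worth alerting on, since a legitimate shortcut has no data at all after the terminal block.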
Type B
This type executes RAT malware. It is mainly distributed in a compressed archive together with a legitimate file. The distributed LNK file contains a malicious PowerShell command. The threat actor uses the Dropbox API or Google Drive to download the malware, or creates additional script files and an obfuscated RAT on the user's PC (e.g. in %PUBLIC%). The RAT then performs various malicious behaviors according to the threat actor's commands, such as keylogging and capturing screenshots. The identified RAT types include XenoRAT and RoKRAT.
The confirmed file names are as follows.
| File Name |
| --- |
| 2025 Seoul City Application Form Application for the Social Integration and Awareness Improvement Project for North Korean Defectors(21st Century Security Strategy Research Institute).lnk |
| Paper (20250418).lnk |
| Dr. Yeom** (Revised).lnk |
| Discussions with President Trump on Information Policy.lnk |

Table 2. Identified file names
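The Type B chain as it appears in endpoint telemetry, with correlation logic added here as an example; it is not AhnLab's detection rule. The events are constructed, their field names follow a Sysmon-like schema that is assumed for the example, and the cloud-storage host list is illustrative rather than a complete inventory of Dropbox and Google Drive endpoints. The rule fires only when one script-host process both reached a cloud-storage API and wrote under %PUBLIC%, so a legitimate Dropbox client and an ordinary PowerShell script that logs to the Public folder both stay quiet:

```python
"""Correlate process, network and file events per pid and alert on a PowerShell
process that pulls from Dropbox/Google Drive and drops into %PUBLIC%.
Added example over constructed telemetry; schema and host list are assumptions."""
import json
from collections import defaultdict

CLOUD_HOSTS = ("content.dropboxapi.com", "api.dropboxapi.com",
               "dl.dropboxusercontent.com", "drive.google.com",
               "drive.usercontent.google.com", "www.googleapis.com")
PUBLIC_DIR = r"c:\users\public"
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Constructed telemetry: one hidden PowerShell launched from explorer (as an LNK
# would do) that fetches from Dropbox and drops two files into %PUBLIC%, plus
# benign noise that must not alert.
EVENTS = [json.dumps(e) for e in [
    {"type": "process", "pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -WindowStyle Hidden -Command "<stub>"'},
    {"type": "network", "pid": 4120, "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"type": "file", "pid": 4120, "path": r"C:\Users\Public\svc.ps1"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\Public\update.dat"},
    {"type": "process", "pid": 5300, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe", "cmd": "Dropbox.exe /systemstartup"},
    {"type": "network", "pid": 5300, "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "process", "pid": 6001, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\scripts\backup.ps1"},
    {"type": "file", "pid": 6001, "path": r"C:\Users\Public\backup.log"},
]]


def correlate(lines):
    """Group events by pid; alert where a script host both contacted a cloud
    storage API and wrote under %PUBLIC%. Score adds one point each for a
    hidden window and an explorer.exe parent (how an LNK launch looks)."""
    procs = defaultdict(lambda: {"image": None, "parent": "", "cmd": "",
                                 "hosts": set(), "drops": []})
    for line in lines:
        ev = json.loads(line)
        p = procs[ev["pid"]]
        if ev["type"] == "process":
            p.update(image=ev["image"], parent=ev["parent"], cmd=ev["cmd"])
        elif ev["type"] == "network" and ev["dest_host"].lower() in CLOUD_HOSTS:
            p["hosts"].add(ev["dest_host"].lower())
        elif ev["type"] == "file" and ev["path"].lower().startswith(PUBLIC_DIR):
            p["drops"].append(ev["path"])
    alerts = []
    for pid, p in procs.items():
        if not p["image"] or not p["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        if p["hosts"] and p["drops"]:
            score = 2 + ("hidden" in p["cmd"].lower()) + p["parent"].lower().endswith("explorer.exe")
            alerts.append({"pid": pid, "hosts": sorted(p["hosts"]),
                           "drops": p["drops"], "score": score})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The per-pid join is what keeps the false-positive rate down: neither the cloud traffic nor the write to %PUBLIC% is suspicious on its own, but a script host doing both in one process matches the download-and-drop step this type relies on, and the explorer.exe parent plus hidden window are what an LNK-triggered launch leaves behind.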