May 2025 APT Group Trends (South Korea)
Overview
AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in Korea that were identified during May 2025.

Figure 1. Statistics of APT attacks in South Korea in May 2025
The APT attacks confirmed to have been distributed in Korea were classified by infiltration type, and in May 2025 spear phishing was the most prevalent distribution method.
Trends of APT Attacks in South Korea
The following are the cases and functions for each APT attack infiltration type in May 2025.
1) Spear Phishing
Spear phishing is a type of phishing attack against specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attacks to collect information on and learn about the attack targets. Because the threat actor crafts phishing emails using the collected information, the recipients of the emails are highly likely to believe that they are from a trusted source. There are also cases where the sender’s address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that are intended to lure the user to open them.
The following are the types of malware strains distributed using this technique.
1.1 Attacks Using LNK
Type A
This type involves creating a CAB file that compresses multiple malicious scripts to leak information and download additional malware. The distributed file, an LNK file, contains a malicious PowerShell command. This command extracts the CAB file and decoy document embedded inside the LNK file and writes them to the user's PC. The CAB file is then decompressed, and the multiple script files (bat, ps1, vbs, etc.) it contains are executed. The executed script files can perform malicious behaviors such as leaking user PC information and downloading additional files.
The confirmed file names are as follows.
| File Name |
| --- |
| 1. Overseas Financial Account Report (Amendment).hwp.lnk |
| Checklist of Compliance Status of Personal Information Protection Obligations.hwp.lnk |
| Announcement on Appointment of External Evaluator for Virtual Asset-related Matters.hwp.lnk |
| Guide on Submitting Materials for Clarifying the Source of Funds Not Reported (Enforcement Decree of the Value-Added Tax Act).hwp.lnk |
| Guide to Submitting Exculpatory Evidence.hwp.lnk |
| Comprehensive Income Tax Return and Payment Statement (Income Tax Act Enforcement Decree).hwp.lnk |
| Token Payment History Confirmation.docx.lnk |

Table 1. Identified file names
The following are the decoy files used to make it appear as if the user executed a legitimate file.

Figure 2. Identified decoy file
(The figure shows the cover page of Privacy Protection Compliance Report)

Figure 3. Identified decoy file
(The figure shows the Guide to submitting documents related to foreign exchange transactions)

Figure 4. Identified decoy file
(The figure shows the content of Token Transfer Confirmation Statement)
Type B
This type involves downloading a CAB file that contains a malicious Python script. When the LNK file is executed, an obfuscated batch file (*.bat) is created in the TEMP folder and executed through PowerShell. The generated BAT file accesses an external URL to download the CAB file, which is then decompressed in the ProgramData folder. The CAB file contains a legitimate pythonw.exe and a malicious Python script. The Python script is also obfuscated and is registered in the task scheduler for execution. Ultimately, an additional malicious file is downloaded from the external URL and executed, allowing various malicious behaviors to be performed.
The confirmed file names are as follows.
| File Name |
| --- |
| fwBureaucrat_Claim_Guide.lnk |
| Certificate of Business Registration of the Korean Federation for Unification.pdf.lnk |

Table 2. Detected file names
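Both LNK types above share traits a defender can check without executing the shortcut: a document-like double extension, a command line that calls PowerShell, and (in Type A) CAB and decoy data appended after the real shell link structure. The following triage script is an added example, not AhnLab's code; it walks the MS-SHLLINK layout to find where the link structure ends and flags anything after it. The sample LNK and its command line are constructed here for the test; only the file name comes from Table 1.

```python
import struct
# Header layout and LinkFlags bits from the MS-SHLLINK specification
LNK_HEADER_SIZE = 76
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON))
DOC_EXTENSIONS = {"hwp", "doc", "docx", "pdf", "xlsx"}

def parse_lnk(data):  # returns (string fields, offset where the shell link structure ends)
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, off = struct.unpack_from("<I", data, 20)[0], LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 size followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width, strings = (2 if flags & IS_UNICODE else 1), {}
    for name, bit in STRING_FIELDS:   # StringData: u16 character count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            strings[name] = data[off + 2:off + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    while off + 4 <= len(data) and (size := struct.unpack_from("<I", data, off)[0]) >= 4:
        off += size              # ExtraData blocks; a size below 4 is the terminal block
    return strings, off + 4      # skip the 4-byte terminal block

def triage_lnk(filename, data):  # defender-side findings for one LNK sample
    findings = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTENSIONS:
        findings.append(f"double extension: masquerades as a .{parts[1]} document")
    strings, end = parse_lnk(data)
    if "powershell" in strings.get("arguments", "").lower():
        findings.append("command line invokes PowerShell")
    trailing = data[end:]
    if trailing:   # Type A carries the CAB and decoy document here, after the real link structure
        kind = "CAB archive" if trailing.startswith(b"MSCF") else "unknown data"
        findings.append(f"{len(trailing)} bytes appended after link structure ({kind})")
    return findings

def build_sample(arguments, payload):  # constructed sample, not a capture: minimal Unicode LNK
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I16sI", header, 0, LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGS | IS_UNICODE)
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return bytes(header) + args + b"\x00\x00\x00\x00" + payload   # four zero bytes end ExtraData

SAMPLE_NAME = "Token Payment History Confirmation.docx.lnk"   # file name listed in Table 1
SAMPLE = build_sample("powershell -WindowStyle Hidden -Command <placeholder>", b"MSCF" + bytes(60))
```

Running `triage_lnk(SAMPLE_NAME, SAMPLE)` yields all three findings; a plain shortcut with no appended data and no PowerShell in its arguments returns an empty list.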
※ For more information, please refer to the attachment.