August 2025 Threat Trend Report on APT Attacks (South Korea)

Overview

AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in Korea. This report presents the categorization and statistics of APT attacks identified in South Korea during August 2025, along with the behavior of each attack type.


Figure 1. August 2025 statistics on APT attacks in South Korea

Most APT attacks identified in South Korea were spread through spear phishing. In particular, in August 2025, attacks using LNK files within spear phishing campaigns accounted for the largest proportion.

Trends of APT Attacks in South Korea

The cases and behaviors of each APT attack type identified in August 2025 are as follows.

1) Spear Phishing

Spear phishing is a type of phishing attack aimed at specific individuals or groups. Unlike ordinary phishing, the threat actor conducts reconnaissance before the attack to collect information about the targets. Because the phishing emails are crafted using this information, recipients are highly likely to believe they come from a trusted source, and in some cases the sender address is additionally forged through email spoofing. Most spear phishing emails carry malicious attachments or links that are intended to lure the recipient into opening them.

Types distributed using this technique are as follows.

1.1 Attacks Using LNK Files

Type A

This type delivers a compressed CAB file containing multiple malicious scripts that exfiltrate information and download additional malware. The distributed LNK file carries a malicious PowerShell command, which extracts the CAB file and a decoy document embedded inside the LNK file and writes both to the user's PC. The CAB file is then decompressed and the script files it contains (bat, ps1, vbs, etc.) are executed. These scripts can perform malicious behaviors such as exfiltrating information from the user's PC and downloading additional files.

The confirmed file names are as follows.

File Name

#1. Shareholder Verification Document.docx.lnk

Xangle_Token_Metrics_Lockup_Circulating_Supply.xlsx.lnk

Notice on Submission of Explanation for Unreported Source of Funds.hwp.lnk

Table 1. Confirmed file names

Below is a decoy file that was used to deceive the user into thinking they executed a legitimate file.


Figure 2. A confirmed decoy file

Type B

This type ultimately executes RAT malware. The LNK files are generally distributed in compressed archives alongside legitimate files and contain malicious PowerShell commands. The malware either downloads additional payloads through the Dropbox API or Google Drive, or creates additional script files and an obfuscated RAT in a system folder such as “%PUBLIC%” on the user’s PC. The RAT that is finally executed can carry out various malicious behaviors, such as keylogging and taking screenshots, according to commands from the threat actor. XenoRAT and RoKRAT were among the RAT families found in this case.
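As an added example (not AhnLab's tooling and not the threat actor's code), the following Python script triages a .lnk file for the two patterns described under Type A and Type B above. It parses the Shell Link (MS-SHLLINK) structures far enough to recover the CommandLineArguments string, scans the bytes that follow the LNK structure for CAB and document signatures (the Type A case of a CAB file and decoy embedded inside the LNK), and flags command-line fragments that point to Dropbox/Google Drive downloads or staging in %PUBLIC% (Type B). The sample LNK bytes, the PowerShell fragment and the indicator lists are constructed for this demonstration and are not taken from the report.

```python
"""Triage a Windows .lnk for the Type A/Type B patterns above (added example, not AhnLab's code)."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the header in this fixed order, each present only if its flag bit is set.
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
# Signatures to look for in bytes appended after the LNK structure (Type A: CAB + decoy inside the LNK).
APPENDED_MAGICS = {
    b"MSCF": "CAB archive",
    b"PK\x03\x04": "ZIP container (docx/xlsx/pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (hwp/doc/xls)",
}
# Case-insensitive fragments in the PowerShell command line (constructed list, not from the report).
COMMAND_INDICATORS = {
    "-windowstyle hidden": "hidden window",
    "readallbytes": "reads a file into memory (self-carving LNK)",
    "expand-archive": "decompresses an archive on the host",
    "expand ": "expand.exe CAB extraction",
    "dropboxapi.com": "Dropbox API download (Type B)",
    "drive.google.com": "Google Drive download (Type B)",
    "%public%": "staging in %PUBLIC% (Type B)",
    "$env:public": "staging in %PUBLIC% (Type B)",
}


def parse_lnk(data: bytes) -> dict:
    """Walk the MS-SHLLINK structures and return the StringData plus any trailing bytes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, not byte count
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    # ExtraData: blocks prefixed by a uint32 size; a size below 4 is the terminal block.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    return {"flags": flags, "strings": strings, "structure_end": pos, "appended": data[pos:]}


def find_appended_payloads(appended: bytes) -> list:
    """Return (offset, description) for every known signature found in the trailing bytes."""
    hits = []
    for magic, desc in APPENDED_MAGICS.items():
        off = appended.find(magic)
        while off != -1:
            hits.append((off, desc))
            off = appended.find(magic, off + 1)
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Combine command-line indicators (Type A/B) and appended-payload hits (Type A) into a verdict."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    lowered = args.lower()
    indicators = [desc for frag, desc in COMMAND_INDICATORS.items() if frag in lowered]
    payloads = find_appended_payloads(info["appended"])
    return {"arguments": args, "indicators": indicators, "payloads": payloads,
            "appended_bytes": len(info["appended"]), "suspicious": bool(indicators or payloads)}


def build_sample_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Construct a minimal Unicode LNK that carries only CommandLineArguments (test fixture)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x20 | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))    # remaining header fields are irrelevant here
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


# Constructed sample: self-carving PowerShell plus a fake CAB header and docx magic appended after the LNK.
SAMPLE_ARGS = ('-windowstyle hidden -command "$b=[IO.File]::ReadAllBytes($f);'
               "[IO.File]::WriteAllBytes('a.cab',$b[0x1000..0x1fff]);expand a.cab -F:* $env:PUBLIC\"")
SAMPLE_APPENDED = b"MSCF" + b"\x00" * 28 + b"PK\x03\x04" + b"decoy-document-bytes"
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, SAMPLE_APPENDED)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `SAMPLE_LNK` with `open(path, "rb").read()`. The parser deliberately stops at the terminal ExtraData block rather than trusting the file size, which is exactly what makes appended CAB or document bytes visible; real-world LNK files also often carry an oversized IDList or padding, so a large `appended_bytes` value without a known signature is still worth a manual look.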

 

File Name

**** Department of Internal Medicine_Han ******_20250825.lnk

Recent North Korea’s Situation and Changes in the Unification Environment of the Korean Peninsula.lnk

★Profile_Lee ********_Northeast Asia Community Culture Foundation (August 29th, 2024).lnk

Kim Jong-un’s Trump Card, Ukraine-Russia War.lnk

email_1755841203079.lnk

Professor ****** from UC Berkeley, USA, lecture at Institute for Future Strategy Seoul National University (Aug 19).lnk

Power of Attorney (including Choi *********’s ID).hwp.lnk

***, negotiation studies. 2025. vol. 28-1.lnk

Understanding Myself and My Family Through Family Dynamics.lnk

2025-1 21st Century Institute Defense Policy Seminar (July 11th, 2025) – Sent.lnk

(Monthly Kima) 4-1 Implications of Securing Tactical Drone Superiority in Future Warfare (Final).lnk

Negligence of Duty Lesson 1.lnk

Study on the Impact of Security Laws After Constitutional Amendments-Research Center.lnk

Korean Association of Negotiation Studies Negotiation Research.lnk

Seaside Friends Society Newsletter (July 2025 Issue).lnk

National Intelligence Research Association Newsletter (Issue 52).lnk

Table 2. Confirmed file names

 

MD5

01723fd6f54a4106069bc32e4a61d82c
08ea68fba0a2bed73b44d962712d0371
0bbf8df4cf217524d1500884bf7da0bc
0d621ff3b6cf5384643a828f6b34ed6c
0d8cd39cb89536c00cec00cf2e669654

URL

http[:]//auth[.]wizvera[.]o-r[.]kr/index[.]php
http[:]//female-disorder-beta-metropolitan[.]trycloudflare[.]com/index[.]php
https[:]//authlobby[.]site/auth1/css[.]php?na=fmb
https[:]//authlobby[.]site/auth1/css[.]php?na=fmp
https[:]//authlobby[.]site/auth1/demo[.]php?ccs=cin
IP

174[.]138[.]186[.]157
213[.]145[.]86[.]223
77[.]246[.]101[.]72