September 2025 APT Attack Trends Report (South Korea)
Overview
AhnLab monitors APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and characteristics of the APT attacks in South Korea identified in September 2025.

Figure 1. Statistics of APT attacks in September 2025
In South Korea, most of the confirmed APT attacks were delivered through spear phishing. In September 2025, attacks using LNK files accounted for the largest share of the spear phishing attacks.
Trends of APT Attacks in South Korea
The following are the cases and functions, by breach type, of the APT attacks in South Korea identified in September 2025.
1) Spear Phishing
Spear Phishing is a type of phishing attack that targets specific individuals or groups. Unlike regular phishing attacks, threat actors go through a reconnaissance phase before launching their attacks to collect information on their targets. Threat actors then use this information to craft phishing emails, making it more likely for users to perceive the emails as trustworthy. In some cases, threat actors also use email spoofing to forge the sender’s address. The majority of spear phishing attacks include malicious attachments or links in their emails, prompting users to open them.
The following are the types of malware distributed using this technique.
1.1. Attacks Using LNK
Type A
This type involves a compressed CAB file containing multiple malicious scripts, which are used to leak information and download additional malware. The distributed LNK file contains a malicious PowerShell command. This command extracts the CAB file and decoy document embedded in the LNK file and writes them to the user's PC. The CAB file is then decompressed, and the multiple script files (bat, ps1, vbs, etc.) it contains are executed. The executed scripts can perform malicious behaviors such as leaking information about the user's PC and downloading additional files.
The confirmed file names are as follows.
| File Name |
| --- |
| 1. Overseas Financial Account Report (Amendment).hwp.lnk |
| 2025_blockchain_solution companies_template.docx.lnk |
| Cryptocurrency_Receipt_Confirmation.docx.lnk |
| Compliance Check of Personal Information Protection Obligations.hwp.lnk |
| Guidelines for Submitting Materials to Clarify Unreported Source of Funds.hwp.lnk |
| Cryptocurrency_Deposit Confirmation Report.hwp.lnk |
Table 1. Confirmed file names
The following are decoy files, displayed so that the user believes a legitimate file has been opened.

Figure 2. Identified decoy file
Type B
This type executes RAT malware. It is mainly distributed in a compressed file together with a normal file, and the distributed LNK file contains a malicious PowerShell command. The malware either downloads the RAT via the Dropbox API or Google Drive, or creates additional script files and obfuscated RAT malware in the user's %PUBLIC% folder. The executed RAT performs various malicious behaviors according to the threat actor's commands, such as keylogging and taking screenshots. The identified RAT types are XenoRAT and RoKRAT.
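A triage routine for the LNK tradecraft described under Type A and Type B, added here as an example and not part of AhnLab's report: it walks the shell link header, optional structures and string data as laid out in MS-SHLLINK, then flags a PowerShell target, hidden-window or bypass switches, a stub that refers back to a .cab or .lnk, a double extension such as .hwp.lnk or .docx.lnk, and bytes appended after the shortcut structure (where an embedded CAB and decoy would sit). The 64 KB size threshold, the indicator regexes, the cp949 fallback and the constructed sample shortcut are assumptions.

```python
import re
import struct
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags, MS-SHLLINK 2.1.1
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SIZE_THRESHOLD = 64 * 1024  # assumption: a genuine shortcut is a few KB; an embedded CAB + decoy inflates it
INDICATORS = (  # regexes over the shortcut's strings, matching the PowerShell stubs described for Type A/B
    ("powershell-target", r"powershell|pwsh"),
    ("hidden-or-bypass-switch", r"-w(indowstyle)?\s+h(idden)?\b|-ep\s+bypass|-nop\b"),
    ("self-reference-or-cab", r"\.cab\b|\.lnk\b|\bexpand\b|extrac32"),
)
def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData and ExtraData; report strings and bytes left after the TerminalBlock."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"), (HAS_WORK_DIR, "workdir"),
                     (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if flags & bit:  # CountCharacters (2 bytes) then characters: UTF-16LE when IsUnicode, else ANSI (cp949 here)
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            strings[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp949", "replace")
            pos += count * width
    size = 4
    while size >= 4 and pos + 4 <= len(data):  # ExtraData: size-prefixed blocks; a size < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
    return {"flags": flags, "strings": strings, "size": len(data), "trailing": len(data) - pos}
def triage(filename: str, data: bytes) -> list:
    """Return indicator names for one LNK; name and layout checks are added to the regex hits."""
    info = parse_lnk(data)
    findings = [n for n, pat in INDICATORS if re.search(pat, " ".join(info["strings"].values()), re.I)]
    if filename.lower().removesuffix(".lnk").endswith((".hwp", ".doc", ".docx", ".pdf", ".html", ".xlsx")):
        findings.append("double-extension")  # *.hwp.lnk, *.docx.lnk as in Table 1
    if info["size"] > SIZE_THRESHOLD or info["trailing"] > 0:
        findings.append("appended-data")  # bytes past the TerminalBlock: where the CAB and decoy would live
    return findings
def build_sample(relpath: str, args: str, appended: bytes) -> bytes:
    # Constructed shortcut: header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings, TerminalBlock, appended bytes
    header = (struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
              + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE) + bytes(52))
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return header + body + bytes(4) + appended
# Constructed sample modelled on Table 1: the stub text is a placeholder, the 'MSCF' bytes mimic an appended CAB
SAMPLE_LNK = build_sample(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          '-w hidden -ep bypass -c "<placeholder: carve .cab and decoy .hwp from this .lnk>"',
                          b"MSCF" + bytes(70_000))
```

Run `triage("Cryptocurrency_Receipt_Confirmation.docx.lnk", SAMPLE_LNK)` to see all five indicators fire; a plain application shortcut returns an empty list.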
The confirmed file names are as follows.
| File Name |
| --- |
| pust Introduction Material_2025 ver.lnk |
| Kim Jong-un Trying to Reconfigure the Order in Northeast Asia (Song**).lnk |
| Kim Jong-un Trying to Reconfigure the Order of Northeast Asia.lnk |
| Announcement on the Implementation of Special Naturalization for Compatriots.lnk |
| Automatic Payment Guide (Insurance)-Security.lnk |
| Attachment (Security).html.lnk |
| News of Haeuhoe (August 2025).lnk |
Table 2. Names of the identified files
※ Please refer to the attachment for more details.