November 2025 APT Group Trends Report

2025-12-12 AhnLab November 2025 APT Group Trends Report

https://asec.ahnlab.com/ko/91524/


AhnLab's November 2025 APT trend reporting describes continued evolution by suspected North Korea-backed actors, including Lazarus, Famous Chollima, Kimsuky, and a Konni-linked cluster associated with Kimsuky or TA-RedAnt.

Lazarus activity is described as using Comebacker variants and Dream Job-style spearphishing against defense, aerospace, government, and diplomatic targets to collect technical and personnel information.

Famous Chollima's Contagious Interview activity targeted software, cryptocurrency, and Web3 developers through fake recruiter profiles, ClickFix-style lures, malicious GitLab demo projects, and JSON storage services, delivering the BeaverTail, InvisibleFerret, OtterCookie, and Tsunami components.

Kimsuky activity used KimJongRAT variants together with phishing, LNK, DOC, PowerShell, and HTA delivery, hosting on GitHub Releases and Google Drive, Korean URL shorteners, and proxy login pages to steal browser data, credentials, files, keylogs, clipboard data, messenger data, FTP credentials, and cryptocurrency wallet data from Korean users.

The Konni-linked section describes spearphishing and account compromise against South Korean defectors and a counselor, combining KakaoTalk impersonation, Google Find Hub abuse to remotely wipe Android devices, malicious ZIP/MSI/LNK delivery, AutoIt scripts, and RATs including RemcosRAT, LilithRAT, QuasarRAT, and RftRAT.

Indicators of Compromise

Type    Value      First Seen   Last Seen
DOMAIN  buly.kr    2025-08-10   2026-04-07
DOMAIN  link24.kr  2025-11-21   2026-01-14
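The two domains in the table are the Korean URL-shortener services the Kimsuky section refers to. Such domains are useful for retrospective hunting but noisy as a blocking rule, because ordinary Korean users also follow links through them. The following added example (not part of the AhnLab report or of this page) matches constructed proxy log lines against the IOC domains, treating subdomains as matches but rejecting look-alikes such as notbuly.kr, and tags each hit so an analyst pivots to the user and the expanded destination rather than auto-blocking. The log format, usernames, and URLs are assumptions made up for the example.

```python
"""Match proxy-log hostnames against domain IOCs (added example, not from the page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IOC domains from the table above. The tag is an analyst annotation (assumption):
# both are public Korean URL shorteners, so a hit needs follow-up, not auto-block.
IOC_DOMAINS: Dict[str, str] = {
    "buly.kr": "korean-url-shortener",
    "link24.kr": "korean-url-shortener",
}

# Constructed sample proxy log lines (timestamp user url); not real telemetry.
SAMPLE_LOG = """\
2025-11-21T09:14:02Z jdoe https://buly.kr/3xAb9Qz
2025-11-21T09:14:05Z jdoe https://drive.google.com/uc?id=example
2025-11-21T10:02:44Z asmith http://notbuly.kr/home
2025-11-21T10:03:10Z asmith https://cdn.link24.kr/r/AbC
2025-11-21T11:30:00Z kpark https://example.com/
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    user: str
    host: str
    ioc: str
    tag: str


def normalize_host(url: str) -> str:
    """Return the lowercase hostname of a URL without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def match_domain(host: str, iocs: Dict[str, str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IOC covering host: an exact match or any subdomain of it.

    Comparison is on label boundaries, so 'notbuly.kr' does not match 'buly.kr'
    while 'cdn.link24.kr' does match 'link24.kr'.
    """
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(text: str, iocs: Dict[str, str] = IOC_DOMAINS) -> List[Hit]:
    """Scan 'timestamp user url' lines and return one Hit per IOC match."""
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing fields
        ts, user, url = parts
        host = normalize_host(url)
        ioc = match_domain(host, iocs)
        if ioc is not None:
            hits.append(Hit(ts, user, host, ioc, iocs[ioc]))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.user} {h.host} -> {h.ioc} [{h.tag}]")
```

Run against the constructed log, the scan reports the buly.kr request from jdoe and the cdn.link24.kr request from asmith; the notbuly.kr line is correctly ignored. Follow-up for a real hit is to expand the short link in a sandbox and check whether the destination is one of the GitHub Releases or Google Drive hosting locations described in the Kimsuky section.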
