AhnLab's March 2025 APT trend report states that North Korean APT groups were especially active during the month, using email, community-board postings, malicious documents, fake job interviews, and ClickFix-style techniques. The report describes Kimsuky using a malicious HWP document with an embedded OLE object in a notice recruiting participants for a unification-related education program. It also notes Konni activity involving LNK files and AsyncRAT against political organizations and institutions across Russia, East Asia, Europe, and the Middle East. Lazarus-related coverage includes exploitation of Korean IIS web servers as C2 infrastructure, malicious npm packages targeting developers, and fake job-interview operations against cryptocurrency-sector organizations.