May 2025 APT Attack Trend Report (Domestic)
2025-06-11 • AhnLab • Cyber threat report on LNK
AhnLab's May 2025 domestic APT trend data shows spear phishing as the dominant intrusion route against South Korean targets, with LNK-based delivery taking the largest share. The observed lures used tax, privacy, virtual-asset, business-document, and unification-related filenames to make malicious LNK files look like ordinary HWP, DOCX, or PDF documents. One chain embedded PowerShell in the LNK, extracted CAB and decoy-document data from it, and ran BAT, PS1, VBS, and related scripts that collect host information and download additional payloads. Another chain used an obfuscated BAT file to download a CAB containing a legitimate pythonw.exe and malicious Python scripts, unpacked them under ProgramData, and registered a scheduled task to run them for follow-on activity. The excerpt provides TTPs and lure themes for domestic APT monitoring but does not attribute the activity to a specific actor.
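As an added defensive example (not part of AhnLab's report), the following Python triage script parses a Shell Link (.lnk) file's header and string data and flags the lure traits the report describes: a document double extension, a PowerShell launch target with hidden-window flags, and CAB data appended after the LNK structures. The sample LNK bytes, the filename and the placeholder command are constructed for the demonstration, and the trait checks are heuristics rather than a signature.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink class id
FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data):
    """Parse the ShellLink header and StringData; keep any bytes left after the structure."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields, pos = {}, 0x4C
    if flags & FLAG_IDLIST:                      # LinkTargetIDList: u16 size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:                    # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & FLAG_UNICODE else (1, "cp1252")
    for flag, name in STRING_FIELDS:             # StringData: u16 char count + chars, in this order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + width * count].decode(enc, "replace")
            pos += 2 + width * count
    while pos + 4 <= len(data):                  # ExtraData blocks: u32 size each; < 4 terminates
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4 or pos + size > len(data):   # terminal block, or a malformed block: stop here
            pos += 4 if size < 4 else 0
            break
        pos += size
    fields["trailing"] = data[pos:]              # appended payload/decoy data lives here
    return fields

def assess_lnk(filename, data):
    """Triage findings matching the lure traits in the report (heuristics, not a signature)."""
    f = parse_lnk(data)
    launch = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    checks = [
        (filename.lower().removesuffix(".lnk").endswith((".hwp", ".docx", ".pdf")), "document double extension"),
        (any(x in launch for x in ("powershell", "cmd.exe", "wscript", "cscript")), "script interpreter target"),
        (any(x in launch for x in ("hidden", "-enc", "bypass")), "hidden/encoded launch flags"),
        (len(f["trailing"]) > 0, "data appended after LNK structures"),
        (b"MSCF" in f["trailing"], "CAB signature in appended data"),
    ]
    return [label for hit, label in checks if hit]

def build_sample_lnk():
    """Constructed sample (not a captured file): powershell target, hidden flag, appended CAB header."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | FLAG_UNICODE).ljust(0x4C, b"\x00")
    def s(t): return struct.pack("<H", len(t)) + t.encode("utf-16-le")   # one StringData entry
    body = s(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    body += s("-WindowStyle Hidden -Command <constructed placeholder>")
    return header + body + b"\x00" * 4 + b"MSCF" + b"\x00" * 32        # terminal block, then "CAB"
```

Running `assess_lnk("tax_data.hwp.lnk", build_sample_lnk())` reports all five traits; a plain shortcut with no arguments and no appended data reports none.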