June 2025 APT Group Trends Report

2025-07-15 AhnLab June 2025 APT Group Trends Report

https://asec.ahnlab.com/ko/89037/


The June 2025 APT group trend report highlights several DPRK-linked operations, including North Korean remote IT worker infiltration and Kimsuky spear-phishing activity against South Korean targets. In the remote IT worker cases, Jasper Sleet and other North Korean actors used forged resumes and identities, AI-generated or altered documents, fake portfolios, VPNs, VPS and proxy infrastructure, KVM devices, and RMM tools such as TinyPilot, RustDesk, TeamViewer, AnyViewer, and AnyDesk to obtain employment access, money, and sensitive data. One Kimsuky case targeted South Korean defense and North Korea-related activists through Facebook, email, and Telegram, delivering EGG archives with JSE content, loading DLLs through regsvr32, using encryption to hide collected data, and maintaining C2 communications through AppleSeed. Another Kimsuky case abused hard-coded GitHub personal access tokens and private repositories as attack infrastructure, used Dropbox to distribute payloads, maintained persistence through scheduled tasks, and deployed XenoRAT for system control, keylogging, clipboard capture, and information theft.
