July 2025 APT Attack Trends Report (Domestic)

2025-08-13 AhnLab cyber threat report on Phishing, LNK, TrustPKI

https://asec.ahnlab.com/ko/89578/


AhnLab observed that domestic APT activity in South Korea in July 2025 was dominated by spear-phishing, with LNK-file delivery making up the largest share and watering-hole activity also noted. The LNK chains used embedded PowerShell to extract CAB files and decoy documents, then ran BAT, PowerShell, and VBS scripts for host information theft and additional payload downloads. A second LNK pattern delivered RAT malware through archive files and cloud services such as the Dropbox API or Google Drive, creating scripts and obfuscated payloads under locations such as %PUBLIC%. The report names XenoRAT and RoKRAT among the observed RAT families and shows lure themes tied to finance, blockchain/digital assets, security, military affairs, intelligence oversight, and North Korean defector settlement.
