August 2025 APT Attack Trends Report (Domestic)
2025-09-12 • AhnLab
AhnLab’s August 2025 domestic APT telemetry shows spearphishing remained the dominant intrusion method in South Korea, with LNK files making up the largest share of observed cases. The excerpt describes LNK payloads that extract embedded CAB archives and decoy documents, then run PowerShell, BAT, VBS, and other scripts for host information theft and additional malware download. Another observed LNK pattern delivered RAT malware through Dropbox API or Google Drive and created scripts and obfuscated payloads under locations such as %PUBLIC%. File lures included Korea-focused political, unification, defense, academic, and organizational themes, and the final RAT families named in the excerpt include XenoRAT and RoKRAT, which can support keylogging, screen capture, and attacker command execution.