August 2025 APT Group Trends Report
2025-09-10 • AhnLab • August 2025 APT Group Trends Report
AhnLab’s August 2025 APT trend report highlights North Korea-linked campaigns against South Korean policy, media, finance, technology, and diplomatic targets. One Kimsuky case used a journalist impersonation lure against a policy institute, delivering an encrypted ZIP with a disguised LNK that ran PowerShell, created persistence, and downloaded follow-on scripts from C2. A separate DPRK-linked embassy campaign targeted European diplomatic missions and foreign ministry personnel in Seoul from March to July 2025, using password-protected ZIPs, double-extension LNK files, in-memory PowerShell loading, and a XenoRAT variant. The campaigns abused legitimate services including GitHub, Dropbox, Daum large-file links, and other cloud platforms for staging or C2, reinforcing the operational challenge of detecting espionage activity hidden behind trusted infrastructure.