September 2025 APT Attack Trends Report (Domestic)
2025-10-15 • AhnLab • September 2025 Domestic APT Attack Trends Report
AhnLab's September 2025 domestic APT monitoring found that spear phishing was the dominant intrusion method against South Korean targets, with LNK-based delivery accounting for the largest share of observed cases. One LNK cluster used embedded PowerShell to extract CAB and decoy document data, unpack scripts such as BAT, PS1, and VBS files, and support host information theft or additional malware downloads. Another cluster delivered RAT malware through archives containing legitimate-looking files, using Dropbox API or Google Drive and local paths such as %PUBLIC% to stage scripts and obfuscated payloads. The report identifies XenoRAT and RoKRAT among the final RAT payloads and lists lure filenames tied to finance, cryptocurrency receipts, personal information compliance, insurance, newsletters, and Korean geopolitical themes.