September 2025 APT Group Trends Report
2025-10-20 • AhnLab • September 2025 APT Group Trends Report
AhnLab’s September 2025 APT roundup highlights multiple North Korea-linked operations against South Korean defense, cryptocurrency, retail, and North Korea-focused research communities. Kimsuky used spear-phishing with MSC files disguised as Word documents, Google-hosted decoy content, scheduled-task persistence, AutoIt and batch scripts, process hollowing, and AI-generated deepfake military ID lures against defense-related organizations, researchers, activists, and journalists. The Lazarus section describes BeaverTail and InvisibleFerret variants delivered through ClickFix social engineering, fake job platforms, malicious repositories, compiled packages, and password-protected archives targeting Web3, trading, marketing, and retail personnel across Windows, macOS, and Linux. TA-RedAnt/APT37 activity used Rustonotto, Chinotto, and FadeStealer against South Korea-based people working on North Korea-related international relations, politics, academia, and research, combining LNK/CHM lures, PowerShell, Process Doppelgänging, persistence, keylogging, screenshots, audio capture, and USB/MTP collection. The report is useful because it shows DPRK-linked actors broadening lures and tooling while continuing to prioritize defense intelligence, cryptocurrency theft, and surveillance of North Korea-related communities.