April 2026 APT Attack Trend Report (South Korea)

2026-05-26 AhnLab April 2026 APT Attack Trend Report (South Korea)

https://asec.ahnlab.com/ko/93830/


AhnLab observed April 2026 APT activity against South Korean targets, with most infections beginning through spear-phishing emails that used spoofed senders, malicious attachments, and malicious links. The activity relied heavily on LNK files, PowerShell, curl.exe, AutoIt, HTA, VBS, BAT, Python, GitHub, Google Drive, and scheduled tasks to retrieve payloads, maintain persistence, and execute attacker commands. Several chains delivered decoy documents while collecting host information, listing files, uploading and downloading data, receiving commands through PubNub channels, or loading infostealers, keyloggers, backdoors, and XenoRAT-type malware. AhnLab provides MD5 hashes and malicious URLs tied to the observed campaigns, making the report useful for tracking South Korea-focused phishing tradecraft and payload delivery patterns.

