April 2025 APT Group Trends
2025-05-15 • AhnLab
AhnLab's April 2025 APT trend report highlights two DPRK-relevant campaigns. Konni used spear phishing that impersonated the Korean National Police Agency and National Human Rights Commission, first encouraging replies and then delivering LNK and AutoIt-based malware to activists tied to North Korean human rights and inter-Korean NGOs. Lazarus also breached at least six South Korean organizations through Operation SyncHole, a watering-hole campaign exploiting South Korean software components including Innorix Agent and Cross EX. Reported Lazarus tooling includes ThreatNeedle, wAgent, Agamemnon downloader, SIGNBT, and COPPERHEDGE, with victims in software, IT, finance, semiconductor manufacturing, and telecommunications.