July 2025 APT Attack Trends Report (South Korea)
2025-08-19 • AhnLab
AhnLab observed that July 2025 APT activity in South Korea was dominated by spear-phishing, with LNK-based delivery making up the largest share of identified cases. The LNK files executed malicious PowerShell commands, unpacked CAB archives, ran scripts such as BAT, PS1 and VBS files, and could leak host information or download additional payloads. A second LNK cluster used the Dropbox API or Google Drive to retrieve scripts and obfuscated RAT malware, including XenoRAT and RoKRAT, enabling keylogging, screenshots and other operator-directed actions. The lures used finance, blockchain and digital-asset themes, military and security topics, and a North Korean defector settlement academy document, which makes the activity relevant to anyone monitoring Korean-language APT tradecraft and social-engineering patterns.
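A defender-side triage helper for the LNK delivery chain described above, added here as an example and not part of the AhnLab report: it parses the Shell Link header and StringData fields (per the MS-SHLLINK layout) to recover the target path and command-line arguments, then matches them against an indicator list assumed from the chain in the text (PowerShell launch, CAB expand, BAT/PS1/VBS scripts, Dropbox API and Google Drive hosts). The two sample shortcuts are constructed in-script, and the indicator strings and the two-hit threshold are assumptions to tune for your environment.

```python
import struct

# LinkFlags bits from the Shell Link header (MS-SHLLINK 2.1.1).
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
# Assumed indicator strings derived from the chain in the report summary; tune before use.
INDICATORS = ("powershell", "expand ", ".cab", ".bat", ".ps1", ".vbs",
              "dropboxapi.com", "drive.google.com")

def build_lnk(rel_path, args):
    """Constructed minimal LNK: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS only."""
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + UTF-16LE
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                      0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL
    return hdr + sd(rel_path) + sd(args)

def parse_lnk(data):
    """Return the StringData fields of a Shell Link; the launch command lives here."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_IDLIST:    # skip IDListSize (u16) plus the item list it counts
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            n, off = struct.unpack_from("<H", data, off)[0], off + 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[off:off + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += n * width
    return fields

def triage(data):
    """Flag a shortcut whose target/arguments match the LNK-to-PowerShell delivery pattern."""
    fields = parse_lnk(data)
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = [i for i in INDICATORS if i in cmd]
    return {"fields": fields, "indicators": hits, "suspicious": "powershell" in hits and len(hits) > 1}

# Constructed samples, not real artifacts: a lure-style shortcut and a plain document shortcut.
SAMPLE_LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        r'-w hidden -c "expand lure.cab -F:* %TEMP%; & %TEMP%\run.bat"')
SAMPLE_BENIGN = build_lnk(r"..\Documents\report.docx", "")
```

Real-world shortcuts usually carry an IDList and LinkInfo block before the StringData, which the parser skips by their size fields; ExtraData blocks after the strings are ignored.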