June 2025 APT Attack Trends Report (South Korea)
2025-07-15 • AhnLab
AhnLab observed that June 2025 APT activity in South Korea was dominated by spear phishing, with LNK-based attacks accounting for the largest share and HWP-based attacks increasing from the previous month. The LNK cases embedded malicious PowerShell in shortcut files, unpacked CAB content, executed BAT/PowerShell/VBS scripts, showed decoy documents, and collected host information or downloaded additional files. A second LNK pattern delivered RAT payloads, including XenoRAT and RoKRAT, through the Dropbox API or Google Drive, enabling keylogging, screenshots, and operator-directed activity. The lures referenced cryptocurrency transactions, virtual asset exchange accounts, bank transfers, tax-related funds, resumes, and investigation themes, showing tailored targeting of South Korean users.