June 2025 APT Group Trends

2025-07-17 AhnLab

https://asec.ahnlab.com/en/89067/


AhnLab’s June 2025 APT trend roundup highlights several North Korea-linked operations, including GitHub PAT abuse against private repositories and remote IT worker schemes using forged credentials, RMM tools, VPNs, and accomplices. The excerpt describes Kimsuky conducting a three-stage spear-phishing operation against South Korea’s defense and military sector through Facebook, email, and Telegram, delivering AppleSeed via EGG-compressed malicious files and using WSH, regsvr32, encryption, and C2 for persistence and exfiltration. It also details a Kimsuky campaign impersonating a Korean law firm to target people facing financial, legal, and cryptocurrency issues, using LNK and PowerShell downloaders, Dropbox delivery, private GitHub repositories, hardcoded PATs, and XenoRAT for keylogging and data theft. The report matters because it shows DPRK-linked actors combining social engineering, legitimate developer/cloud platforms, remote-access tooling, and tailored lures to support both espionage and financially motivated activity.
