May 2025 APT Group Trends
2025-06-12 • AhnLab
AhnLab’s May 2025 APT trend roundup highlights North Korean activity against Ukrainian government agencies and broader attempts to infiltrate organizations by posing as workers in cybersecurity and other industries. The Konni section describes February 2025 phishing against Ukrainian government agencies using a Proton Mail account impersonating Microsoft security alerts, credential-harvesting links, HTML attachment malware delivery, and PowerShell-based C2 communication. The report frames that activity as strategic information gathering after North Korea’s troop deployment in support of Russia. A separate TA-RedAnt/APT37 case targeted South Korean national-security think tanks and North Korea-related activists with spear-phishing ZIP files containing Dropbox links and LNK shortcuts that deployed RokRAT, with CVE-2022-41128 listed in the table. The DPRK-relevant sections show North Korean-linked actors using tailored phishing, cloud services, LNK execution, and credential theft across both Ukraine-focused and South Korea-focused operations.