May 2025 APT Group Trends (South Korea)

2025-06-12 AhnLab

https://asec.ahnlab.com/en/88472/

AhnLab’s May 2025 South Korea APT trend data identifies spear phishing as the dominant observed intrusion vector, with lures tied to tax reporting, privacy compliance, virtual assets, foreign exchange, and administrative submissions. The excerpt describes LNK files that embed or retrieve CAB archives, extract decoy documents, and execute PowerShell, batch, VBS, and Python components. One chain creates obfuscated BAT content in the TEMP folder, downloads a CAB archive, unpacks legitimate pythonw.exe with a malicious obfuscated Python script under ProgramData, and registers persistence through Task Scheduler. Named lure files include Overseas Financial Account Report (Amendment).hwp.lnk, Token Payment History Confirmation.docx.lnk, fwBureaucrat_Claim_Guide.lnk, and Certificate of Business Registration of the Korean Federation for Unification.pdf.lnk. The provided excerpt does not name a DPRK actor, but it is relevant to Korea-focused APT tracking because it documents active phishing delivery patterns and lure themes in South Korea.
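The chain summarized above (double-extension LNK lure, pythonw.exe dropped under ProgramData, Task Scheduler persistence) suggests three simple detection checks over process-creation telemetry. The code below is an added illustration, not AhnLab's tooling or data; the event records and paths (`C:\ProgramData\Upd\...`) are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records for illustration (not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\u\Downloads\Token Payment History Confirmation.docx.lnk"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\u\AppData\Local\Temp\x91f.bat"'},
    {"image": r"C:\ProgramData\Upd\pythonw.exe",
     "cmdline": r'"C:\ProgramData\Upd\pythonw.exe" C:\ProgramData\Upd\core.py'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn Upd /tr "C:\ProgramData\Upd\pythonw.exe C:\ProgramData\Upd\core.py"'},
    {"image": r"C:\Python312\pythonw.exe",  # benign: regular interpreter install path
     "cmdline": r'"C:\Python312\pythonw.exe" C:\Users\u\scripts\report.py'},
]

DOC_EXTS = {".hwp", ".doc", ".docx", ".xlsx", ".pdf"}

def is_double_ext_lnk(cmdline):
    """True if any argument is a shortcut named like a document, e.g. Report.hwp.lnk."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        suffixes = PureWindowsPath(tok).suffixes
        if len(suffixes) >= 2 and suffixes[-1].lower() == ".lnk" and suffixes[-2].lower() in DOC_EXTS:
            return True
    return False

def is_pythonw_in_programdata(image):
    """pythonw.exe executing from a ProgramData subfolder rather than an install directory."""
    p = PureWindowsPath(image)
    return p.name.lower() == "pythonw.exe" and any(part.lower() == "programdata" for part in p.parts[1:-1])

def is_task_for_programdata_pythonw(image, cmdline):
    """schtasks /create whose action runs pythonw.exe from ProgramData."""
    low = cmdline.lower()
    return (PureWindowsPath(image).name.lower() == "schtasks.exe" and "/create" in low
            and "pythonw.exe" in low and "programdata" in low)

def scan(events):
    """Return (event index, rule name) pairs for every record that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if is_double_ext_lnk(ev["cmdline"]):
            findings.append((i, "double-extension LNK lure"))
        if is_pythonw_in_programdata(ev["image"]):
            findings.append((i, "pythonw.exe running from ProgramData"))
        if is_task_for_programdata_pythonw(ev["image"], ev["cmdline"]):
            findings.append((i, "scheduled task persists ProgramData pythonw.exe"))
    return findings

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```

The benign record (pythonw.exe from its normal install path) produces no finding, so the ProgramData location, not the interpreter itself, is what the rule keys on.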
