Monthly Threat Actor Group Intelligence Report, January 2025 (ENG)

2025-03-13 NSHC

https://redalert.nshc.net/2025/03/13/monthly-threat-actor-group-intelligence-report-january-2025-eng/


NSHC's January 2025 threat actor report identifies four SectorA clusters, the report's North Korea-aligned grouping, active across Brazil, the United States, Russia, Poland, the Netherlands, France, South Korea, the United Kingdom, and Japan. SectorA01 used fake recruiter personas on LinkedIn, Telegram, and Discord to push targets into copying and executing commands that installed backdoor malware. SectorA04 targeted asset management and DLP solutions in Brazil and South Korea to obtain control-server permissions and deploy backdoor and keylogging malware. SectorA05 used defense-themed HWP spear-phishing with OLE objects and scheduled-task payload delivery in South Korea, while SectorA07 used LNK malware disguised as tax collection documents to run VBS and batch scripts for host profiling and additional malware download.
