December 2025 APT Attack Trend Report (South Korea)

ID: f95dc7d0-4887-5860-9939-5b16a12b6682

STIX ID: report--f95dc7d0-4887-5860-9939-5b16a12b6682

Feed Name: ASEC

Threat Score: 85/100

Date Published: 2026-01-13

Date Updated: 2026-04-26

Author: ATCP

AhnLab monitored multiple APT campaigns targeting South Korea in December 2025 and reports spear-phishing with malicious LNK attachments as the dominant vector. The report identifies two LNK-based types: one delivers RATs (confirmed XenoRAT and RoKRAT) via PowerShell and cloud downloads; the other drops AutoIt-based payloads by copying curl.exe and registers Task Scheduler jobs for persistence. Sample filenames, MD5 hashes and malicious URLs are provided as IOCs.