April 2025 Threat Trend Report on APT Attacks (South Korea)

May 21, 2025, 8:24 p.m.

Description

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing was the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage and additional malware downloads, and Type B, which executes RAT malware such as XenoRAT and RoKRAT using the Dropbox API or Google Drive. The attacks often employ decoy documents and target specific individuals or groups with crafted emails. Various file names were used to disguise the malicious content, often mimicking official documents or applications. The report highlights the sophisticated nature of these APT attacks and their potential impact on South Korean targets.

Date

  • Created: May 14, 2025, 6:57 p.m.
  • Published: May 14, 2025, 6:57 p.m.
  • Modified: May 21, 2025, 8:24 p.m.

Indicators

  • 103.149.98.247
  • aomeioras2.r-e.kr
  • aomeio.r-e.kr

Attack Patterns