March 2025 APT Group Trends (South Korea)

April 10, 2025, 8:13 p.m.

Description

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CAB file with malicious scripts, and Type B, which downloads a CAB file containing a malicious Python script. Both types employ obfuscation techniques and execute multiple stages to perform various malicious activities, including information leakage and additional malware downloads. The attacks often use decoy files to appear legitimate and target specific individuals or groups with carefully crafted emails.

External References

https://asec.ahnlab.com/en/87400
https://otx.alienvault.com/pulse/67f812fb59069dbbe15c9c77
Tags
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files

Date

  • Created: April 10, 2025, 6:50 p.m.
  • Published: April 10, 2025, 6:50 p.m.
  • Modified: April 10, 2025, 8:13 p.m.

Attack Patterns

  • PebbleDash
  • NukeSped