This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and download additional malware, and Type B, which employs LNK files to download and execute obfuscated Python scripts. Both types use deception techniques, including decoy documents and task scheduler manipulation. The attacks targeted various sectors, using topics such as financial reporting, privacy protection, and business registration to lure victims. The report provides detailed information on file names, decoy documents, and indicators of compromise, including MD5 hashes, URLs, FQDNs, and IP addresses associated with the malicious activities.
Author: AlienVault
Related Tags:
python scripts
decoy documents
T1059.006
LNK files
T1053.005
south korea
Obfuscation
T1547.001
T1059.001
Associated Indicators:
083BF200CBB89B1FD368FEF56ADD067F
069F1877BE4F0BF3D7E55E3793C8972F
015DB68852FEA91F92BAC7719450A0A2
016CB8B6A89CAC5088CFC30E11C169B4
213.145.86.223
103.149.98.239
103.149.98.230
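The following is an added example, not part of the original pulse, showing how a defender might sweep logs for the indicators listed above. The MD5 hashes and IP addresses are the ones given on this page; the log format (a `key=value` line with a timestamp and source tag), the host names, the benign hashes and the 203.0.113.10 address are constructed for the example. The third rule approximates the task-scheduler persistence (T1053.005) the summary mentions by flagging `schtasks.exe` launched from a script interpreter; the `SCRIPT_HOSTS` list is an assumption, not something the report states.

```python
"""Sweep constructed log lines for the indicators in this pulse.

Added example, not code from the original report. The indicator values are
taken from the page; everything else (log layout, hosts, benign values) is
constructed for illustration.
"""
import re

# MD5 hashes and IP addresses listed in the pulse, normalized to lower case.
IOC_MD5 = {
    "083bf200cbb89b1fd368fef56add067f",
    "069f1877be4f0bf3d7e55e3793c8972f",
    "015db68852fea91f92bac7719450a0a2",
    "016cb8b6a89cac5088cfc30e11c169b4",
}
IOC_IP = {"213.145.86.223", "103.149.98.239", "103.149.98.230"}

# Assumed set of script interpreters; used by the behavioral rule below.
SCRIPT_HOSTS = {"powershell.exe", "python.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}

# Constructed sample logs: "<timestamp> <source> key=value ...".
# 203.0.113.10 (TEST-NET-3) and the all-zero / ABCDEF... hashes are benign placeholders.
SAMPLE_LOGS = [
    "2025-05-12T09:14:03Z proxy src=10.0.0.21 dst=213.145.86.223 method=GET",
    "2025-05-12T09:14:05Z proxy src=10.0.0.21 dst=203.0.113.10 method=GET",
    "2025-05-12T09:14:06Z endpoint host=WS21 parent=explorer.exe image=powershell.exe md5=083BF200CBB89B1FD368FEF56ADD067F",
    "2025-05-12T09:14:09Z endpoint host=WS21 parent=powershell.exe image=schtasks.exe md5=ABCDEF0123456789ABCDEF0123456789",
    "2025-05-12T09:15:00Z endpoint host=WS22 parent=explorer.exe image=winword.exe md5=00000000000000000000000000000000",
]

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict of fields plus _ts and _source."""
    parts = line.split(" ", 2)
    ts, source = parts[0], parts[1]
    rest = parts[2] if len(parts) > 2 else ""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["_ts"] = ts
    fields["_source"] = source
    return fields


def classify(fields):
    """Return a list of (rule, matched_value) hits for one parsed line."""
    hits = []
    md5 = fields.get("md5", "").lower()
    if md5 in IOC_MD5:
        hits.append(("ioc_hash", md5))
    dst = fields.get("dst")
    if dst in IOC_IP:
        hits.append(("ioc_ip", dst))
    # Behavioral rule: scheduled-task creation spawned by a script interpreter.
    image = fields.get("image", "").lower()
    parent = fields.get("parent", "").lower()
    if image == "schtasks.exe" and parent in SCRIPT_HOSTS:
        hits.append(("T1053.005", parent))
    return hits


def scan(lines):
    """Run every rule over every line; return (ts, host_or_src, rule, value) alerts."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        where = f.get("host", f.get("src", "?"))
        for rule, value in classify(f):
            alerts.append((f["_ts"], where, rule, value))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(" ".join(alert))
```

Running the block prints three alerts: the proxy connection to a listed IP, the PowerShell image whose hash is listed, and the `schtasks.exe` launch from PowerShell; the two benign lines produce nothing. Hash comparison is case-insensitive because endpoint tools emit MD5s in either case.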