May 2026 APT Attack Trend Report (Domestic)

2026-06-29 Ahnlab May 2026 APT Attack Trend Report (Domestic)

https://asec.ahnlab.com/ko/94270/


AhnLab observed May 2026 domestic APT activity in South Korea dominated by spear-phishing delivery, especially malicious LNK files and some CHM-based attacks. The infection chains used PowerShell, curl, HTA, VBS, BAT, XML, JS, AutoIt, Python, DLL side-loading, regsvr32, certutil, GitHub, and Google Drive to stage decoys, loaders, infostealers, keyloggers, XenoRAT-like malware, and backdoors. Several variants created scheduled tasks for persistence and supported command execution, directory listing, file upload/download, system information theft, and additional script execution from external C2 infrastructure. AhnLab published hashes, URLs, and domains tied to the observed activity and listed product detections for related backdoor, downloader, infostealer, LNK, JSE, VBS, Python, and XML-task components.

Indicators of Compromise

