Spies in the Cloud: Analysis of Recent Attack Activities by Group123
2023-07-11 • Qianxin • Spies in the Cloud: Analysis of recent attack activities by Group123
https://ti.qianxin.com/blog/articles/Cloud-Spy-Analysis-of-Recent-Attack-Activities-by-Group123-CN/
Group123, also tracked as ScarCruft/APT-Q-3 and linked by the source to North Korea, has recently increased attacks against South Korean targets using oversized LNK files disguised as legitimate documents. The campaign uses spear-phishing-style archives containing decoy PDF/HWP content about Korean defense, diplomacy, North Korea policy, or audio lures; double-clicking the LNK runs PowerShell, drops a date-named BAT file in %temp%, and retrieves follow-on payloads from OneDrive. The payload chain XOR-decrypts and reflectively injects RokRAT, a long-running Group123 remote-access trojan that can capture screenshots, log keystrokes, perform anti-VM checks, and use cloud services such as OneDrive, Box, Dropbox, and Yandex for C2. The report also notes large junk-filled LNK files and custom use of an EmbedExeLnk-style builder as evasion and delivery mechanisms.
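The oversized, junk-padded LNK launchers described above can be triaged offline by walking the Shell Link structure (header, IDList, LinkInfo, StringData, ExtraData) and measuring what lies beyond it. The Python below is an added example, not code from Qianxin or from the report; the size threshold, the finding names and the constructed sample shortcut are assumptions.

```python
import struct

# Shell Link header constants from MS-SHLLINK; the size threshold is an assumed triage value.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
SIZE_THRESHOLD = 1024 * 1024  # assumed: genuine shortcuts are normally a few KB, not megabytes

def parse_lnk(data: bytes) -> dict:
    """Walk the fixed header, skip IDList/LinkInfo, read StringData and ExtraData; report trailing bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if flags & bit:         # CountCharacters (2 bytes) then the characters, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    while pos + 4 <= len(data):  # ExtraData blocks are size-prefixed; a size < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    return {"strings": strings, "trailing_bytes": max(0, len(data) - pos)}

def triage_lnk(data: bytes) -> dict:
    """Flag the traits the report attributes to the campaign: oversized file, PowerShell launcher, junk tail."""
    info = parse_lnk(data)
    target = " ".join(info["strings"].get(k, "") for k in ("relative_path", "arguments")).lower()
    findings = []
    if len(data) > SIZE_THRESHOLD:
        findings.append("oversized_lnk")
    if "powershell" in target:
        findings.append("powershell_launcher")
    if info["trailing_bytes"] > len(data) // 2:  # most of the file sits after the last parsed structure
        findings.append("junk_padding_after_structure")
    return {"size": len(data), "strings": info["strings"], "trailing_bytes": info["trailing_bytes"], "findings": findings}

def build_sample_lnk(target: str, arguments: str, junk_len: int) -> bytes:
    """Constructed test input, not a real sample: minimal Unicode LNK with RelativePath, Arguments and a junk tail."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE) + bytes(76 - 24)
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + s(target) + s(arguments) + bytes(4) + b"\x00" * junk_len  # bytes(4) is the TerminalBlock
```

Run `triage_lnk` over the contents of a suspicious shortcut; a multi-megabyte file whose parsed structure ends within the first few hundred bytes is the shape the report describes.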