Sangfor attributes a university-focused campaign to ScarCruft/APT37 after observing the group’s familiar oversized LNK delivery, cloud-storage staging, and RokRAT payload. The lure was a ZIP file posing as Korea National Intelligence Society conference material; its PDF-looking LNK extracted a decoy PDF and batch script, pulled an encrypted payload from OneDrive, and decrypted shellcode that launched RokRAT. The malware used pCloud, Yandex, and Dropbox for command and control, matching ScarCruft’s pattern of blending malicious traffic into legitimate cloud services. Account artifacts tied the activity to Korean-language phishing emails sent to a North Korea research email address, including seminar and private-video lures.