RokRAT malware distributed through link files (*.lnk): RedEyes (ScarCruft)

2023-04-21 Ahnlab RokRAT malware distributed through link files (*.lnk): RedEyes (ScarCruft)

https://asec.ahnlab.com/ko/51628/


AhnLab reported that RedEyes (also tracked as APT37 or ScarCruft) was distributing RokRAT through malicious LNK files, following earlier activity that used CHM files disguised as security mail from domestic financial companies. The LNK files carried PowerShell commands that extracted and opened a decoy PDF while dropping a BAT script into the user's temp directory and executing it. The final PowerShell stage downloaded encoded data from OneDrive share URLs, decoded it, and injected RokRAT into a PowerShell process. RokRAT collected user information and could download additional malware, then used cloud services such as pCloud and Yandex for exfiltration while disguising its User-Agent as Googlebot.
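The LNK stage described above is where a defender can triage quickly, because a shortcut's embedded command line, its ShowCommand value, and any data appended after the shortcut structure are all readable from the MS-SHLLINK format. The following Python is an added example (not AhnLab's code and not a RedEyes sample) that parses those fields from a constructed LNK and flags the traits the report describes; the SUSPICIOUS token list, the 1 KB overlay threshold and the synthetic sample are assumptions.

```python
import struct
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE, SW_SHOWMINNOACTIVE = 0x10, 0x20, 0x40, 0x80, 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Argument tokens worth a second look in any shortcut (assumption: a local heuristic list, not AhnLab's)
SUSPICIOUS = ("powershell", "-windowstyle hidden", "-w hidden", "-nop", "-enc", "invoke-expression")

def parse_lnk(data):
    """Read the header, skip IDList/LinkInfo, decode StringData, walk ExtraData, measure the overlay."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_cmd = (struct.unpack_from("<I", data, o)[0] for o in (20, 60))
    off = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    info, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:      # each item: 2-byte char count, then an unterminated string
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0] * width
            info[key] = data[off + 2:off + 2 + n].decode("utf-16-le" if width == 2 else "latin-1")
            off += 2 + n
    size = 4
    while size >= 4 and off + 4 <= len(data):   # ExtraData blocks; BlockSize < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, off)[0]
        off += max(size, 4)
    info.update(show_command=show_cmd, overlay_size=max(0, len(data) - off))
    return info

def assess(info, overlay_threshold=1024):
    """Return the reasons a shortcut deserves analyst attention (empty list if none)."""
    hits = [t for t in SUSPICIOUS if t in info.get("arguments", "").lower()]
    findings = [f"arguments reference {', '.join(hits)}"] if hits else []
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized and inactive (SW_SHOWMINNOACTIVE)")
    if info["overlay_size"] >= overlay_threshold:
        findings.append(f"{info['overlay_size']} bytes appended after the TerminalBlock")
    return findings

def build_sample(arguments, show_cmd=SW_SHOWMINNOACTIVE, overlay=b""):
    """Construct a minimal test LNK (no target path); a synthetic stand-in, not a real RedEyes sample."""
    u = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    hdr = struct.pack("<I16sII", 0x4C, LINK_CLSID, IS_UNICODE | HAS_NAME | HAS_ARGS, 0x20)
    hdr += b"\x00" * 24 + struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)
    return hdr + u("Document") + u(arguments) + b"\x00" * 4 + overlay
# Constructed sample: hidden PowerShell in the arguments and ~2 KB of data appended after the TerminalBlock
SAMPLE_LNK = build_sample('/c powershell -windowstyle hidden -nop -c "<constructed placeholder>"',
                          overlay=b"%PDF-1.4 " + b"\x00" * 2048)
```

Running `assess(parse_lnk(open(path, "rb").read()))` over a directory of attachments gives a first-pass triage list; an oversized overlay on a shortcut that claims to be a document is the trait most specific to this campaign's LNK stage.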

Indicators of Compromise

