LNK Malware Distributed Under the Guise of a "North Korea Magazine Contribution Article"

2024-03-21 Secui

Command line fragment shown with the report (truncated in the source): start /min C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "

https://stic.secui.com/main/main/threatInfo?id=215


Secui STIC reports an APT37-style LNK campaign that used a North Korea-themed contribution-article lure to deliver RokRAT. The ZIP archive contained benign PDF decoys alongside a malicious LNK file; when the shortcut was opened, it launched PowerShell with a hidden window, extracted embedded files into the temp directory, and ran a chain consisting of a batch file and a script. The script loaded shellcode from Public.dat, XOR-decoded the data with the single-byte key 0x29, and executed RokRAT, a known malware family that uses cloud services such as Dropbox, pCloud, and Yandex for C2. STIC notes that this LNK-plus-PowerShell technique has been used by APT37 against Korean organizations for years, and lists hashes for the ZIP, the LNK, and the RokRAT payload.
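The two defender-relevant pieces of the chain above are the process-creation pattern (an LNK spawning a minimized cmd that launches 32-bit PowerShell with a hidden window) and the single-byte XOR 0x29 decoding of Public.dat. The following is an added example, not code from Secui STIC or from the report; it scores constructed process-creation log lines against that pattern and decodes a constructed XOR-encoded buffer. The `parent=... cmdline=...` log format, the scoring weights and the threshold are assumptions made for this illustration.

```python
"""Triage helpers for the LNK -> hidden PowerShell -> XOR-0x29 chain.

Added illustration only: the log line format, pattern weights and the
alert threshold are assumptions, not values taken from the STIC report.
"""
import re

XOR_KEY = 0x29  # single-byte key named in the report summary


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single-byte XOR (the Public.dat encoding described above)."""
    return bytes(b ^ key for b in data)


# Each entry: (case-insensitive regex, human-readable reason).
SUSPICIOUS_PATTERNS = [
    (r"\bstart\s+/min\b", "cmd 'start /min' launcher"),
    (r"powershell(\.exe)?", "powershell"),
    (r"-w(indowstyle)?\s+hidden", "hidden window requested"),
    (r"\\SysWow64\\WindowsPowerShell", "32-bit PowerShell path on a 64-bit host"),
    (r"%temp%|\\AppData\\Local\\Temp\\", "staging from the temp directory"),
    (r"\.bat\b", "batch file in the chain"),
]

ALERT_THRESHOLD = 3  # assumed: three or more matched indicators


def score_command_line(cmdline: str):
    """Return (score, reasons) for one command line."""
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS
               if re.search(pat, cmdline, re.IGNORECASE)]
    return len(reasons), reasons


def parse_line(line: str):
    """Parse a constructed 'parent=<image> cmdline=<text>' record."""
    m = re.match(r"parent=(\S+)\s+cmdline=(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_lines):
    """Flag records where a user-facing parent (explorer.exe, the process
    that resolves a double-clicked LNK) launches a high-scoring command."""
    hits = []
    for line in log_lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        parent, cmdline = parsed
        score, reasons = score_command_line(cmdline)
        if parent.lower() == "explorer.exe" and score >= ALERT_THRESHOLD:
            hits.append({"parent": parent, "score": score, "reasons": reasons})
    return hits


# Constructed sample records (not real telemetry). The first reuses the
# truncated command-line fragment shown with the report.
CONSTRUCTED_LOG = [
    r"parent=explorer.exe cmdline=C:\Windows\System32\cmd.exe /c start /min "
    r"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden",
    r"parent=devenv.exe cmdline=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File build.ps1",
    r"parent=explorer.exe cmdline=C:\Windows\System32\notepad.exe notes.txt",
]


if __name__ == "__main__":
    for hit in triage(CONSTRUCTED_LOG):
        print(hit)
    # Constructed buffer: 'MZ' header XOR 0x29 -> b"ds"; decoding restores it.
    print(xor_decode(b"ds"))
```

The scorer deliberately combines several weak signals: PowerShell alone is common in build and admin tooling (the second constructed line scores only 1), whereas a minimized launcher, a hidden window and the SysWow64 interpreter path together under explorer.exe are characteristic of the LNK technique described. Tune the threshold to the noise level of your own telemetry.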

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   cbc777d1e018832790482e6fd82ab18…    2024-03-21   2024-09-13
HASH   4f5d8bb87b68b943c1e4f05c12a8c08…    2024-03-21   2024-09-13
HASH   e914f39c7800f87e99ca4821c7a6d4a…    2024-03-21   2024-09-13
