RokRAT malware created by the North Korean hacking group APT37 (Reaper): "북한이탈 주민의 성공적인 남한정착을 위한 아카데미 운영.lnk" (2025.7.21)

2025-08-21 Sakai RokRAT Malware Created by North Korean Hacking Group APT37 (Reaper) - Academy Operation for Successful Resettlement of North Korean Defectors in South Korea.lnk (2025.7.21)

https://wezard4u.tistory.com/429575


A Korean-language analysis attributes a malicious LNK lure to APT37/Reaper and identifies RokRAT delivery through a decoy about an academy for the successful resettlement of North Korean defectors in South Korea. The shortcut locates PowerShell, finds its own oversized LNK file by a specific file size, extracts an embedded HWP decoy, encrypted executable data, a string file, and a batch script from fixed offsets, and then executes the generated files from the temporary directory. The payload is described as XOR-encrypted with the single-byte key 0x35 and loaded in memory through dynamically declared Windows APIs, including GlobalAlloc, VirtualProtect, CreateThread, and WaitForSingleObject. The lure theme and decoy content suggest targeting of people connected to North Korean defector, unification, or security-policy communities.
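The two traits the summary describes, a shortcut far larger than any real link and an executable masked with a one-byte XOR key, are both cheap to check on a file before it is ever opened. The triage helper below is an added example, not code from the analysis or from the blog it summarises. It assumes a 64 KiB "oversized" threshold for shortcuts, uses the 0x35 key reported above, and builds its own constructed sample in memory; the payload offsets of the real lure are not on the page and are not assumed here, so the scan simply slides over the file looking for an XOR-masked PE header (the `MZ` stub plus the `PE\0\0` signature reached through `e_lfanew`), which also rules out random `MZ`-looking byte pairs.

```python
"""Triage helper for oversized LNK lures carrying XOR-masked payloads.

Added example (not the original analysis' code). Assumptions: a 64 KiB
threshold for "oversized" shortcuts and the XOR key 0x35 from the report;
the sample file is constructed here, not taken from the real lure.
"""
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"
# CLSID 00021401-0000-0000-C000-000000000046 as laid out on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
XOR_KEY = 0x35                   # key reported in the analysis
OVERSIZE_THRESHOLD = 64 * 1024   # assumption: ordinary shortcuts are far smaller


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both masks and unmasks."""
    return bytes(b ^ key for b in data)


def is_lnk(data: bytes) -> bool:
    """ShellLinkHeader starts with HeaderSize 0x4C followed by the shell-link CLSID."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def find_masked_pe(data: bytes, key: int = XOR_KEY) -> list[int]:
    """Return offsets at which an XOR(key)-masked PE image appears to begin.

    A hit needs both the masked 'MZ' and, at the offset stored in e_lfanew
    (0x3C into the image, also masked), the masked 'PE\\0\\0' signature.
    """
    masked_mz = xor_bytes(b"MZ", key)
    masked_pe = xor_bytes(b"PE\x00\x00", key)
    hits = []
    start = 0
    while (pos := data.find(masked_mz, start)) != -1:
        start = pos + 1
        lfanew_raw = data[pos + 0x3C:pos + 0x40]
        if len(lfanew_raw) < 4:
            break
        lfanew = struct.unpack("<I", xor_bytes(lfanew_raw, key))[0]
        if 0x40 <= lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == masked_pe:
            hits.append(pos)
    return hits


def triage_lnk(data: bytes) -> dict:
    """Summarise why a shortcut looks like a dropper rather than a plain link."""
    result = {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > OVERSIZE_THRESHOLD,
        "masked_pe_offsets": find_masked_pe(data),
    }
    result["suspicious"] = result["is_lnk"] and (
        result["oversized"] or bool(result["masked_pe_offsets"])
    )
    return result


def build_sample() -> bytes:
    """Constructed sample: a minimal 76-byte LNK header, zero filler, then a fake PE masked with 0x35."""
    header = LNK_MAGIC + LNK_CLSID + bytes(76 - 20)
    fake_pe = bytearray(0x100)
    fake_pe[0:2] = b"MZ"
    fake_pe[0x3C:0x40] = struct.pack("<I", 0x80)   # e_lfanew -> 0x80
    fake_pe[0x80:0x84] = b"PE\x00\x00"
    filler = bytes(OVERSIZE_THRESHOLD)              # push the file past the threshold
    return header + filler + xor_bytes(bytes(fake_pe))


# Where the masked image lands inside the constructed sample.
SAMPLE_PE_OFFSET = 76 + OVERSIZE_THRESHOLD


if __name__ == "__main__":
    print(triage_lnk(build_sample()))
```

Run on a real sample, the `masked_pe_offsets` list tells you where to start carving without knowing the dropper's hard-coded offsets in advance; a hit at a non-zero offset inside a file that still parses as a valid shortcut is, on its own, a strong reason to quarantine it.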

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    443a00feeb3beaea02b2fbcd4302a3c9   2025-08-03  2026-01-14
HASH    65f79b9fa476e9aafec16a7995b39c7…   2025-08-21  2025-08-21
HASH    ccb6ca4cb385db50dad2e3b7c68a90d…   2025-08-21  2025-08-21
DOMAIN  ystem.io                           2023-09-26  2025-08-21
