Malware presumed to have been created by North Korea's APT Reaper, impersonating a North Korean defector and targeting the Korea Institute of Maritime and Fisheries Technology - 정보접근권.lnk (Information Access Rights.lnk) (2024.11.1)

2024-11-04 Sakai Malware Created by North Korea's APT Reaper, Presumed to Impersonate a North Korean Defector and Target the Korea Institute of Maritime and Fisheries Technology - Information Access Rights.lnk (2024.11.1)

https://wezard4u.tistory.com/429316


The sample is attributed in the excerpt to Reaper/APT37 and uses a Windows LNK file with a defector-themed lure connected to the Korea Institute of Maritime and Fisheries Technology. The LNK masquerades with a Microsoft Edge icon, extracts and opens an embedded PDF decoy, writes caption.dat and elephant.dat into the temporary directory, creates a batch file, and deletes the original shortcut to reduce visible traces. The execution chain starts hidden PowerShell, loads script content from elephant.dat, XOR-decrypts the payload in caption.dat with the key "d", allocates executable memory through kernel32 APIs, and runs the payload via CreateThread. The body provides hashes for the LNK and pCloud API URLs used for file access, making the sample useful for tracking APT37/RoKRAT-style shortcut-based delivery and in-memory execution tradecraft against South Korea-related targets.
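The single-byte XOR stage described above (caption.dat decrypted with the key "d" before being mapped into memory) is the point a responder usually needs to reproduce offline to see what the shortcut actually stages. The following is an added triage helper, not code from the original post or from the malware: it decodes a blob with a given key, classifies the result as a PE image, script text or unknown, and can brute-force all 256 single-byte keys when the key is not recoverable from the script stage. The encrypted sample it runs on is constructed inline; the only values taken from the page are the key "d" and the file name caption.dat.

```python
"""
Added example (not from the original post): offline triage of a single-byte
XOR-encrypted payload blob such as the caption.dat stage described above.
The sample data below is constructed for the example.
"""
from __future__ import annotations

import string

PRINTABLE = set(string.printable.encode())


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. With a one-byte key such as b"d" this is the
    same operation the loader applies to caption.dat before execution."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def classify(decoded: bytes) -> str:
    """Rough classification of decoded output for triage:
    'pe' for an MZ header, 'text' for mostly printable data, else 'unknown'."""
    if decoded[:2] == b"MZ":
        return "pe"
    if decoded and sum(b in PRINTABLE for b in decoded) / len(decoded) > 0.95:
        return "text"
    return "unknown"


def brute_force_single_byte(blob: bytes) -> list[tuple[int, str]]:
    """Try every single-byte key and return (key, kind) for outputs that
    look like a PE or script. Useful when elephant.dat (the script stage)
    is missing and the key is not known; expect a few false 'text' hits."""
    hits = []
    for k in range(256):
        kind = classify(xor_decode(blob, bytes([k])))
        if kind != "unknown":
            hits.append((k, kind))
    return hits


# Constructed sample: a fake PE-like stub encrypted with the key "d" (0x64).
# This stands in for caption.dat; it is not the real payload.
_CONSTRUCTED_PLAIN = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
CONSTRUCTED_CAPTION = xor_decode(_CONSTRUCTED_PLAIN, b"d")

if __name__ == "__main__":
    decoded = xor_decode(CONSTRUCTED_CAPTION, b"d")
    print("key 'd' ->", classify(decoded))
    print("brute-force hits:", brute_force_single_byte(CONSTRUCTED_CAPTION))
```

On a real case, read the staged file from the temporary directory into `blob`, decode with `b"d"`, and feed a `"pe"` result to a static analyser rather than executing it; the brute-force path is only a fallback and its text hits need a manual look because short padded buffers produce printable noise for several keys.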

Indicators of Compromise

Type    Value                                   First Seen   Last Seen
HASH    89c0d2cc1e71b17449eec454161d60da        2024-11-01   2025-02-19
URL     https://api.pcloud.com/getfilel…        2024-11-04   2024-11-04
URL     https://api.pcloud.com/listfold…        2024-11-04   2024-11-04
HASH    707e8cb56f32209ca837f2853801256…        2024-11-01   2024-11-04
HASH    e9528f09f1e58ffc308893087f4a8b7…        2024-11-01   2024-11-04
DOMAIN  telegram-df.org                         2024-10-30   2024-11-04
