ScarCruft Malware (Scarcruft ROKRAT): Emergence of a New Distribution Method

2026-02-03 S2W Scarcruft ROKRAT Malware: Emergence of a New Distribution Method

https://s2w.inc/ko/resource/detail/1011


S2W reports that ScarCruft is delivering ROKRAT through a newer HWP OLE-based chain, moving beyond its earlier LNK-, BAT-, and shellcode-heavy infection paths. In the observed cases, malicious DLLs named mpr.dll, credui.dll, and version.dll are embedded as OLE objects in Hangul (HWP) documents and are most likely executed through DLL sideloading, that is, placed beside a legitimate program that loads a DLL of that name. All three names belong to genuine Windows system DLLs, so a practical detection check is a DLL with one of those names being loaded from a user-writable or non-system path rather than from System32. Shared technical features include ROR13-based API hash resolving, XOR-based payload recovery using the key 0x29, in-memory execution of ROKRAT, Dropbox-hosted steganographic shellcode in one case, and abuse of the pCloud and Yandex cloud services for command and control. The recurring API hashing routine, the 0x29 XOR key, and the cloud-token handling link this activity to known ScarCruft tradecraft and show continued evolution of document-based delivery for this DPRK-linked information-stealing malware family.
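The following is a worked example added here; it is not code from the S2W report or from the ROKRAT samples. It implements the two loader building blocks the summary names, ROR13 API hashing (so that hashes found in a loader can be mapped back to export names and located in a byte blob) and single-byte XOR recovery with the reported 0x29 key. The hash variant (plain ROR13 over ASCII export names, no module-name seed, case preserved) is the textbook one and is an assumption about these samples; the byte strings are constructed for demonstration. The LoadLibraryA value 0xEC0E4E8E is the standard hash for that variant.

```python
"""ROR13 API-hash resolver and single-byte XOR payload recovery.

Added example, not S2W's or the samples' own code. Assumes the classic
ROR13 variant (no module seed, case preserved); the ROKRAT loaders may
differ, so confirm against one known hash from a real sample first.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic shellcode API hash: h = ror13(h) + byte, over each ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Export names an analyst would typically precompute; extend with the full
# export tables of kernel32/ntdll/advapi32 when working a real sample.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WinExec", "ExitProcess", "WriteProcessMemory",
]


def build_hash_table(names=KNOWN_EXPORTS) -> dict:
    """Map ROR13 hash -> export name so hashes seen in a loader can be named."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes, table=None) -> list:
    """Return the export name for each hash, or a hex placeholder if unknown."""
    table = table if table is not None else build_hash_table()
    return [table.get(h, f"UNKNOWN_0x{h:08X}") for h in hashes]


def find_hash_constants(blob: bytes, table=None) -> list:
    """Scan a blob for little-endian u32 constants that match known hashes.

    Returns (offset, name) pairs; this is how the hash list of a loader is
    usually spotted before the resolver routine itself is identified.
    """
    table = table if table is not None else build_hash_table()
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, table[val]))
    return hits


def xor_recover(blob: bytes, key: int = 0x29) -> bytes:
    """Single-byte XOR recovery; 0x29 is the key reported for these samples."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a recovered in-memory payload should start with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: a fake PE header stub XOR-encoded with 0x29 (not a real
# ROKRAT payload), to show that recovery yields an 'MZ'-prefixed buffer.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 4 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_recover(SAMPLE_PLAINTEXT, 0x29)  # XOR is its own inverse

# Constructed loader fragment: two hash constants among filler bytes.
SAMPLE_LOADER_BYTES = (
    b"\x55\x8b\xec"
    + struct.pack("<I", ror13_hash("LoadLibraryA"))
    + b"\x90\x90"
    + struct.pack("<I", ror13_hash("VirtualAlloc"))
)


if __name__ == "__main__":
    for h, n in build_hash_table().items():
        print(f"0x{h:08X}  {n}")
    print(resolve_hashes([0xEC0E4E8E, 0xDEADBEEF]))
    print(find_hash_constants(SAMPLE_LOADER_BYTES))
    recovered = xor_recover(SAMPLE_ENCODED)
    print(looks_like_pe(recovered), recovered[:4])
```

If a hash pulled from a real loader does not resolve, the usual variations to try before concluding it is a different algorithm are uppercase names, UTF-16 encoding, a trailing NUL byte included in the hash, and a module-name hash added to the function hash; one confirmed match on a common export such as LoadLibraryA fixes the variant for the whole table.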
