Warning: RokRAT Malware Distributed via Malicious Hangul (.HWP) Documents
2025-07-22 • AhnLab • Cyber threat report on RokRAT
ASEC observed RokRAT being distributed through malicious Hangul (.HWP) documents rather than the LNK-based delivery more commonly associated with this malware. One lure, themed around North Korean grain distribution, embedded ShellRunas.exe and credui.dll as OLE objects, which the Hangul process automatically created in the %TEMP% directory. When the user clicked a hyperlink in the document and allowed execution, the Microsoft-signed ShellRunas.exe loaded the malicious credui.dll through DLL side-loading. That DLL downloaded a Dropbox-hosted file named Father.jpg which looked like a portrait image but carried shellcode used to load RokRAT in memory. The final RokRAT payload can collect user information and carry out attacker-directed actions, so the HWP-to-OLE-to-side-loading chain is a useful point for detection.