Operation Artemis: Analysis of HWP-Based DLL Side-Loading Attacks

2025-12-21 Genians Operation Artemis: Analysis of HWP-Based DLL Side-Loading Attacks

https://www.genians.co.kr/blog/threat_intelligence/dll


Genians identifies Operation Artemis as an APT37 campaign that used spear-phishing and malicious HWP/HWPX documents against South Korean targets interested in North Korea, human rights, abduction issues, broadcast interviews, seminars, and policy events. The infection chain begins when embedded HWP OLE objects disguised as hyperlinks create a malicious version.dll in the temporary directory and launch renamed Sysinternals VolumeId utilities such as Volumeid1.exe, vhelp.exe, or mhelp.exe for DLL side-loading. The side-loaded DLL hides payloads behind layered XOR decryption, activates x64 shellcode, and ultimately delivers RoKRAT, while the campaign also reuses APT37 tradecraft involving steganographic image payloads. Document metadata and repeated PDB paths, including Artemis-related fields and HwpOLE build paths, connect multiple samples into a consistent campaign observed from August through November. RoKRAT analysis identified Yandex Cloud tokens and account reuse tied to earlier APT37 cloud-service abuse, showing continued reliance on legitimate cloud platforms for C2 and payload operations.

Indicators of Compromise

