Beware of RokRAT malware being distributed disguised as an academic paper!

2025-03-27 ESTsecurity warning: RokRAT malware distributed disguised as an academic paper

https://alyacofficialblog.tistory.com/5545


ESTsecurity warns that RokRAT malware is being distributed through a malicious LNK (shortcut) file disguised as an academic paper under submission in the defense field. When the shortcut is opened, it runs PowerShell code embedded in the LNK, which drops a decoy PDF together with toy01.dat, toy02.dat, and toy03.bat into the user's temporary directory, opens the decoy so the victim sees the expected document, launches the batch chain, and deletes the original LNK to remove the lure. The report identifies toy01.dat as the encoded RokRAT payload and describes a staged execution flow in which the decoy distracts the victim while the malware components are unpacked. Defenders should hunt for academic-paper themed LNK lures, PowerShell launched by a shortcut rather than typed by a user, toy*.dat or toy*.bat artifacts in %TEMP%, and RokRAT-related network or host indicators.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  723f80d1843315717bc56e9e58e89be5  2025-03-27  2025-05-12
HASH  46ca088d5c052738d42bbd6231cc0ed5  2025-03-27  2025-05-12
HASH  2f431c4e65af9908d2182c6a093bf262  2025-03-27  2025-05-12
HASH  5673019b36eca2cb5ce27f206f49b594  2025-03-27  2025-03-27
