Genians identified Operation ToyBox Story as a March 2025 APT37 spear-phishing campaign against activists and experts working on North Korea issues. The lures impersonated a North Korea-focused expert and a South Korean national security think tank event, directing recipients to Dropbox-hosted ZIP files containing malicious LNK shortcuts. When opened, the LNK files executed hidden PowerShell commands, staged BAT and DAT files under the temporary directory, transformed shellcode with XOR logic, and loaded RoKRAT in memory. The RoKRAT payload gathered system information, screenshots, process and removable-drive data, supported command execution and cleanup routines, and communicated through cloud-service C2 infrastructure, including Dropbox and API patterns for pCloud and Yandex. The report links the activity to APT37’s repeated use of cloud services, fileless techniques, and RoKRAT variants with limited code changes to reduce antivirus detection.