Comparison of Malware From Two Attack Groups Disguised as Hangul Documents
2025-03-04 • Logpresso • Comparison of Malware From Two Attack Groups Disguised as Hangul Documents
https://logpresso.com/ko/blog/2025-03-04-comparison-of-malware-disguised-as-a-hangul-document
Logpresso compares two Korean-language document lure cases and attributes them separately to APT37 and Konni on the basis of file structure, execution flow, metadata, C2 behavior, and decryption keys. The APT37 case used a Hangul document whose title referenced North Korean influence themes, abused an embedded OLE object, dropped batch and PowerShell components, decrypted shellcode in memory, and ultimately ran RokRAT against likely targets among South Korean defense-sector personnel and North Korea researchers. RokRAT collected SMBIOS details, periodic desktop screenshots, and information about document and recording files, then used cloud-service-based C2 paths including Yandex, with possible Dropbox and pCloud support. The Konni case used an LNK file disguised as a Hangul document about virtual-asset business inspection plans, launched PowerShell, VBScript, and batch files, established persistence, collected file listings and system information, and communicated with forum.flasholr-app.com using RC4-encrypted parameters.
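A defender-side triage heuristic for the two execution chains summarized above (a Hangul process spawning a script interpreter, and a shortcut with a double `.hwp.lnk` extension launching a hidden PowerShell), added here as an example and not code from the Logpresso report. The process image names, command-line flags and sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hangul Word Processor image names (assumed; adjust to your environment).
HANGUL_PARENTS = {"hwp.exe", "hwpviewer.exe"}
# Script interpreters that a document lure typically hands off to.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell flags commonly seen in shortcut-launched stagers (heuristic).
HIDDEN_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|enc|encodedcommand)\b", re.I)
# A file pretending to be a Hangul document but actually a shortcut.
DOUBLE_EXT = re.compile(r"\.hwp\.lnk\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name
    image: str    # child process image name
    cmdline: str  # child command line


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of rule tags that fire on one process-creation event."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in HANGUL_PARENTS and image in INTERPRETERS:
        hits.append("hwp_spawns_interpreter")      # APT37-style OLE object abuse
    if image in INTERPRETERS and DOUBLE_EXT.search(ev.cmdline):
        hits.append("disguised_hwp_lnk")           # Konni-style LNK lure
    if parent == "explorer.exe" and image in INTERPRETERS and HIDDEN_FLAGS.search(ev.cmdline):
        hits.append("explorer_hidden_interpreter")  # user-launched shortcut running hidden
    return hits


def scan(events):
    """Map event index -> fired tags, omitting events with no hits."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    ProcEvent("Hwp.exe", "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell.exe -windowstyle hidden -ep bypass -c "gi C:\Users\u\Desktop\inspection_plan.hwp.lnk"'),
    ProcEvent("explorer.exe", "Hwp.exe", r'Hwp.exe "C:\Users\u\Downloads\report.hwp"'),
    ProcEvent("explorer.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\tools\backup.ps1"),
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, tags)
```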