Plainbit analyzes a North Korea-linked RokRAT infection chain delivered in a ZIP archive containing a same-named LNK file disguised as an HWP document. The shortcut runs cmd.exe and PowerShell, hides the command window with user32.dll calls, splits embedded LNK data into a decoy HWP plus public.dat, temp.dat, and working.bat, and deletes the original shortcut. working.bat executes temp.dat as a PowerShell ScriptBlock, which allocates RWX memory with kernel32 APIs, writes public.dat shellcode into memory, and starts a thread to run it. The source provides the extracted command structure and file layout defenders can use to hunt for this LNK-to-PowerShell RokRAT staging pattern.