Analysis of an APT-C-28 (ScarCruft) attack campaign delivering RokRAT filelessly

2025-02-19 Qihoo360 Analysis of APT-C-28 (ScarCruft) attack activity delivering RokRAT filelessly

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505583&idx=1&sn=8ed8a00690db7f06260546c6a5142380


APT-C-28 (ScarCruft), also known as APT37, Reaper, and Group123, targeted South Korean government and enterprise personnel with phishing archives containing malicious LNK files. The LNK files invoked PowerShell to extract decoy documents, malicious BAT and PowerShell scripts, and XOR-encrypted RokRAT shellcode, which was decrypted and executed in memory. The decrypted payload was a RokRAT PE compiled in October 2024; its core capabilities match earlier RokRAT versions, but the delivery path and operational strategy changed. The campaign embedded the encrypted payload directly in the LNK rather than retrieving it from cloud services, likely an adaptation to malicious cloud links being disabled quickly. RokRAT artifacts included a Googlebot-like User-Agent and the string "--wwjaughalvncjwiajs--", with commands for screenshots, process collection, file enumeration, payload retrieval, execution, and cleanup.
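The two network artifacts above (a Googlebot-like User-Agent on outbound traffic from a workstation, and the marker string) can be hunted for in proxy logs. The following scanner is an added example, not code from the report or from Qihoo360; the log format and the log lines are constructed, and where exactly the marker string appears in traffic is an assumption, so the scanner matches it anywhere on the line.

```python
import re
from dataclasses import dataclass

# Constructed outbound proxy log lines (not from the report). Assumed format:
# <timestamp> <src_host> <method> <url> "<user-agent>" <body-or-headers-excerpt>
SAMPLE_LOG = """\
2025-02-19T09:12:01Z WS-1042 GET https://example-cdn.test/update "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -
2025-02-19T09:12:07Z WS-1042 POST https://api.example.test/upload "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" --wwjaughalvncjwiajs--
2025-02-19T09:13:40Z WS-0007 GET https://intranet.example.test/ "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" -
2025-02-19T09:14:02Z WS-2210 GET https://news.example.test/ "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0" -
"""

# Marker string the report attributes to RokRAT. The report does not say in
# which field it appears, so the whole line is checked (assumption).
ROKRAT_MARKER = "--wwjaughalvncjwiajs--"
GOOGLEBOT_UA = re.compile(r"Googlebot", re.IGNORECASE)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (.*)$')


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    reasons: tuple


def scan_proxy_log(text: str) -> list:
    """Return one Hit per log line that shows a RokRAT-related artifact."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, host, _method, _url, ua, rest = m.groups()
        reasons = []
        # A search-engine crawler UA should never originate from a workstation.
        if GOOGLEBOT_UA.search(ua):
            reasons.append("googlebot_ua_from_endpoint")
        # The marker string is a direct indicator regardless of the UA.
        if ROKRAT_MARKER in ua or ROKRAT_MARKER in rest:
            reasons.append("rokrat_marker")
        if reasons:
            hits.append(Hit(ts, host, tuple(reasons)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit.timestamp, hit.host, ", ".join(hit.reasons))
```

A line carrying both reasons (WS-1042 above) is the strongest signal; a crawler UA alone warrants a look at the source host, since the report notes earlier RokRAT versions used the same UA.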

Indicators of Compromise

