Analysis of APT-C-28 (ScarCruft) Rokrat backdoor delivery activity targeting the energy sector

2023-07-13 Qihoo360: Analysis of APT-C-28 (ScarCruft) Rokrat backdoor activity targeting the energy sector

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247492864&idx=1&sn=0af3b744c9d5deeb1697ce2a3565624b&chksm=f9c1d609ceb65f1f62c856e57004fe90fe059d688a7a858b483208cfe832b3d5ab77d13f3f1e&scene=178&cur_album_id=1915287066892959748#rd

360's threat research team reported APT-C-28/ScarCruft activity that used an energy-sector lure about the Sharara-to-Mellitah oil pipeline to deliver the RokRAT backdoor. The delivery vehicle was a large, padded LNK file containing a decoy PDF and malicious BAT logic; PowerShell then pulled an encrypted RokRAT payload from OneDrive, decrypted it, and ran it in memory. The RokRAT sample collected host and user details, supported file transfer, command execution, screenshots, and keylogging, and used cloud storage APIs including pCloud, Yandex, and Dropbox for command and file exchange. The report notes continuity with earlier RokRAT behavior, including familiar file naming, code structure, and HTTP Content-Type patterns.

Indicators of Compromise

Type   Value                                 First Seen   Last Seen
HASH   4fe698c235d03a271305db8ffdaa9e36      2023-07-13   2023-07-13
HASH   4d3464b23dd4fb141c8fcc4cbf541832      2023-07-13   2023-07-13
HASH   2c180bf7a1e6dbe84060c3b5aa53feb7      2023-07-13   2023-07-13
HASH   7b7c43ed1eb6a423bdcfd0484fe560c3      2023-07-13   2023-07-13
HASH   85e71578ad7fea3c15095b6185b14881      2023-05-23   2023-07-13
URL    https://1drv.ms/u/s!AjQNLvEE_CU…      2023-05-01   2023-07-13
URL    https://api.onedrive.com/v1.0/s…      2023-05-01   2023-07-13
