APT37's Primary Remote-Access Weapon RokRAT: Updates and Iterations to Part of Its Execution Flow

2024-02-26 qianlan APT37's primary remote-access weapon RokRAT: updates and iterations to part of its execution flow

https://xz.aliyun.com/t/13851?time__1311=mqmxnQG%3DKDu0D%2F%2BG7DyQvfpxGqvDWwD&alichlgref=https%3A%2F%2Fxz.aliyun.com%2Fu%2F80636

The analysis examines a newer RokRAT sample attributed to APT37 (also tracked as Group123, Venus 121, or Reaper) and describes updates to its execution flow. A large LNK lure drops a decoy HWP document together with public.dat, temp.dat, and working.bat, then launches hidden PowerShell to execute shellcode that loads a PE payload in memory. The payload collects system details such as hostname, username, process path, operating system, BIOS, privilege level, and VMware-related information before communicating with api.pcloud.com. The report notes RokRAT's use of public cloud storage services (pCloud, Dropbox, Yandex, and Box) as C2 channels, authenticating with embedded API tokens and issuing file download, upload, and deletion operations.
