Analysis of APT37's espionage campaign delivering RokRAT against the South Korean Ministry of Foreign Affairs
(original title: APT37针对韩国外交部下发RokRAT的窃密活动分析)

2023-04-28 网络安全研究宅基地

https://mp.weixin.qq.com/s/iCFz9vhYGxz0cd8_0-PhDQ


DBAPPSecurity’s Lieying Lab analyzed an espionage campaign by APT37 (also known as Group123, RedEyes and ScarCruft) that used RokRAT against South Korean foreign-affairs targets. According to the source, the attackers delivered an ISO image containing two heavily padded LNK files; when opened, the LNK files dropped HWP decoy documents and BAT scripts into the temp directory, and the BAT scripts invoked PowerShell to download the next-stage payload and decrypt it in memory. The final payload is RokRAT, which communicates through legitimate cloud services (pCloud, Dropbox and Yandex) to receive commands, upload selected files, execute Windows commands, and refresh its cloud-service tokens. The report notes that the 2023 infection chain inserted encrypted malicious commands ahead of the earlier execution stages to hinder static detection.

Indicators of Compromise

Type Value First Seen Last Seen
EMAIL [email protected] 2023-04-28 2023-04-28
HASH 2cd04d9e11c6e458ec16db1ab810d625 2023-04-27 2023-04-28
