APT37 issues RokRAT targeting the Ministry of Foreign Affairs of South Korea - Anheng Threat Intelligence Center

2023-04-27 DBAPPSecurity (安恒信息)

https://starmap.dbappsecurity.com.cn/blog/articles/2023/04/27/apt37-rokrat/


DBAPPSecurity reported APT37 activity against South Korea's Ministry of Foreign Affairs that started from an ISO image containing two LNK files padded to an unusually large size. Opening either LNK dropped an HWP decoy document and a BAT script; the script launched PowerShell, which downloaded the next stage from OneDrive, decrypted it, and loaded RokRAT. The RokRAT sample relied on legitimate cloud services, chiefly pCloud, to retrieve commands, and supported host reconnaissance, file and process listing, payload download and execution, Windows command execution, and updating its cloud access tokens. The report ties the second-stage PowerShell to earlier APT37 tradecraft and notes that encryption was added to the infection chain to hinder static detection.
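The oversized, padded LNK is the cheapest artifact in this chain to triage at scale. The script below is an added example, not code from the DBAPPSecurity report: it validates the fixed ShellLinkHeader ([MS-SHLLINK] HeaderSize 0x4C and LinkCLSID), measures the longest run of a single repeated byte as a padding indicator, and scans the file for launcher keywords as ASCII or UTF-16LE (LNK string data is UTF-16LE when IsUnicode is set). The size and padding thresholds, the keyword list and the `make_sample_lnk` sample builder are assumptions for illustration; the constructed sample is not one of the report's files.

```python
"""Triage heuristic for padded LNK droppers (added example, not DBAPPSecurity's code).

Checks a ShellLinkHeader ([MS-SHLLINK]) for the fixed size/CLSID, then flags
files that are far larger than a normal shortcut, consist mostly of one
repeated padding byte, and carry script-launcher keywords in their UTF-16LE
string data. Thresholds and keywords are assumptions, not values from the report.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C                       # fixed HeaderSize field
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
SIZE_THRESHOLD = 1024 * 1024                 # assumption: real shortcuts are a few KB
PADDING_RATIO_THRESHOLD = 0.90               # assumption: >90% one byte value == padded
MIN_RUN = 256                                # ignore short runs (zeroed header fields)
SCRIPT_MARKERS = (b"powershell", b"cmd.exe", b".bat", b"mshta", b"wscript")

_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def is_lnk(data: bytes) -> bool:
    """True if data starts with a valid ShellLinkHeader (HeaderSize 0x4C + LinkCLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        return False
    return uuid.UUID(bytes_le=bytes(data[4:20])) == LNK_CLSID


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (runs shorter than MIN_RUN count as 0)."""
    return max((m.end() - m.start() for m in _RUN_RE.finditer(data)), default=0)


def script_markers(data: bytes) -> list:
    """Launcher keywords present as ASCII or UTF-16LE (LNK StringData is UTF-16LE)."""
    low = data.lower()                      # bytes.lower() only touches ASCII bytes, so
    hits = []                               # UTF-16LE "P\0o\0" becomes "p\0o\0" as well
    for marker in SCRIPT_MARKERS:
        if marker in low or marker.decode().encode("utf-16-le") in low:
            hits.append(marker.decode())
    return hits


def triage_lnk(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Verdict dict; suspicious = valid LNK + launcher keyword + (oversized or padded)."""
    run = longest_byte_run(data)
    ratio = run / len(data) if data else 0.0
    hits = script_markers(data)
    valid = is_lnk(data)
    oversized = len(data) >= size_threshold
    padded = ratio >= PADDING_RATIO_THRESHOLD
    return {
        "is_lnk": valid,
        "size": len(data),
        "longest_run": run,
        "padding_ratio": ratio,
        "oversized": oversized,
        "padded": padded,
        "script_markers": hits,
        "suspicious": valid and bool(hits) and (oversized or padded),
    }


def make_sample_lnk(cmdline: str, pad_bytes: int) -> bytes:
    """Build a minimal LNK-like file for testing (constructed sample, not a real IOC).

    Header: LinkFlags HasArguments|IsUnicode, zeroed attributes and times,
    ShowCommand SW_SHOWNORMAL; then the COMMAND_LINE_ARGUMENTS StringData
    (uint16 character count + UTF-16LE text) followed by pad_bytes of 0x00.
    """
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<II", 0x20 | 0x80, 0)           # LinkFlags, FileAttributes
    header += b"\x00" * 24                                   # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)   # FileSize .. Reserved3
    assert len(header) == LNK_HEADER_SIZE
    args = struct.pack("<H", len(cmdline)) + cmdline.encode("utf-16-le")
    return header + args + b"\x00" * pad_bytes


if __name__ == "__main__":
    # Hypothetical dropper: launches a BAT and carries 2 MiB of zero padding.
    dropper = make_sample_lnk("cmd.exe /c dropped.bat", 2 * 1024 * 1024)
    print(triage_lnk(dropper))
    print(triage_lnk(make_sample_lnk("notepad.exe", 0)))
```

Point `triage_lnk` at the raw bytes of every `.lnk` extracted from a mounted ISO; a shortcut over a megabyte whose content is one repeated byte and whose arguments name cmd, PowerShell or a batch file is worth pulling for manual analysis regardless of how the padding is arranged. The run-length check is deliberately byte-agnostic because padding is not always zeros.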

Indicators of Compromise

Type  Value (32-hex MD5)                  First Seen  Last Seen
HASH  657fd7317ccde5a0e0c182a626951a9f  2023-04-21  2023-05-23
HASH  be32725e676d49eaa11ff51c61f18907  2023-04-21  2023-05-23
HASH  2cd04d9e11c6e458ec16db1ab810d625  2023-04-27  2023-04-28
HASH  461ce7d6c6062d1ae33895d1f44d98fb  2023-04-21  2023-04-28
HASH  979ae1db39fbf32a0f5c5ba581b648f0  2023-04-27  2023-04-27
