APT37 aka ScarCruft or RedEyes – Active IOCs

2024-12-09 Rewterz

https://www.rewterz.com/threat-advisory/apt37-aka-scarcruft-or-redeyes-active-iocs-37593


Rewterz describes active indicators for APT37 (also tracked as ScarCruft or RedEyes), a group tied to North Korean espionage activity. Recent reporting shows the group has expanded from CHM malware disguised as a security email from a Korean financial company to delivering RokRAT through LNK files. The LNK files run PowerShell commands that create and execute scripts from a temporary folder, which in turn lead to RokRAT activity focused on running additional payloads and exfiltrating data. RokRAT collects machine information before entering its main RAT loop and uses cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive for command and control, which makes its traffic hard to distinguish from legitimate cloud use. The advisory lists active IOCs, including the domain uploader77j.disk.yandex.net and multiple file hashes, for blocking and for hunting in your environment.
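The following hunting script is an added example, not code from the Rewterz advisory. It turns the two things the advisory gives a defender, the behavioural chain (explorer.exe launching PowerShell that runs a script out of a temp folder, then C2 over consumer cloud services) and the listed IOCs, into checks that run over process-creation and DNS records. The record field names (parent_image, image, command_line, md5, query) are assumptions modelled on Sysmon Event ID 1 and 22 output, the sample records are constructed, and only the hashes the advisory prints in full are included (they are 32 hex characters, so they are treated as MD5; the truncated ones are deliberately left out).

```python
"""Added example (not from the advisory): hunt for the LNK -> PowerShell -> temp-script
chain and for the advisory's IOCs in constructed process/DNS log records."""
import re

# IOCs copied from the advisory. Only the hashes printed in full are usable;
# truncated values cannot be matched reliably and are intentionally omitted.
IOC_MD5 = {
    "2fa8f5f95577db335e649d5361c845b0",
    "ed825fe83c096ca29754c6b4e7e98384",
}
IOC_DOMAINS = {"uploader77j.disk.yandex.net"}

# Cloud services the advisory names as RokRAT C2 channels. Traffic to them is
# not malicious on its own, so a hit here is informational and is meant to be
# correlated with the process-level findings, not alerted on by itself.
CLOUD_C2_SUFFIXES = ("dropbox.com", "pcloud.com", "yandex.net", "onedrive.live.com")

TEMP_PATH = re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)", re.I)
SCRIPT_EXT = re.compile(r"\.(ps1|bat|cmd|vbs|js)\b", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(enc|encodedcommand|w(indowstyle)? hidden)\b", re.I)


def score_process(ev):
    """Return the reasons a process record resembles the advisory's LNK chain
    (an empty list means nothing suspicious was found)."""
    reasons = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    if ev.get("md5", "").lower() in IOC_MD5:
        reasons.append("md5 matches advisory IOC")
    # A double-clicked LNK shows up as explorer.exe spawning PowerShell directly.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        if TEMP_PATH.search(cmd) and SCRIPT_EXT.search(cmd):
            reasons.append("explorer.exe -> powershell.exe running a script from a temp folder")
        if HIDDEN_OR_ENCODED.search(cmd):
            reasons.append("powershell launched hidden/encoded from explorer.exe")
    return reasons


def score_dns(ev):
    """Exact match on the advisory's domain; suffix match on the named cloud services."""
    q = ev.get("query", "").lower()
    if q in IOC_DOMAINS:
        return ["domain matches advisory IOC"]
    if q.endswith(CLOUD_C2_SUFFIXES):
        return ["cloud service named as RokRAT C2 channel (informational)"]
    return []


def hunt(events):
    """Run both checks over a mixed list of records; return (index, reasons) for hits."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_process(ev) if ev.get("type") == "process" else score_dns(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real telemetry) so the script runs offline.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\s1.ps1",
     "md5": "placeholder-hash-0"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe",
     "md5": "placeholder-hash-1"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\tmp\x.exe", "command_line": "x.exe",
     "md5": "2fa8f5f95577db335e649d5361c845b0"},
    {"type": "dns", "query": "uploader77j.disk.yandex.net"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "dns", "query": "www.dropbox.com"},
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"record {idx}: {'; '.join(why)}")
```

The behavioural rule is the one worth keeping after the listed hashes rotate: the hash and domain matches expire quickly, whereas explorer.exe spawning a hidden PowerShell that executes a script out of a temp folder is the delivery pattern the advisory describes and is rare in ordinary user activity.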

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    2fa8f5f95577db335e649d5361c845b0   2024-12-09  2024-12-09
HASH    d9e3eba6067eec0aa32214b2a9811f4…   2024-12-09  2024-12-09
HASH    c8bb4f1ebeafd00cc6b73e2cf265c18…   2024-12-09  2024-12-09
HASH    2500050253ecc95279b319bc469031d…   2024-12-09  2024-12-09
HASH    ed825fe83c096ca29754c6b4e7e98384   2024-12-09  2024-12-09
HASH    5aacff1d13e872d1707c6d86646c886…   2024-12-09  2024-12-09
DOMAIN  uploader77j.disk.yandex.net        2024-12-09  2024-12-09
