APT37: Final1stspy Reaping the FreeMilk

2018-10-03 Intezer

https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/

Intezer linked Final1stspy activity to APT37/Group123 by analyzing code reuse across NOKKI, KONNI, KimJongRAT, DOGCALL/ROKRAT, and FreeMilk-related samples. The reported NOKKI-associated malicious document used VBScript to download Final1stspy, whose `LoadDll` executable loaded a `hadowexecute` DLL before ultimately delivering DOGCALL/ROKRAT. Intezer found an earlier Final1stspy DLL through YARA hunting and identified a unique OS-information-gathering function shared with Group123's ROKRAT code. The report published SHA-256 indicators for Final1stspy DLL/EXE samples and related FreeMilk/ROKRAT samples.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   2011b9aa61d280ca9397398434af94e…    2018-10-03   2020-03-09
HASH   fb94a5e30de7afd1d9072ccedd90a24…    2018-10-01   2020-03-09
HASH   ef40f7ddff404d1193e025081780e32…    2017-10-05   2020-03-09
HASH   26ad5f8889d10dc45dcf1d3c626416e…    2018-10-03   2018-10-03
HASH   65ec544841dbe666d20de0864951581…    2018-10-03   2018-10-03
HASH   01045aeea5198cbc893066d7e496f13…    2018-10-03   2018-10-03
HASH   0669c71740134323793429d10518576…    2018-10-01   2018-10-03
HASH   99c1b4887d96cb94f32b280c1039b3a…    2017-10-05   2018-10-03
HASH   7f35521cdbaa4e86143656ff9c52cef…    2017-10-05   2018-10-03
