CHAIN REACTION: ROKRAT’S MISSING LINK
2023-05-01 • Check Point
https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
Check Point tracks APT37-linked ROKRAT activity shifting away from older HWP exploits and Office macros toward ZIP or ISO archives that carry oversized LNK files; opening the shortcut kicks off a multi-stage infection chain with no exploit or macro involved. The lures focus heavily on South Korean domestic and foreign affairs, with examples tied to National Assembly committee lists, North Korea diplomacy, and Korean-speaking targets, while one English-language case used Libyan oil and gas project documents involving a South Korean consultant. Several of the observed chains ended in ROKRAT, and related tooling or overlapping chains delivered GOLDBACKDOOR and the commodity Amadey RAT. The report stresses that ROKRAT remains under active development across Windows, macOS, and Android variants, and that two traits stay useful for tracking APT37 operations: command-and-control over legitimate cloud services, and the LNK-based delivery the group adopted once Office began blocking internet-sourced macros by default.
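The delivery trait above, an archive whose payload is an unusually large LNK, is cheap to check for at the mail gateway or on a sample triage box. The script below is an added example written for this summary, not code from the Check Point report: it walks a ZIP archive in memory, identifies LNK members by the fixed ShellLink header (HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046) rather than by extension alone, and flags members that are oversized or carry a double extension such as "report.pdf.lnk". The 1 MiB threshold is an assumed tuning value (the report only describes the files as unusually large), and the sample archive is constructed inline; ISO images would need a separate parser and are not handled here.

```python
import io
import zipfile

# Fixed LNK header: HeaderSize = 0x0000004C, then the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Assumed threshold: a benign shortcut is a few hundred bytes to a few KiB,
# so anything past 1 MiB is treated as padded. Tune to your environment.
OVERSIZED_LNK_BYTES = 1 * 1024 * 1024


def is_lnk(head: bytes) -> bool:
    """True if the first bytes match the LNK header and CLSID."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_members(zip_bytes: bytes, threshold: int = OVERSIZED_LNK_BYTES) -> list:
    """Return one finding per LNK member (by magic or by .lnk extension).

    Each finding records the uncompressed size and two heuristics:
    'oversized' (size >= threshold) and 'double_extension' (e.g. x.pdf.lnk).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header is needed
            by_magic = is_lnk(head)
            by_ext = info.filename.lower().endswith(".lnk")
            if not (by_magic or by_ext):
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            findings.append({
                "name": info.filename,
                "size": info.file_size,             # uncompressed size
                "magic_ok": by_magic,
                "oversized": info.file_size >= threshold,
                "double_extension": basename.count(".") >= 2,
            })
    return findings


def suspicious_names(findings: list) -> list:
    """Names worth escalating: padded LNKs or LNKs posing as documents."""
    return [f["name"] for f in findings if f["oversized"] or f["double_extension"]]


def build_sample_zip() -> bytes:
    """Constructed test archive: one padded decoy LNK, one normal LNK, one text file."""
    padded_lnk = LNK_MAGIC + b"\x00" * (2 * 1024 * 1024)   # 2 MiB of padding
    small_lnk = LNK_MAGIC + b"\x00" * 180                    # ordinary-sized shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("committee_list.pdf.lnk", padded_lnk)
        zf.writestr("shortcut.lnk", small_lnk)
        zf.writestr("readme.txt", b"benign text, not a shortcut\n")
    return buf.getvalue()


if __name__ == "__main__":
    results = find_lnk_members(build_sample_zip())
    for f in results:
        print(f)
    print("suspicious:", suspicious_names(results))
```

Checking the header bytes matters because a padded LNK renamed to ".pdf" or ".docx" would still be executed as a shortcut by Explorer if the extension is later restored, while a file that is merely named ".lnk" but lacks the header is not a working shortcut at all.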