Introducing ROKRAT

2017-04-03 Cisco Talos

http://blog.talosintelligence.com/2017/04/introducing-rokrat.html


ROKRAT was delivered through spear-phishing emails carrying malicious HWP documents themed around Korean reunification and North Korea, including one sent through a compromised Yonsei University mail server. The documents embedded EPS objects that exploited CVE-2013-0808 to download payloads disguised as .jpg files, which were then decoded and executed as the RAT.

For C2, command retrieval, file transfer and document exfiltration, ROKRAT used legitimate services (Twitter, Yandex and Mediafire), which makes network blocking and detection harder in organizations that allow those platforms. The malware supported command execution, file movement and deletion, process killing, download-and-execute, screenshots and keylogging, and used sandbox and analyst checks to divert execution into fake Amazon and Hulu traffic. The Korean-language lures, the choice of the HWP format and the North Korea-related themes point to a focused operation against South Korean or Korea-focused victims.

Indicators of Compromise

Type    Value                                First Seen  Last Seen
DOMAIN  acddesigns.com.au                    2016-11-18  2019-05-14
HASH    051463a14767c6477b6dacd639f30a8…     2017-04-03  2018-01-16
HASH    7d163e36f47ec56c9fe08d758a0770f…     2017-04-03  2018-01-16
HASH    cd166565ce09ef410c5bba40bad0b49…     2017-04-03  2018-01-16
HASH    5441f45df22af63498c63a49aae8206…     2017-04-03  2018-01-16
URL     http://acddesigns.com.au/client…     2017-04-03  2018-01-16
URL     http://discgolfglow.com/wp-cont…     2017-04-03  2018-01-16
URL     http://discgolfglow.com:/wp-con…     2017-04-03  2018-01-16
DOMAIN  discgolfglow.com                     2017-04-03  2018-01-16
EMAIL   [email protected]                    2017-04-03  2017-04-03
IPv4    165.132.10.103                       2017-04-03  2017-04-03
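The table above follows a Type/Value/First Seen/Last Seen layout in which several values are cut off with "…" and one URL carries a bare "host:" with an empty port, both of which defeat naive exact matching. The Python below is an added example (not code from Talos or from this page) that parses such a table into indicators, normalises them, and scans constructed log lines, treating truncated values as prefixes; the indicator values and log lines in it are constructed stand-ins, not the ones listed above.

```python
from collections import namedtuple
from urllib.parse import urlsplit, urlunsplit

# Constructed rows in the page's layout (stand-in values, not the report's own).
IOC_TABLE = """\
Type Value First Seen Last Seen
DOMAIN Example-C2.test 2017-04-03 2018-01-16
HASH 0123456789abcdef0123456789abcde… 2017-04-03 2018-01-16
URL http://example-c2.test:/wp-content/up… 2017-04-03 2018-01-16
IPv4 192.0.2.10 2017-04-03 2017-04-03
"""
LOG = [  # constructed proxy/EDR log lines to scan
    "2017-04-04T09:12:01Z 10.0.0.5 GET http://Example-C2.test:/wp-content/update.jpg 200",
    "2017-04-04T09:12:05Z 10.0.0.5 sha256=0123456789ABCDEF0123456789abcdef0123456789ABCDEF0123456789abcdef",
    "2017-04-04T09:14:30Z 10.0.0.9 CONNECT 192.0.2.10 443",
]
TRUNC_MARKS = ("…", "...")
MIN_PREFIX = 8  # refuse prefix matches on stubs too short to mean anything
Ioc = namedtuple("Ioc", "kind value truncated")  # value: normalised, or a prefix

def normalise(kind, value):
    """Canonicalise IoC and log values alike so comparisons are fair."""
    if kind == "URL":  # lower-case scheme/host and drop an empty ":" port
        p = urlsplit(value)
        return urlunsplit((p.scheme.lower(), p.netloc.lower().rstrip(":"),
                           p.path, p.query, ""))
    return value.lower().rstrip(".")  # domains, e-mails, hashes, IPs

def parse_iocs(table):
    iocs = []
    for line in table.splitlines()[1:]:       # skip the header row
        kind, value, *_dates = line.split()   # the value itself has no spaces
        truncated = any(value.endswith(m) for m in TRUNC_MARKS)
        value = value.rstrip("…").rstrip(".") if truncated else value
        iocs.append(Ioc(kind, normalise(kind, value), truncated))
    return iocs

def matches(ioc, observed):
    obs = normalise(ioc.kind, observed)
    if ioc.truncated:
        return len(ioc.value) >= MIN_PREFIX and obs.startswith(ioc.value)
    return obs == ioc.value

def scan(lines, iocs):
    # Returns (line no, kind, indicator) per hit; URL tokens are also checked
    # by host so DOMAIN/IPv4 indicators fire on proxy entries.
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.replace("=", " ").split():
            cands = [tok] + ([urlsplit(tok).hostname or ""] if "://" in tok else [])
            hits += [(n, i.kind, i.value) for i in iocs if any(matches(i, c) for c in cands)]
    return hits
```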
