Introduction to the North Korea-backed Scarcruft ROKRAT Malware Cluster

2024-11-29 S2W

https://www.s2w.inc/en/resource/detail/678

S2W profiles Scarcruft, also tracked as APT37, Red Eyes, Reaper, and Group123, as a North Korea-backed actor that has targeted defectors, NGOs, media, and government institutions since 2016. The excerpt focuses on the ROKRAT malware family, a RAT used across Windows, macOS, and Android that communicates through legitimate cloud services such as pCloud and Yandex using embedded OAuth tokens. After authentication, ROKRAT retrieves encrypted command codes from the cloud service, executes them, and uploads stolen device data back to the service. S2W groups the analyzed activity into DROKLINK and DROKDOC spear-phishing chains, mobile ROKRAT cases tied to KakaoTalk, Facebook, and Google Play distribution, and the CloudMensis macOS variant with exfiltration, screenshot, and command execution capability.