Operation HanKook Phantom: APT37 Spear-Phishing Campaign
2025-08-29 • Seqrite
https://www.seqrite.com/blog/operation-hankook-phantom-north-korean-apt37-targeting-south-korea/
Seqrite links Operation HanKook Phantom to APT37, a North Korean state-backed espionage actor also known as InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, and Ricochet Chollima. The campaign used a National Intelligence Research Society newsletter decoy and a disguised Windows LNK file to target South Korean national-security, academic, policy, labor, and energy-related circles. Executing the LNK launched embedded PowerShell that extracted a decoy PDF and multiple payloads, ran a batch script, decoded an XOR-encrypted payload, and executed it in memory through Windows API calls. The final ROKRAT payload fingerprinted victim systems, checked for virtualized or restricted environments, captured screenshots, enumerated files, ran commands, downloaded additional payloads, and exfiltrated data. Its command-and-control design used cloud services including pCloud, Yandex, and Dropbox, making the operation relevant for defenders monitoring spear-phishing, fileless PowerShell execution, and cloud-based C2 abuse.
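The initial vector described above, a shortcut whose embedded PowerShell carves further files out of the LNK itself, can be triaged statically before anything is executed. The following is an added example written for this summary, not code from Seqrite or from the report: it parses the Windows Shell Link structure (header, LinkFlags, the optional IDList and LinkInfo sections, the fixed-order StringData fields, and the ExtraData chain per MS-SHLLINK) far enough to recover the command-line arguments and to measure how many bytes trail the structure. The three heuristics (PowerShell switches such as hidden window, encoded command or in-memory invocation; a document-style icon on a shortcut that runs PowerShell; a large overlay of appended data) are generic to LNK droppers and are assumptions here, not indicators quoted from the report; the 1 KiB overlay threshold and the sample shortcuts are constructed for the demonstration.

```python
import re
import struct

# Shell Link header constants and LinkFlags bits, per MS-SHLLINK
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields are stored in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Heuristics chosen for this example (assumptions, not indicators from the report):
# switches typical of hidden/encoded PowerShell, a document-like icon on a shortcut
# that runs PowerShell, and data appended after the end of the Shell Link structure.
POWERSHELL_RE = re.compile(
    r"powershell|pwsh|-encodedcommand|-enc\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"executionpolicy\s+bypass|frombase64string|invoke-expression|\biex\b", re.I)
DOCUMENT_ICON_RE = re.compile(r"\.(pdf|docx?|hwp|xlsx?|pptx?|txt)\b", re.I)
OVERLAY_ALERT_BYTES = 1024  # a benign shortcut carries no trailing data at all


def parse_lnk(data: bytes) -> dict:
    """Parse StringData and locate the end of the Shell Link structure."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) then the ItemIDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]

    strings = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1", "replace")
        off += width * count

    # ExtraData is a chain of BlockSize-prefixed blocks; a size < 4 is the TerminalBlock
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):
            raise ValueError("truncated ExtraData block")
        off += block_size
    return {"flags": flags, "strings": strings, "structure_end": off,
            "overlay_bytes": len(data) - off}


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means no heuristic fired."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    icon = info["strings"].get("icon_location", "")
    findings = []
    if POWERSHELL_RE.search(args):
        findings.append("arguments invoke PowerShell with hidden/encoded/in-memory switches")
    if info["overlay_bytes"] >= OVERLAY_ALERT_BYTES:
        findings.append(f"{info['overlay_bytes']} bytes appended after the Shell Link structure")
    if DOCUMENT_ICON_RE.search(icon) and POWERSHELL_RE.search(args):
        findings.append("document-style icon on a shortcut that runs PowerShell")
    return findings


def build_sample_lnk(arguments: str, overlay: bytes = b"", icon: str = "") -> bytes:
    """Construct a minimal Shell Link in memory (sample data, not a real artefact)."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    if icon:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # Creation/Access/Write FILETIMEs
                         0, 0,        # FileSize, IconIndex
                         7,           # ShowCommand: SW_SHOWMINNOACTIVE
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3

    def utf16(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (utf16("newsletter") + utf16(r"..\Windows\System32\cmd.exe")
            + utf16(r"C:\Windows\System32") + utf16(arguments)
            + (utf16(icon) if icon else b""))
    return header + body + struct.pack("<I", 0) + overlay   # TerminalBlock, then overlay


if __name__ == "__main__":
    dropper = build_sample_lnk(
        "/c powershell -w hidden -nop -ExecutionPolicy Bypass -EncodedCommand BASE64_PLACEHOLDER",
        overlay=b"%PDF-1.4 " + b"\x00" * 4096, icon=r"%SystemRoot%\newsletter.pdf")
    for line in assess_lnk(dropper) or ["no findings"]:
        print(line)
```

Run against a directory of quarantined attachments, the parser gives a triage analyst the command line and the overlay size without touching the shortcut's target; a clean shortcut produces an empty finding list, while one that both runs PowerShell and carries kilobytes of trailing data is worth detonating in a sandbox.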