Reaper Uses New TTPs to Drop RokRAT

2023-05-15 PolySwarm

https://blog.polyswarm.io/reaper-uses-new-ttps-to-drop-rokrat


Reaper, also known as APT37, used newer delivery TTPs to deploy RokRAT against South Korea-focused targets. The campaign delivered ZIP archives containing oversized LNK files masquerading as PDF documents, alongside benign files, through energy-sector and politically themed phishing emails. Opening the LNK displayed a decoy document while PowerShell extracted and ran a BAT script, which launched another PowerShell stage, downloaded a payload from the C2 server, and reflectively injected shellcode that decoded and executed RokRAT. The report notes RokRAT's capabilities for credential theft, data exfiltration, screenshots, system discovery, command and shellcode execution, and file management, as well as Reaper's continued use of cloud storage services for C2.
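As a defender-side illustration of the delivery stage described above, the following added example (not PolySwarm's code) scans a ZIP archive for shortcut entries that carry a document-style double extension, hide a ShellLink header behind a non-.lnk name, or are far larger than a normal shortcut. The 64 KB size threshold, the extension list and the constructed sample archive are assumptions.

```python
import io
import zipfile

# A ShellLink file starts with HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} serialised as a little-endian GUID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".txt")  # assumed lure extensions
SIZE_THRESHOLD = 64 * 1024  # assumed: benign shortcuts are usually a few KB


def scan_archive(zip_bytes):
    """Return [(entry_name, [reasons])] for shortcut-like entries worth triage."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                is_lnk = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            if not is_lnk and not name.endswith(".lnk"):
                continue  # neither named nor structured as a shortcut
            reasons = []
            stem = name[:-4] if name.endswith(".lnk") else name
            if stem.endswith(DOCUMENT_EXTS):
                reasons.append("document-style double extension")
            if is_lnk and not name.endswith(".lnk"):
                reasons.append("ShellLink header under a non-.lnk name")
            if info.file_size > SIZE_THRESHOLD:
                reasons.append(f"oversized shortcut ({info.file_size} bytes)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: a benign file, a small shortcut, and an oversized
    PDF-lookalike shortcut padded with zeros (not a working shortcut)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign text")
        zf.writestr("small.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * (100 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_zip()):
        print(entry, "->", "; ".join(why))
```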

Indicators of Compromise

