RE:archive | APT37's ROKRAT HWP Object Linking and Embedding

2024-03-01 0x0v1

https://www.0x0v1.com/rearchive-rokrat-hwp/


A 2022 APT37 sample, linked by the author to ROKRAT operations, used a malicious Hangul Word Processor (HWP) document with an embedded OLE object to target a human rights NGO. The lure impersonated South Korea's Central Election Commission and referenced recruitment of vote-counting observers for the 20th presidential election. When the victim clicked the embedded object, a BAT script launched PowerShell-based reflective DLL injection and loaded the payload in memory from a URL on work3.b4a.app (defanged in the original post), leaving few artifacts on disk. The excerpt lists the analyzed SHA-256 sample, the sender address, an Amazon-hosted stager IP, and a generic Amazon JARM value, while cautioning that the sample is archival rather than evidence of a recent campaign.

Indicators of Compromise

Type   Value                                First Seen   Last Seen
HASH   5fec6e533fb9741997530a3d43b60ee…     2024-03-01   2025-02-10
URL    https://work3.b4a.app/download.…     2024-03-01   2025-02-10
URL    https://work3.b4a.app/download.…     2024-03-01   2025-02-10
URL    https://.work3.b4a.app/              2024-03-01   2025-02-10
EMAIL  [email protected]                    2024-03-01   2024-04-09
IPv4   52.87.80.2                           2024-03-01   2024-03-01
