RoKRAT shellcode and steganography-based threat analysis and EDR response strategies

2025-08-03 Genians RoKRAT shellcode and steganography-based threat analysis and EDR response strategies

https://www.genians.co.kr/blog/threat_intelligence/rokrat_shellcode_steganographic


Genians analyzes an APT37 RoKRAT campaign in Korea that used oversized LNK files, malicious HWP/OLE content, DLL side-loading, and JPEG steganography to load payloads. One infection chain hides a decoy HWP document, batch script, PowerShell command, and shellcode inside a shortcut, then uses staged XOR decoding to produce a 32-bit RoKRAT executable and inject it into mspaint.exe or notepad.exe. The final RoKRAT module collects host information, documents, and screenshots, then attempts exfiltration through legitimate cloud services including Yandex and Dropbox using cloud API requests and access tokens. The report also documents RoKRAT hidden inside JPEG resources and reinforces the need to monitor external cloud API traffic, script execution, and fileless loader behavior.
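As an added example, not code from the Genians report, the following hunting check runs over constructed EDR-style network-connection events and flags the pattern the summary describes: one of the injection hosts (mspaint.exe or notepad.exe) opening a connection to a cloud storage API. The event field names and the Dropbox API hostname are assumptions; cloud-api.yandex.net is the domain named in the report.

```python
import json
import ntpath
from typing import Dict, List

# Processes the report says RoKRAT is injected into; neither has a reason
# to talk to a cloud storage API on its own.
INJECTION_HOSTS = {"mspaint.exe", "notepad.exe"}
# cloud-api.yandex.net comes from the report; the Dropbox API hostnames are
# assumptions added here as representative values.
CLOUD_API_HOSTS = {"cloud-api.yandex.net", "api.dropboxapi.com", "content.dropboxapi.com"}

# Constructed sample telemetry (one JSON object per line, with one deliberately
# malformed line); field names are assumptions, not a vendor schema.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-08-03T09:12:01Z", "host": "WS-17", "pid": 4120,
     "image": r"C:\Windows\System32\mspaint.exe", "dest_host": "cloud-api.yandex.net", "dest_port": 443},
    {"ts": "2025-08-03T09:12:05Z", "host": "WS-17", "pid": 3001,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "cloud-api.yandex.net", "dest_port": 443},
    {"ts": "2025-08-03T09:13:40Z", "host": "WS-22", "pid": 5588,
     "image": r"C:\Windows\System32\notepad.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"ts": "2025-08-03T09:14:02Z", "host": "WS-22", "pid": 5589,
     "image": r"C:\Windows\System32\notepad.exe", "dest_host": "update.example.internal", "dest_port": 80},
]) + "\nthis line is not json"

def parse_events(raw: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def is_suspicious(ev: Dict) -> bool:
    """True when an injection host process connects to a cloud storage API endpoint."""
    image = ntpath.basename(ev.get("image", "")).lower()   # ntpath handles Windows paths on any OS
    dest = ev.get("dest_host", "").lower()
    return image in INJECTION_HOSTS and dest in CLOUD_API_HOSTS

def find_injected_exfil(raw: str) -> List[str]:
    """Return one alert line per event matching the RoKRAT exfiltration pattern."""
    return [f"{ev['ts']} {ev['host']} pid={ev['pid']} "
            f"{ntpath.basename(ev['image'])} -> {ev['dest_host']}"
            for ev in parse_events(raw) if is_suspicious(ev)]

if __name__ == "__main__":
    for alert in find_injected_exfil(SAMPLE_LOG):
        print(alert)
```

The firefox.exe connection to the same Yandex endpoint is intentionally left unflagged: the signal is the process identity, not the destination alone, so the rule stays quiet for ordinary cloud-client traffic.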

Indicators of Compromise

