RokRAT Malware Using Malicious Hangul (.HWP) Documents

2025-07-23 Ahnlab

https://asec.ahnlab.com/en/89130/

ASEC identified RokRAT being distributed through malicious Hangul Word Processor (.HWP) documents rather than through the malware's more typical LNK-based delivery chain. A North Korean grain-store-themed lure document embedded ShellRunas.exe and credui.dll as OLE objects, which the Hangul process automatically wrote to %TEMP%. When the user followed a hyperlink in the document, the Microsoft-signed ShellRunas.exe was launched and loaded the malicious credui.dll from the same directory via DLL side-loading. That DLL then retrieved a Dropbox-hosted file, Father.jpg, which looked like an image but carried shellcode that loads RokRAT into memory. The resulting payload can collect user information and carry out further actor-directed malicious behavior.
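The side-loading step above has a recognisable telemetry shape: a system DLL name (credui.dll) loaded from a user-writable directory that also holds the loading executable. The following detection logic, added here as an example and not part of the ASEC report, runs over constructed image-load events modelled loosely on Sysmon Event ID 7; the paths, the extra DLL names and the user-writable directory hints are assumptions for the example.

```python
import ntpath

# Constructed sample image-load events (fields loosely modelled on Sysmon Event ID 7).
# The paths are invented for this example and are not taken from the report's telemetry.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\credui.dll"},
    {"process": r"C:\Users\victim\AppData\Local\Temp\ShellRunas.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\credui.dll"},
    {"process": r"C:\Users\victim\AppData\Local\Temp\ShellRunas.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"process": r"C:\Program Files\Hnc\Hwp.exe",
     "image": r"C:\Program Files\Hnc\hncutil.dll"},
]

# DLL names that legitimately live under the Windows system directories. credui.dll is the
# one named in the report; the other two are assumed examples of commonly abused names.
SYSTEM_DLL_NAMES = {"credui.dll", "version.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directory fragments treated as user-writable for this example (assumption, not exhaustive).
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def _norm(path):
    return path.lower().replace("/", "\\")


def is_system_path(path):
    """True if the path is under one of the Windows system directories."""
    return _norm(path).startswith(SYSTEM_DIRS)


def is_user_writable(path):
    """True if the path contains one of the user-writable directory hints."""
    return any(hint in _norm(path) for hint in USER_WRITABLE_HINTS)


def detect_side_loads(events):
    """Return (process, dll) pairs where a system-DLL name is loaded from outside the system
    directories, from the same directory as the loading executable, in a user-writable path.
    The host's own Authenticode signature is deliberately not consulted: ShellRunas.exe is
    legitimately signed, so the signal is where the DLL was loaded from, not who signed the EXE."""
    hits = []
    for ev in events:
        proc, dll = ev["process"], ev["image"]
        if ntpath.basename(dll).lower() not in SYSTEM_DLL_NAMES or is_system_path(dll):
            continue
        same_dir = _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(proc))
        if same_dir and is_user_writable(proc):
            hits.append((proc, dll))
    return hits
```

Only the ShellRunas.exe/credui.dll pair under %TEMP% is flagged; the legitimate credui.dll load from System32 and the unrelated loads are ignored.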