ROKRAT Reloaded

2017-11-28 Cisco Talos

http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html


Talos identified a November 2017 ROKRAT variant delivered through a malicious HWP document whose lure referenced a South Korea-based group working on North Korean human rights and reunification. The document dropped a ROKRAT loader named HncModuleUpdate.exe, which decoded an embedded payload, injected shellcode into cmd.exe, and ran a new ROKRAT payload entirely in memory. The variant reused reconnaissance logic, PDB path naming patterns, screenshot filename patterns, and cloud-service C2 tradecraft from earlier ROKRAT and Evil New Year activity, and added credential theft from Internet Explorer, Chrome, Firefox, and Microsoft Vault. Talos also found code overlap with the Freenki loader from the FreeMilk campaign, supporting a link between the ROKRAT author and the FreeMilk operators or their collaborators.
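
The loader chain above (HncModuleUpdate.exe starting, spawning cmd.exe, then injecting into it) is a natural hunting target. The following is an added detection example, not code from the Talos report; it runs over constructed Sysmon-style event lines (process creation, Event ID 1, and CreateRemoteThread, Event ID 8) that are invented for illustration, and the only indicators it relies on are the loader filename and the cmd.exe injection host named in the summary. Field names follow Sysmon (Image, ParentImage, SourceImage, TargetImage); the paths and parent processes in the sample lines are assumptions.

```python
"""Hunt Sysmon-style events for the ROKRAT loader chain described by Talos:
HncModuleUpdate.exe executing, spawning cmd.exe, and injecting into cmd.exe.
Added example; the sample event lines below are constructed, not real telemetry."""
import re
from typing import Dict, Iterable, List, Tuple

LOADER = "hncmoduleupdate.exe"   # loader filename reported in the Talos write-up
INJECT_HOST = "cmd.exe"          # process the loader injects its shellcode into

# Key=Value pairs; values may be quoted and contain spaces/backslashes.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value Key2="quoted value"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def find_loader_chains(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for each event matching the loader chain.

    loader_executed    : Event ID 1 where the created image is HncModuleUpdate.exe
    loader_spawns_cmd  : Event ID 1 where cmd.exe is created by HncModuleUpdate.exe
    loader_injects_cmd : Event ID 8 where HncModuleUpdate.exe creates a thread in cmd.exe
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            if image == LOADER:
                findings.append(("loader_executed",
                                 f"{ev['Image']} started by {ev.get('ParentImage', '?')}"))
            elif image == INJECT_HOST and parent == LOADER:
                findings.append(("loader_spawns_cmd",
                                 f"{ev['ParentImage']} -> {ev['Image']}"))
        elif eid == "8":
            src = basename(ev.get("SourceImage", ""))
            dst = basename(ev.get("TargetImage", ""))
            if src == LOADER and dst == INJECT_HOST:
                findings.append(("loader_injects_cmd",
                                 f"{ev['SourceImage']} -> {ev['TargetImage']}"))
    return findings


# Constructed sample telemetry (assumed paths; the HWP viewer as parent is an assumption).
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Users\\Public\\HncModuleUpdate.exe" '
    'ParentImage="C:\\Program Files\\Hnc\\Office\\Hwp.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Users\\Public\\HncModuleUpdate.exe"',
    'EventID=8 SourceImage="C:\\Users\\Public\\HncModuleUpdate.exe" '
    'TargetImage="C:\\Windows\\System32\\cmd.exe"',
    # Benign: cmd.exe launched from Explorer, should not match.
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for rule, detail in find_loader_chains(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The filename match is deliberately the weakest part of the rule: an operator can rename the loader, so the cmd.exe spawn and the Event ID 8 injection into cmd.exe are the more durable signals, and in production you would pair them with the dropped file's hash or signer rather than its name alone.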
