RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

2025-08-03 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic


Genians identifies a new RoKRAT variant used by APT37 and delivered in South Korea through a compressed archive containing an unusually large malicious LNK file. The shortcut masquerades as a national intelligence and counterintelligence manuscript and embeds a decoy HWP document, shellcode, PowerShell commands, and a batch script. The execution flow runs batch and PowerShell stages that decode shellcode with XOR operations, produce a 32-bit executable, and inject payloads into hardcoded Windows processes such as mspaint.exe, with a later variant switching to notepad.exe. The embedded PDB path containing InjectShellcode, and later a Weapon directory, gives defenders useful variant-tracking evidence while showing continued fileless and shortcut-based tradecraft tied to APT37.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
EMAIL   [email protected]                  2025-08-03   2026-04-12
HASH    443a00feeb3beaea02b2fbcd4302a3c9   2025-08-03   2026-01-14
HASH    f6d72abf9ca654a20bbaf23ea1c10a55   2025-06-09   2025-08-29
DOMAIN  cloud-api.yandex.net               2018-02-27   2025-08-29
HASH    d5fe744b9623a0cc7f0ef6464c5530da   2025-08-03   2025-08-03
HASH    5ed95cde6c29432a4f7dc48602f82734   2025-08-03   2025-08-03
HASH    fd9099005f133f95a5b699ab30a2f79b   2025-08-03   2025-08-03
HASH    ae7e18a62abb7f93b657276dcae985b9   2025-08-03   2025-08-03
HASH    e4813c34fe2327de1a94c51e630213d1   2025-08-03   2025-08-03
HASH    64d729d0290e2c8ceaa6e38fa68e80e9   2025-08-03   2025-08-03
HASH    a2ee8d2aa9f79551eb5dd8f9610ad557   2025-08-03   2025-08-03
HASH    e13c3a38ca58fb0fa9da753e857dd3d5   2025-08-03   2025-08-03
HASH    16a8aaaf2e3125668e6bfb1705a065f9   2025-08-03   2025-08-03
EMAIL   [email protected]                  2025-08-03   2025-08-03
EMAIL   [email protected]                  2025-08-03   2025-08-03
EMAIL   [email protected]                  2025-08-03   2025-08-03
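As an added defender-side example (not code from Genians or from the report itself), the Python helpers below turn the execution chain summarised above and the IOC table into simple triage checks: a script interpreter (cmd.exe/powershell.exe) spawning one of the hardcoded injection hosts (mspaint.exe, later notepad.exe), an oversized .lnk file, a PDB path carrying the InjectShellcode or Weapon marker, and hash or domain matches against the table. The size threshold, the sample process events, file contents, PDB path and hostnames are constructed assumptions; the hash values are treated as MD5 only because of their 32-hex length, which the table does not state.

```python
"""Triage helpers for the RoKRAT LNK delivery chain (added example, not Genians' code)."""
import hashlib
from dataclasses import dataclass

# Hash values copied from the IOC table; treated as MD5 (assumption based on length).
ROKRAT_MD5 = {
    "443a00feeb3beaea02b2fbcd4302a3c9", "f6d72abf9ca654a20bbaf23ea1c10a55",
    "d5fe744b9623a0cc7f0ef6464c5530da", "5ed95cde6c29432a4f7dc48602f82734",
    "fd9099005f133f95a5b699ab30a2f79b", "ae7e18a62abb7f93b657276dcae985b9",
    "e4813c34fe2327de1a94c51e630213d1", "64d729d0290e2c8ceaa6e38fa68e80e9",
    "a2ee8d2aa9f79551eb5dd8f9610ad557", "e13c3a38ca58fb0fa9da753e857dd3d5",
    "16a8aaaf2e3125668e6bfb1705a065f9",
}
ROKRAT_DOMAINS = {"cloud-api.yandex.net"}          # from the IOC table
INJECTION_HOSTS = {"mspaint.exe", "notepad.exe"}    # hardcoded hosts named in the report
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}        # interpreters for the batch/PS stages
LARGE_LNK_BYTES = 1_000_000   # assumed threshold; the report only says "unusually large"
PDB_MARKERS = ("InjectShellcode", "\\Weapon\\")      # PDB fragments used for variant tracking


@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "powershell.exe"
    image: str     # child image name
    cmdline: str


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_is_ioc(data: bytes) -> bool:
    """True if the MD5 of the given bytes is listed in the IOC table."""
    return md5_hex(data) in ROKRAT_MD5


def is_oversized_lnk(name: str, size: int) -> bool:
    """Flag .lnk files at or above the assumed size threshold."""
    return name.lower().endswith(".lnk") and size >= LARGE_LNK_BYTES


def is_injection_host_spawn(ev: ProcEvent) -> bool:
    """A script interpreter launching mspaint/notepad matches the injection stage."""
    return ev.parent.lower() in SCRIPT_HOSTS and ev.image.lower() in INJECTION_HOSTS


def pdb_variant(pdb_path: str):
    """Return the first variant marker found in a PDB path, or None."""
    low = pdb_path.lower()
    for marker in PDB_MARKERS:
        if marker.lower() in low:
            return marker
    return None


def contacts_ioc_domain(host: str) -> bool:
    return host.lower().rstrip(".") in ROKRAT_DOMAINS


def triage(events, files, pdb_paths, hosts) -> list:
    """Collect findings from process events, (name, bytes) files, PDB paths and hosts."""
    findings = []
    for ev in events:
        if is_injection_host_spawn(ev):
            findings.append(f"injection-host spawn: {ev.parent} -> {ev.image}")
    for name, data in files:
        if hash_is_ioc(data):
            findings.append(f"ioc hash match: {name}")
        if is_oversized_lnk(name, len(data)):
            findings.append(f"oversized lnk: {name} ({len(data)} bytes)")
    for path in pdb_paths:
        marker = pdb_variant(path)
        if marker:
            findings.append(f"pdb marker {marker}: {path}")
    for host in hosts:
        if contacts_ioc_domain(host):
            findings.append(f"ioc domain: {host}")
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe /c manuscript.bat"),
    ProcEvent("powershell.exe", "mspaint.exe", "mspaint.exe"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]
SAMPLE_FILES = [
    ("manuscript.lnk", b"\x4c\x00\x00\x00" + b"\x00" * LARGE_LNK_BYTES),
    ("decoy.hwp", b"constructed decoy bytes"),
]
SAMPLE_PDB_PATHS = ["C:\\constructed\\Weapon\\Release\\loader.pdb"]
SAMPLE_HOSTS = ["cloud-api.yandex.net", "example.com"]


def run_sample() -> list:
    return triage(SAMPLE_EVENTS, SAMPLE_FILES, SAMPLE_PDB_PATHS, SAMPLE_HOSTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the sample data the triage reports four findings: the powershell.exe to mspaint.exe spawn, the oversized .lnk, the Weapon PDB marker and the cloud-api.yandex.net contact. The parent-child check is deliberately narrow (interpreter to hardcoded host) so it stays useful as an EDR rule; broaden SCRIPT_HOSTS only after measuring how often those pairs occur in your own environment.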
