Scarcruft’s ROKRAT Malware: Recent Changes

2026-02-06 S2W

https://s2w.inc/en/resource/detail/1011


ScarCruft is reported to be shifting its recent ROKRAT delivery from the earlier LNK-based chain to Hangul HWP documents that carry OLE-embedded droppers, loaders, or downloaders. The cases described use DLL side-loading, hardcoded payload retrieval, steganographic shellcode delivery, environment and infection checks, and in-memory execution of ROKRAT. Shared technical traits include ROR13-based API resolving, XOR-based payload decryption, and ROKRAT's abuse of legitimate cloud services such as pCloud and Yandex for command-and-control. The overlap with earlier ScarCruft campaigns suggests an evolution of established TTPs and makes malicious HWP OLE objects a key focus for detection and user awareness.
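The ROR13 API resolving mentioned above is the trait an analyst can most directly turn into tooling: precomputing ROR13 hashes of likely Win32 export names lets hashes recovered from a sample be mapped back to the APIs it resolves. The following is an added example, not code from the S2W report or from ROKRAT; the report does not state which ROR13 variant the samples use, so the block implements the classic "rotate right 13, add byte" form with an optional variant that folds in the terminating NUL, over a constructed candidate API list.

```python
# Added example (not from the S2W report): ROR13 hash lookup table for mapping
# API-name hashes found in a sample back to the Win32 export they resolve.
# Assumptions: the sample hashes the plain ASCII export name (classic ROR13);
# include_nul=True covers the variant that also rotates in the terminating NUL.

from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (assumed 0 < bits < 32)."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str, include_nul: bool = False) -> int:
    """Classic ROR13 export-name hash: h = ror(h, 13) + byte for each ASCII byte."""
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_table(names: Iterable[str], include_nul: bool = False) -> Dict[int, str]:
    """Precompute hash -> API name for the exports an analyst expects to see."""
    return {ror13_hash(n, include_nul): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash pulled from a sample back to its API name, or None if unknown."""
    return table.get(h & MASK32)


# Constructed candidate list: exports typically involved in library loading,
# memory allocation and in-memory execution. An analyst would extend this with
# the full export table of each module the sample is observed to walk.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateFileW", "ReadFile",
]

if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    for h, n in sorted(table.items()):
        print(f"0x{h:08x}  {n}")
    # Constructed "recovered" hash: derived from the table itself for the demo.
    print(resolve(ror13_hash("VirtualAlloc"), table))  # prints "VirtualAlloc"
```

If no candidate matches, the sample is likely using a different hashing variant (for example one that also folds in the module name), and the function should be re-derived from the disassembly before the table is rebuilt.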
