The evolution of North Korean Android spyware

2023-10-04 0x0v1

https://www.0x0v1.com/the-evolution-of-apt37s-rokrat-rambleon-android-spyware/


The research traces how APT37-linked Android ROKRAT appears to have evolved into RambleOn, a more capable Android spyware family observed from 2019 through 2023. Early ROKRAT Android samples were described as backdoor or dropper tools, while RambleOn added spyware capabilities such as SMS theft, audio recording, multi-payload operation, and changed command-and-control mechanisms. The analysis cites code similarities between 2017 and 2018 ROKRAT samples and later RambleOn payloads, including cloud-service-based C2 handling and line-for-line code matches. Victim context included South Korean human rights activists and a journalist working on North Korea-related investigations who was asked over WeChat to install a supposed secure chat app.

Indicators of Compromise

