Since July 2022, the North Korean threat group ScarCruft (also known as APT37) has been observed distributing the RokRAT malware using large LNK files. RokRAT itself hasn't changed much over time, but its deployment strategies have: LNK files, which start multi-stage infection chains, are now delivered inside archives.
According to Check Point, the recent RokRAT infections were triggered by lures centred on internal and foreign policy issues in South Korea. Researchers, authors, and businesspeople who are thought to be giving North Korea financial support are among the people ScarCruft is allegedly targeting.