This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file as a decoy, while deploying the RokRAT backdoor malware capable of collecting user information and performing various malicious activities at the threat actor's command using cloud services like pCloud, Yandex, and DropBox. The report provides insights into the operation structure, malicious behaviors, and indicators of compromise associated with this campaign.