The North Korean threat actor known asScarCruftbegan experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoftbegan blocking macrosacross Office documents by default. “RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate