June 3, 2026

PBX Science


APT37 Weaponizes Facebook Friendships to Deploy RokRAT Trojan

APT37’s Facebook Social Engineering Campaign: RokRAT Delivered via Trojanized PDF App
Threat Intelligence Report
April 2026  ·  Cyber Espionage
APT / North Korea

APT37 Weaponizes Facebook Friendships to Deploy RokRAT Trojan

North Korea’s ScarCruft abandons traditional phishing in favor of months-long social media grooming, delivering a backdoor hidden inside a trojanized PDF reader — a significant escalation in the group’s tradecraft.

▸ Threat at a Glance
Threat Actor: APT37 / ScarCruft
Aliases: Reaper, Ricochet Chollima
Origin: North Korea (RGB)
Primary Malware: RokRAT (Backdoor)
Initial Vector: Facebook Social Engineering
C2 Infrastructure: Zoho WorkDrive (abused)
Report Source: Genians Security Center
Report Date: April 13, 2026

Background: A Persistent and Adaptive Adversary

APT37, operating under North Korea’s Reconnaissance General Bureau (RGB), has been conducting cyber espionage operations since at least 2012. Its targets are consistently drawn from think tanks, academic institutions, military enterprises, and government agencies — primarily in South Korea and the United States — with a clear mandate to steal intelligence aligned with Pyongyang’s geopolitical interests.

The group’s signature weapon, RokRAT, is a remote access trojan that uses legitimate cloud storage services for command and control, and its core capabilities have remained remarkably stable across years of operations. What has evolved, according to GSC analysis, is the delivery, execution, and evasion chain surrounding it — a pattern this latest campaign exemplifies in striking fashion.

Previous documented APT37 campaigns tracked by GSC include “Operation ToyBox Story” (May 2025), which used spear-phishing emails impersonating a South Korean national security think tank, and “Operation Artemis” (December 2025), which exploited HWP documents to achieve DLL sideloading. The Facebook-based campaign represents the group’s boldest pivot yet toward social media as an initial access vector.

The Attack: A Six-Stage Chain

GSC’s technical report reconstructs a meticulous, multi-stage intrusion designed to maximize trust before deploying any malware. Each stage is engineered to appear legitimate to the victim.

▸ Attack Chain Overview
01. Facebook Persona & Trust Building

Operators created two Facebook accounts — richardmichael0828 and johnsonsophia0414 — both on November 10, 2025, with profile locations listing North Korean cities. The accounts proactively sent friend requests to carefully selected individuals in defense-related sectors and engaged in extended, low-pressure conversations to build credibility.

02. Platform Migration to Messenger, then Telegram

Once a baseline of trust was established on Facebook, operators moved the conversation to Facebook Messenger for more direct engagement, then shifted again to Telegram — framed as a need for a “more secure” communication channel. This migration reduces the risk of platform-level detection and account banning.

03. Delivery of Malicious ZIP Archive

Using the pretext of sharing encrypted military weapons documents, the attacker convinced the target that a specialized PDF reader was required to open the files. A ZIP archive was then delivered containing: a trojanized Wondershare PDFelement installer (with embedded, encrypted shellcode), four legitimate-looking PDF documents as bait, and a text file with installation instructions.

04. Initial Execution & C2 Beacon

When the victim runs the modified PDFelement installer, the embedded shellcode decrypts and executes in memory — completing a fully fileless first stage. The malware then beacons out to the attacker-controlled C2 server: japanroom[.]com, a compromised website associated with the Seoul branch of a Japanese real estate information service.

05. Second-Stage Payload via Disguised JPG

The C2 server delivers a file named 1288247428101.jpg — which, despite its image extension, is actually the second-stage executable payload. A second decryption pass using a 4-byte key yields a PE image from which the MZ and PE signatures have been stripped; the image is then mapped and executed entirely in memory, never touching disk.

06. RokRAT Deployment & Persistent Exfiltration

The final payload — a RokRAT variant closely matching the December 2025 sample — is launched. It communicates exclusively via Zoho WorkDrive’s legitimate OAuth2 API with multiple hardcoded client IDs and refresh tokens, blending C2 traffic with normal SaaS activity. Capabilities include: screenshot capture, remote command execution via cmd.exe, host and process enumeration, public IP geolocation, and exfiltration of documents with extensions including DOC, XLS, PPT, PDF, HWP, TXT, M4A, and AMR.

This is assessed as a highly evasive strategy that combines legitimate software tampering, abuse of a legitimate website, and file extension masquerading.

— Genians Security Center (GSC), Technical Report, April 2026

Evasion Techniques & Why This Campaign Is Unusual

The campaign stands out for layering multiple evasion strategies simultaneously. Rather than relying on any single technique, APT37 combined four distinct methods to frustrate detection at every stage of the kill chain.

Legitimate Software Tampering

Embedding shellcode inside a genuine, commercially available PDF application allows the initial installer to pass basic file reputation checks. Victims see the familiar Wondershare branding while the malicious payload executes silently in the background.

Compromised Legitimate Infrastructure for C2

By routing initial command-and-control through a real, previously legitimate business website (japanroom[.]com), outbound traffic to the C2 server avoids domain-reputation blacklists and doesn’t raise immediate red flags in network logs.

Cloud Service API Abuse for Persistent C2

RokRAT’s use of Zoho WorkDrive’s OAuth2 API is a continuation of APT37’s well-documented pattern of abusing legitimate cloud storage platforms — previously including Dropbox, pCloud, and Yandex Cloud. Because these are trusted enterprise SaaS providers, their traffic is rarely inspected or blocked by enterprise firewalls. GSC additionally noted that the same account IDs were registered across different cloud services on the same date, suggesting a systematically coordinated multi-cloud infrastructure.

File Extension Masquerading

Disguising a PE executable as a .jpg image file exploits security tools that rely on file extension rather than byte-level signature analysis to determine file type — a deceptively simple but effective technique.

Attribution note: GSC also identified the debugging string "JinHyok" during C2 communication — a clue consistent with North Korean-linked threat actors. Additionally, decoy documents used the North Korean typeface “Chollima,” further reinforcing attribution to APT37.

Indicators of Compromise (IoCs)

Confirmed Indicators of Compromise
FB Account 1: richardmichael0828
FB Account 2: johnsonsophia0414
Account Created: November 10, 2025 (both accounts)
C2 Domain: japanroom[.]com (compromised)
2nd-Stage File: 1288247428101.jpg (PE disguised as JPG)
Trojanized App: Wondershare PDFelement (modified installer)
C2 Platform: Zoho WorkDrive (OAuth2 API abuse)
Debug String: “JinHyok” (observed during C2 communication)
Zoho Account: leon91729@zoho.com (identified H2 2025)

Defensive Recommendations

The campaign’s sophistication demands a multi-layered defensive posture. Traditional signature-based detection is unlikely to catch all stages of this attack. GSC and other security researchers recommend the following:

Social media policy and awareness training should be updated to include scenarios where multi-day or multi-week trust-building precedes a malicious file delivery. Employees in defense, government, and policy sectors are primary targets and should be briefed explicitly on this tactic.

Behavior-based endpoint detection (EDR) is essential. Because the execution chain is fully fileless after stage one — with no malicious file ever written to disk — static antivirus tools that inspect file signatures will not detect the in-memory payload. EDR solutions should be tuned to flag anomalous process injection, unexpected spawning of cmd.exe by installer processes, and network connections from PDF-related applications.
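The rule above (installer process spawning cmd.exe, followed by host and process enumeration) can be expressed as a small process-tree check. The following is an added example, not GSC's detection content or any EDR vendor's rule; the events are constructed Sysmon-like process-creation records, and the installer/PDF process names and the enumeration-tool list are assumptions chosen for illustration, not indicators from the report.

```python
"""Endpoint (EDR-style) detection for the execution chain described above:
a trojanized installer that spawns cmd.exe and runs enumeration commands.
Added example; events are constructed Sysmon-like process-creation records,
and the installer/PDF process names are assumptions, not report indicators.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full image path of the new process
    command_line: str


# Constructed telemetry: explorer launches the trojanized setup (1001), which
# spawns cmd.exe (1002) that runs host enumeration and a nested shell (1005).
# 1003 and 1004 are benign contrast cases (plain shell, normal PDF viewing).
SAMPLE_EVENTS = [
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 500, r"C:\Users\victim\Downloads\PDFelement-Setup.exe",
              r'"C:\Users\victim\Downloads\PDFelement-Setup.exe"'),
    ProcEvent(1002, 1001, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami & systeminfo & tasklist"),
    ProcEvent(1005, 1002, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir C:\\Users"),
    ProcEvent(1003, 500, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(1004, 500, r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
              r'"PDFelement.exe" brochure.pdf'),
]

SHELLS = {"cmd.exe", "powershell.exe"}
INSTALLER_HINTS = ("setup", "install", "pdfelement")   # assumed naming heuristic
ENUM_TOOLS = {"whoami", "systeminfo", "tasklist", "ipconfig", "net"}  # host/process enumeration


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, index: dict) -> list:
    """Walk parent links and return ancestor image basenames, nearest first.
    The 'seen' set guards against PID reuse producing a loop."""
    chain, seen = [], set()
    ev = index.get(pid)
    while ev and ev.ppid in index and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = index[ev.ppid]
        chain.append(basename(ev.image))
    return chain


def looks_like_installer(name: str) -> bool:
    return any(h in name for h in INSTALLER_HINTS)


def detect(events: list) -> dict:
    """Map pid -> set of rule names that fired for shell processes."""
    index = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        if basename(ev.image) not in SHELLS:
            continue
        fired = set()
        # Rule 1: any ancestor (not just the direct parent) is an installer/PDF app.
        if any(looks_like_installer(a) for a in ancestry(ev.pid, index)):
            fired.add("shell_under_installer")
        # Rule 2: the shell's command line invokes enumeration utilities
        # (noisy on its own; strongest when it co-occurs with rule 1).
        tokens = {t.strip('"').lower() for t in ev.command_line.split()}
        if tokens & ENUM_TOOLS:
            fired.add("enumeration_commands")
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
```

Walking the full ancestry rather than only the direct parent matters here: the nested shell (1005) is two hops below the installer and would be missed by a parent-only rule.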

Network monitoring for cloud service anomalies is particularly important given RokRAT’s use of Zoho WorkDrive for C2. Security teams should not assume traffic to legitimate SaaS platforms is safe — inspect for unusual authentication patterns, excessive API calls from workstations, and connections to cloud storage APIs from unexpected processes.
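The three checks named here (unusual authentication patterns, excessive API calls from workstations, cloud storage API connections from unexpected processes) can be run over proxy or EDR network telemetry that records the originating process. Added example, not GSC's or any vendor's detection content: the events are constructed, and the Zoho host names, the OAuth token endpoint path, the browser allowlist and the rate threshold are all assumptions made for illustration.

```python
"""Network-side detection for cloud-storage C2 such as RokRAT's Zoho WorkDrive
channel. Added example with constructed proxy/EDR network records; the Zoho
host names, OAuth token path, browser allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NetEvent:
    ts: int        # seconds into the observation window (constructed)
    process: str   # endpoint process image name that opened the connection
    host: str      # destination host (SNI / proxy log)
    path: str      # request path where the proxy can see it


CLOUD_API_HOSTS = {"www.zohoapis.com", "accounts.zoho.com", "workdrive.zoho.com"}  # assumed
OAUTH_TOKEN_PATH = "/oauth/v2/token"        # assumed refresh-token endpoint path
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}             # assumed allowlist
PDF_APPS = {"pdfelement.exe", "acrord32.exe", "acrobat.exe"}       # assumed list
RATE_THRESHOLD, RATE_WINDOW = 20, 60        # >20 calls per process+host per minute


def make_sample_events() -> list:
    """Constructed telemetry: benign browser use of WorkDrive, a PDF viewer
    checking for updates, and a non-browser process doing an OAuth token
    grant followed by beacon-like polling of the WorkDrive API every 2 s."""
    events = [NetEvent(5, "chrome.exe", "workdrive.zoho.com", "/home"),
              NetEvent(9, "chrome.exe", "www.zohoapis.com", "/workdrive/api/v1/files"),
              NetEvent(12, "pdfelement.exe", "updates.example.invalid", "/check"),
              NetEvent(15, "PDFelement-Setup.exe", "accounts.zoho.com", OAUTH_TOKEN_PATH)]
    events += [NetEvent(20 + 2 * i, "PDFelement-Setup.exe", "www.zohoapis.com",
                        "/workdrive/api/v1/files") for i in range(25)]
    return events


def excessive_callers(events: list) -> set:
    """(process, host) pairs exceeding RATE_THRESHOLD calls in any RATE_WINDOW,
    found with a sliding window over sorted timestamps."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.process.lower(), ev.host)].append(ev.ts)
    flagged = set()
    for pair, stamps in by_pair.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > RATE_WINDOW:
                lo += 1
            if hi - lo + 1 > RATE_THRESHOLD:
                flagged.add(pair)
                break
    return flagged


def detect(events: list) -> dict:
    """Map lower-cased process name -> set of rule names that fired."""
    hits = defaultdict(set)
    for ev in events:
        proc = ev.process.lower()
        # Rule 1: cloud storage API reached by something other than a browser.
        if ev.host in CLOUD_API_HOSTS and proc not in BROWSERS:
            hits[proc].add("cloud_api_from_unexpected_process")
        # Rule 2: OAuth token grant (the refresh-token flow) from a non-browser.
        if ev.host == "accounts.zoho.com" and ev.path == OAUTH_TOKEN_PATH and proc not in BROWSERS:
            hits[proc].add("oauth_token_grant_from_unexpected_process")
        # Rule 3: a PDF application has no business opening network connections.
        if proc in PDF_APPS:
            hits[proc].add("pdf_app_network_activity")
    # Rule 4: polling rate typical of a beacon, per process and host.
    for proc, _host in excessive_callers(events):
        hits[proc].add("excessive_api_calls")
    return dict(hits)


if __name__ == "__main__":
    for proc, rules in sorted(detect(make_sample_events()).items()):
        print(proc, sorted(rules))
```

The rate rule is keyed on the process/host pair rather than on the host alone so that a busy browser session does not mask a beaconing process on the same machine.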

File type validation beyond extension checking should be enforced at email gateways and web proxies. A file with a .jpg extension that contains a Windows PE header should be blocked and flagged.
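A byte-level check of the kind described here is shown below as an added example (not GSC tooling or a vendor product); the magic numbers are the well-known ones and the sample files are constructed in memory. It generalises slightly beyond the text: besides blocking any file whose bytes carry a PE header regardless of extension, it flags extension/content mismatches, and it carries the caveat the report implies: the stage-2 file was encrypted with its MZ/PE signatures stripped, so a header check alone would pass it. An entropy heuristic (the threshold is an assumption) routes such unrecognised high-entropy "images" to review instead.

```python
"""Byte-level file type validation for a gateway or proxy. Added example;
magic numbers are the well-known ones, sample files are constructed, and
ENTROPY_THRESHOLD is an assumption."""
import math
import struct
from collections import Counter

MAGICS = {                       # canonical type -> leading byte signatures
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],
}
EXT_ALIASES = {"jpeg": "jpg"}
ENTROPY_THRESHOLD = 7.5          # assumed bits/byte above which data looks encrypted


def is_pe(data: bytes) -> bool:
    """True when data carries a Windows PE header: an 'MZ' DOS stub and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (DOS header +0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff(data: bytes) -> str:
    """Type implied by the bytes themselves: 'pe', a MAGICS key, or 'unknown'."""
    if is_pe(data):
        return "pe"
    for kind, sigs in MAGICS.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def verdict(filename: str, data: bytes) -> tuple:
    """(action, reason): 'block' for any PE, 'review' for mismatches or for
    unrecognised high-entropy content claiming a known extension, else 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    found = sniff(data)
    if found == "pe":
        return ("block", "pe_header_with_%s_extension" % (claimed or "no"))
    if claimed not in MAGICS:
        return ("review", "unlisted_extension")
    if found == claimed:
        return ("allow", "ok")
    if found == "unknown":
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            return ("review", "high_entropy_unrecognised_content")
        return ("review", "unrecognised_content")
    return ("review", "type_mismatch_%s_as_%s" % (found, claimed))


# Constructed samples: a JFIF prefix, a minimal PE skeleton (MZ stub,
# e_lfanew = 0x40, PE signature), and a uniform byte blob standing in for
# an encrypted, header-stripped second stage (entropy exactly 8.0).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
PE_SAMPLE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 64
ENCRYPTED_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG_SAMPLE), ("1288247428101.jpg", PE_SAMPLE),
                       ("1288247428101.jpg", ENCRYPTED_SAMPLE), ("notes.pdf", JPEG_SAMPLE)]:
        print(name, verdict(name, blob))
```

The PE test deliberately follows e_lfanew to the PE signature rather than stopping at "MZ", since plenty of legitimate non-executable data can begin with those two letters; the entropy rule is a triage aid, not a verdict, because compressed images also score high.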


This report is based on technical analysis published by Genians Security Center (GSC) on April 13, 2026, corroborated by coverage from The Hacker News, GBHackers, and CyberPress. Indicators of compromise are reproduced for defensive purposes. The C2 domain is defanged with bracket notation to prevent accidental navigation.
