
A North Korean hacker group tracked as APT37 (also known as ScarCruft) is believed to be behind a new multi-stage social engineering campaign in which the threat actors approached targets on Facebook, added them as friends, and turned that trust-building exercise into a delivery channel for a remote access Trojan known as RokRAT.
“The attackers used two Facebook accounts with locations in Pyongyang and Pyongseong, North Korea, to identify and screen targets,” the Genians Security Center (GSC) said in a technical breakdown of the campaign. “After building trust through friend requests, the attackers moved the conversation to Messenger and used specific topics to lure their targets as part of the initial social engineering stage of the attack.”
At the heart of the attack is what GSC calls pretexting: the attackers trick unsuspecting users into installing a specialized PDF viewer by claiming that the software is needed to open encrypted military documents. The PDF viewer used in the infection chain is a modified version of Wondershare PDFelement that, when launched, executes embedded shellcode, giving the attackers an initial foothold.
Another key aspect of the campaign is its use of legitimate but compromised command-and-control (C2) infrastructure: websites associated with the Seoul division of a Japanese real estate information service were weaponized to issue commands and serve payloads. The payload itself takes the form of a seemingly innocuous JPG image that delivers RokRAT.
“This is assessed to be a sophisticated evasion strategy that combines legitimate software modification, exploitation of legitimate websites, and file extension masquerading,” GSC said.

In a series of attacks detailed by the South Korean cybersecurity firm, the attackers created two Facebook accounts, “richardmichael0828” and “johnsonsophia0414,” both of which were found to have been created on November 10, 2025, and distributed a ZIP file after moving the conversation to Telegram. The archive contains a trojanized version of Wondershare PDFelement, four PDF documents, and a text file with instructions to install the program in order to view the PDFs.
Encrypted shellcode executed after launching the modified installer establishes communication with the C2 server (“japanroom[.]com”) and downloads the second-stage payload, a JPG image (“1288247428101.jpg”), which carries the final RokRAT payload.
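A practical check for the file-extension masquerade described above is to ask whether a “.jpg” really ends where its JPEG structure ends. The following is an added example (not code from the GSC report or from the campaign’s tooling): it walks the JPEG marker segments to locate the EOI marker, measures anything appended after it, and flags an embedded PE header or a high-entropy blob. The JPEG bytes and the two trailers are constructed inline for the demonstration; the entropy threshold of 7.0 bits is an assumed heuristic, not a figure from the report.

```python
"""Detect payloads appended after a JPEG's EOI marker (file-extension masquerade).
Added example code; all sample bytes below are constructed, not real samples."""
import math
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # RST0-RST7: part of the scan data
STANDALONE = RST | {0x01}             # markers that carry no length field


def find_eoi(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i < n and data[i] == 0xFF:          # skip optional fill bytes
            i += 1
        if i >= n:
            break
        marker = data[i]
        i += 1
        if marker == EOI:
            return i
        if marker in STANDALONE:
            continue
        if i + 2 > n:
            raise ValueError("truncated segment header")
        (seglen,) = struct.unpack(">H", data[i:i + 2])
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {i}")
        i += seglen
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header: 0xFF00 is a
            # stuffed byte and RSTn markers belong to the scan; any other
            # 0xFF-prefixed marker ends it.
            while i < n:
                if data[i] != 0xFF:
                    i += 1
                elif i + 1 < n and (data[i + 1] == 0x00 or data[i + 1] in RST):
                    i += 2
                else:
                    break
    raise ValueError("no EOI marker found (truncated image)")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_image(data: bytes) -> dict:
    """Report what, if anything, trails the JPEG's EOI marker."""
    eoi = find_eoi(data)
    trailer = data[eoi:]
    ent = shannon_entropy(trailer)
    if not trailer:
        verdict = "clean: file ends at EOI"
    elif trailer.startswith(b"MZ"):
        verdict = "suspicious: appended PE executable (MZ header)"
    elif ent > 7.0:                        # assumed heuristic threshold
        verdict = "suspicious: high-entropy appended data (encrypted/packed?)"
    else:
        verdict = "appended data after EOI: inspect manually"
    return {"eoi_offset": eoi, "trailer_len": len(trailer),
            "trailer_entropy": round(ent, 2), "verdict": verdict}


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: SOI, APP0/JFIF, DQT, SOF0 (8x8 grayscale), DHT,
# SOS, a few scan bytes containing one stuffed 0xFF00, then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xDB, b"\x00" + bytes(range(1, 65)))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(0xC4, b"\x00" + b"\x00\x01\x05\x01\x01\x01\x01\x01\x01"
           + b"\x00" * 7 + bytes(range(12)))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x2a\xf1\xff\x00\x7c"
    + b"\xff\xd9"
)
PE_TRAILER = b"MZ" + b"\x90" * 200        # constructed stand-in for a dropped EXE
BLOB_TRAILER = bytes(range(256)) * 4      # constructed stand-in for an encrypted blob
TROJANIZED_PE = CLEAN_JPEG + PE_TRAILER
TROJANIZED_BLOB = CLEAN_JPEG + BLOB_TRAILER

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("pe", TROJANIZED_PE),
                       ("blob", TROJANIZED_BLOB)):
        print(name, inspect_image(blob))
```

The check is a triage heuristic, not a full verdict: it catches the common case of a payload simply appended past EOI, but a stage hidden inside the entropy-coded scan data or in an APPn segment would pass it, so a hit on "appended data" should be followed by carving the trailer and examining it separately.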
The malware uses Zoho WorkDrive as a C2, a tactic also detailed by Zscaler ThreatLabz in February 2026 as part of a campaign codenamed Ruby Jumper. RokRAT can capture screenshots, execute remote commands via “cmd.exe”, gather host information, perform system reconnaissance, and disguise its malicious traffic to evade detection by security products such as Qihoo’s 360 Total Security.
“Its core functionality is relatively stable and has been repeatedly reused in multiple operations over an extended period of time,” GSC said. “This indicates that RokRAT is more focused on evolving the delivery, execution, and evasion chain than changing core functionality.”
