APT37 Uses Facebook Social Engineering to Spread RokRAT, New Insights Revealed

Significant risk: action recommended within 24-48 hours
APT37, a group of hackers from North Korea, tricks people on Facebook into thinking they are friends. They send fake files that look safe but actually install harmful software on the victim's computer, allowing the hackers to steal information without being noticed.
APT37 has launched a new targeted intrusion campaign using social media and tampered software to spread RokRAT malware. Learn how they exploit trust and disguise malicious activities.
How It Works
APT37, also known as ScarCruft, has launched a targeted intrusion campaign that uses social media platforms and encrypted messaging apps to compromise victims. The campaign begins with two Facebook accounts, 'richardmichael0828' and 'johnsonsophia0414', both registered on November 10, 2025, with their locations set to Pyongyang and Pyongsong, North Korea. After sending friend requests to carefully selected targets, the attackers build trust through one-on-one Messenger conversations, often about military weapons technology, to establish a believable context.
Once the target shows genuine interest, the conversation moves to Telegram, where the malicious content is delivered. The attackers use pretexting: the victim is told that the encrypted military documents can only be opened with a special viewer. That viewer is a tampered build of Wondershare PDFelement presented as the legitimate software installer.
Technical Details
The malicious installer ships in an encrypted ZIP archive named 'm.zip', alongside decoy military-themed PDFs and a fake user guide. Notably, the tampered installer lacks a valid digital signature, which shows that the vendor's binary has been modified. The legitimate installer is named 'Wondershare_PDFelement_Installer.exe'; the malicious version is named 'Wondershare_PDFelement_Installer(PDF_Security).exe' so that it passes as a security-enhanced release.
Upon execution the installer appears to run normally, but embedded shellcode runs in the background and connects to the attacker's infrastructure. Commands are relayed through a compromised website belonging to a Japanese real estate company, so the traffic blends with ordinary web browsing. The malware then retrieves a second-stage payload disguised as a JPG image from the domain 'japanroom[.]com'.
Signs of Infection
Victims may not notice any immediate signs of infection, as the attack is designed to be stealthy. However, once compromised, the malware can exfiltrate sensitive data, including screenshots, documents in various formats, and audio recordings, to Zoho WorkDrive through hardcoded OAuth2 tokens, making the outbound traffic appear as ordinary cloud activity.
Defensive Measures
Organizations, especially those working with defense or government materials, should take proactive measures to mitigate risks. Key recommendations include:
- Verifying digital signatures on all software installers before running them.
- Avoiding installations from messaging platforms without confirming the official source.
- Deploying endpoint detection solutions that flag abnormal child processes spawned by installers.
- Monitoring for unexpected outbound connections to cloud services like Zoho WorkDrive.
- Conducting regular security awareness training focused on social engineering attacks originating from social networks rather than email.
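The first recommendation, verifying signatures, can be triaged at scale before a downloaded binary is ever launched. The following Python is an added example, not code from the article or from any vendor: it parses the PE header to see whether an Authenticode certificate table is attached at all, since a (0, 0) Certificate Table entry means the file is unsigned, which is the condition the tampered installer exhibits. The minimal PE image it builds as sample input is constructed and is not the real installer. The check is deliberately limited: it does not cryptographically verify a signature that is present, so a "signature-blob-present" result still needs signtool verify /pa or PowerShell's Get-AuthenticodeSignature on the host before the file is trusted.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Certificate Table slot in the PE data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData blob


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the PE Certificate Table, or None if the bytes
    are not a parseable PE image. (0, 0) means no Authenticode blob is attached."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if len(pe) < e_lfanew + 26 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if len(pe) < ndirs_off + 4:
        return None
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                         # directory ends before the security slot: unsigned
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(pe) < entry + 8:
        return None
    return struct.unpack_from("<II", pe, entry)   # this entry is a raw file offset, not an RVA


def signature_status(pe: bytes) -> str:
    """Triage only: reports whether a PKCS#7 Authenticode blob is attached. It does NOT
    validate the signature; use signtool verify /pa or Get-AuthenticodeSignature for that."""
    table = certificate_table(pe)
    if table is None:
        return "not-a-pe"
    off, size = table
    if off == 0 or size == 0:
        return "unsigned"
    if size < 8 or off + size > len(pe):
        return "malformed-cert-table"
    # WIN_CERTIFICATE header: dwLength(4) wRevision(2) wCertificateType(2)
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "malformed-cert-table"
    return "signature-blob-present"


def build_minimal_pe(cert_off: int = 0, cert_size: int = 0) -> bytes:
    """Constructed PE32 skeleton used as sample input (not a real installer): DOS header,
    PE signature, COFF header and a PE32 optional header with 16 data directories."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic .. NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    image = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    if cert_off:
        image += b"\0" * (cert_off - len(image))                   # pad out to the blob
        image += struct.pack("<IHH", cert_size, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        image += b"\0" * (cert_size - 8)                           # placeholder PKCS#7 body
    return image


if __name__ == "__main__":
    for path in sys.argv[1:]:                                      # e.g. the downloaded installer
        with open(path, "rb") as fh:
            print(path, signature_status(fh.read()))
```

Run it against every executable pulled out of a messaging-app download folder; anything the vendor normally signs that comes back "unsigned" or "malformed-cert-table" should be quarantined rather than executed, and anything "signature-blob-present" still goes through full verification.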
The sophistication of this campaign highlights the evolving tactics of APT37, which continues to refine its methods for delivering RokRAT while maintaining a focus on evasion and stealth.
How to Check If You're Affected
1. Monitor for unusual outbound connections to cloud services.
2. Check for abnormal child processes spawned by installers.
3. Verify digital signatures on software before installation.
4. Educate users on recognizing social engineering tactics.
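The checklist above, together with the Defensive Measures list, reduces to a handful of telemetry rules. The following Python is an added example, not code from the article or from any vendor, that runs those rules over a short, constructed set of Sysmon-style events (simplified field names, not Sysmon's real schema): the installer and archive names from this report as file indicators, the japanroom[.]com relay as a network indicator, an installer spawning a script host, and a non-browser process talking to Zoho WorkDrive. The WorkDrive hostname 'workdrive.zoho.com' is an assumption, since the report names only the service.

```python
import json

# Indicators named in the report above. The WorkDrive hostname is an assumption
# (the report only names the service), so treat it as a placeholder.
INSTALLER_IOC = "wondershare_pdfelement_installer(pdf_security).exe"
ARCHIVE_IOC = "m.zip"
C2_DOMAINS = ("japanroom.com",)
EXFIL_DOMAINS = ("workdrive.zoho.com",)

# Child processes a GUI installer has no business launching.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Processes for which traffic to a cloud storage service is expected.
CLOUD_CAPABLE = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_installer(image: str) -> bool:
    name = basename(image)
    return name.endswith(".exe") and any(w in name for w in ("install", "setup"))


def host_in(host: str, domains) -> bool:
    """Exact or subdomain match, so 'cdn.japanroom.com' also counts."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def analyse(event: dict):
    """Yield (rule, detail) findings for one Sysmon-style event."""
    kind = event.get("type")
    if kind == "process_create":
        parent, child = basename(event["parent_image"]), basename(event["image"])
        if INSTALLER_IOC in (parent, child):
            yield ("ioc-installer-name", event["image"])
        if looks_like_installer(parent) and child in SCRIPT_HOSTS:
            yield ("installer-spawned-script-host", f"{parent} -> {child}")
    elif kind == "network_connect":
        image, host = basename(event["image"]), event["dest_host"]
        if host_in(host, C2_DOMAINS):
            yield ("ioc-c2-domain", f"{image} -> {host}")
        if host_in(host, EXFIL_DOMAINS) and image not in CLOUD_CAPABLE:
            yield ("unexpected-cloud-storage-client", f"{image} -> {host}")
    elif kind == "file_create":
        if basename(event["target"]) == ARCHIVE_IOC:
            yield ("ioc-archive-name", event["target"])


def hunt(lines):
    """Run every rule over newline-delimited JSON events; return all findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(analyse(json.loads(line)))
    return findings


# Constructed sample telemetry (not real logs). A benign browser upload and a benign
# setup.exe -> msiexec.exe chain sit among the events the report describes.
SAMPLE_LOG = r'''
{"type": "file_create", "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "target": "C:\\Users\\kim\\Downloads\\Telegram Desktop\\m.zip"}
{"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\kim\\Downloads\\Wondershare_PDFelement_Installer(PDF_Security).exe"}
{"type": "process_create", "parent_image": "C:\\Users\\kim\\Downloads\\Wondershare_PDFelement_Installer(PDF_Security).exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"type": "process_create", "parent_image": "C:\\Temp\\vendor_setup.exe", "image": "C:\\Windows\\System32\\msiexec.exe"}
{"type": "network_connect", "image": "C:\\Users\\kim\\Downloads\\Wondershare_PDFelement_Installer(PDF_Security).exe", "dest_host": "japanroom.com", "dest_port": 443}
{"type": "network_connect", "image": "C:\\Users\\kim\\AppData\\Local\\Temp\\update.exe", "dest_host": "workdrive.zoho.com", "dest_port": 443}
{"type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "workdrive.zoho.com", "dest_port": 443}
'''

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{rule:35} {detail}")
```

In production the same rules would run over Sysmon Event ID 1, 3 and 11 records or the EDR equivalents. The CLOUD_CAPABLE allowlist is the important design choice: because the exfiltration rides on legitimate Zoho WorkDrive traffic over OAuth2, the destination alone carries no signal, and it is the initiating process that separates a browser upload from RokRAT.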
The use of social engineering tactics on platforms like Facebook and Telegram signifies a shift in how threat actors approach their targets, making traditional defenses less effective. Organizations must adapt their training and security measures accordingly.
Also covered by: APT37 Abuses Facebook, Telegram, and Tampered Installer in New Targeted Intrusion Attack