{"id":575,"date":"2026-04-13T11:12:01","date_gmt":"2026-04-13T11:12:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=575"},"modified":"2026-04-13T11:12:01","modified_gmt":"2026-04-13T11:12:01","slug":"north-koreas-apt37-uses-facebook-social-engineering-to-deliver-rokrat-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=575","title":{"rendered":"North Korea&#8217;s APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 13, 2026<\/span><\/span><span class=\"p-tags\">Social Engineering \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhm-HTAVB66ntSv8R4Bgh9szlrPPh6ah0eJGTDheDntj2w9bW9XzWcgs2CAGsN_C8DS7T4M7V8q18_DtgMZu3mJONEewq_oWlpefdtwp6BgudRjw2Z68jXoP8tHCdxSyvZ-xvVuPlh-xpxEeIRHk1v2mq5KqZxS1z316ncG5j2Q9HQe_bJhIJE4XWONvyYL\/s1700-e365\/telegram.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>The North Korean hacking group tracked\u00a0as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan\u00a0called RokRAT.<\/p>\n<p>\u00abThe threat actor used two Facebook accounts with their location set to Pyongyang\u00a0and Pyongsong, North Korea, to identify and screen targets,\u00bb the Genians Security Center\u00a0(GSC) <a href=\"https:\/\/www.genians.co.kr\/en\/blog\/threat_intelligence\/pretexting\">said<\/a> in a technical breakdown of the campaign. \u00abAfter building trust through friend requests, the actor moved the conversation to Messenger and used specific topics to lure targets as part of the initial social engineering stage of the\u00a0attack.\u00bb<\/p>\n<p>Central to the attack is the use of what the GSC describes as pretexting, a tactic where the threat actors aim to trick unsuspecting users into installing a dedicated PDF viewer, claiming the software was necessary to open encrypted military documents. The\u00a0PDF viewer used in the infection chain is a tampered version of Wondershare PDFelement, which, when launched, triggers the execution of embedded shellcode that allows the attackers to obtain an initial\u00a0foothold.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Another significant aspect of the campaign is that it utilizes legitimate but compromised infrastructure for command-and-control (C2), weaponizing the website associated with the Seoul arm of a Japanese real estate information service to issue malicious commands and payloads. What&#8217;s more, the payload takes the form of a seemingly harmless JPG image to deliver\u00a0RokRAT.<\/p>\n<p>\u00abThis is assessed as a highly evasive strategy that combines legitimate software tampering, abuse of a legitimate website, and file extension masquerading,\u00bb the GSC\u00a0said.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWchkR_RFkav7q3PRymFcRSWXefFD7VRfgnbSRTRBmpbOYUYiA50lgNTF9rAQhyphenhyphenci5OSDVxuNaiSvogjOFFRIsaOxL76SlCVNV6XmWmsoAs-4Evdzh_kZb8FKWpEvzBj91gHIQwRhhpHjuJELUd7jB7SXlmqNi7X33_GgMK6pJ9oskE2GwPJCKfRM2eX6V\/s1700-e365\/flow.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWchkR_RFkav7q3PRymFcRSWXefFD7VRfgnbSRTRBmpbOYUYiA50lgNTF9rAQhyphenhyphenci5OSDVxuNaiSvogjOFFRIsaOxL76SlCVNV6XmWmsoAs-4Evdzh_kZb8FKWpEvzBj91gHIQwRhhpHjuJELUd7jB7SXlmqNi7X33_GgMK6pJ9oskE2GwPJCKfRM2eX6V\/s1700-e365\/flow.png\" alt=\"\" border=\"0\" data-original-height=\"1625\" data-original-width=\"2600\"\/><\/a><\/div>\n<p>In the attack sequence detailed by the South Korean cybersecurity company, the threat actors have been found to create two Facebook accounts &#8212; \u00abrichardmichael0828\u00bb and \u00abjohnsonsophia0414,\u00bb both of which were created on November 10, 2025 &#8212; and deliver a ZIP file after moving the conversation to Telegram, with the archive containing the trojanized version of Wondershare PDFelement along with four PDF documents and a text file containing instructions to install the program to view the\u00a0PDFs.<\/p>\n<p>The encrypted shellcode executed after the launch of the tampered installer allows it to establish communication with the C2 server (\u00abjapanroom[.]com\u00bb) and download a second-stage payload, a JPG image (\u00ab1288247428101.jpg\u00bb) that&#8217;s then used to final RokRAT\u00a0payload.<\/p>\n<p>The malware, for its part, abuses Zoho WorkDrive as C2 \u2013 a tactic\u00a0also detailed by Zscaler ThreatLabz in February 2026 as part of a campaign codenamed Ruby Jumper \u2013 enabling it to capture screenshots, enable remote command execution via \u00abcmd.exe,\u00bb collect host information, perform system reconnaissance, and evade detection by security programs like Qihoo&#8217;s 360 Total Security, while disguising malicious\u00a0traffic.<\/p>\n<p>\u00abIts core functionality has remained relatively stable and has been reused repeatedly across multiple operations over time,\u00bb the GSC said. \u00abThis shows that RokRAT has focused less on changing its core functionality and more on evolving its delivery, execution, and evasion\u00a0chain.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 13, 2026Social Engineering \/ Threat Intelligence The North Korean hacking group tracked\u00a0as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat&hellip;<\/p>\n","protected":false},"author":1,"featured_media":576,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1187,529,1058,1188,1186,42,247,1189,1057],"class_list":["post-575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-apt37","tag-deliver","tag-engineering","tag-facebook","tag-koreas","tag-malware","tag-north","tag-rokrat","tag-social"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=575"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/575\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/576"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}