North Korea-linked APT37, also known as ScarCruft, used Facebook and Telegram to target victims in a multi-stage social engineering campaign that delivered the RokRAT remote access trojan, according to a technical analysis by Genians Security Center.
KEY FACTS
- Initial contact: Two Facebook accounts, with locations set to Pyongyang and Pyongsong, were used to screen targets.
- Lure: Victims were steered to Messenger and then Telegram before receiving a ZIP archive.
- Payload: The archive contained a trojanized Wondershare PDFelement installer, four PDF files, and instructions to open the documents.
- Delivery method: The final malware was hidden inside a JPG image and used compromised infrastructure for command and control.
The report said the fake social media personas, named richardmichael0828 and johnsonsophia0414, were created on Nov. 10, 2025. After trust was built through friend requests, the conversation moved to messaging apps and the targets were urged to install a dedicated PDF viewer to open what were described as encrypted military documents.
The tampered installer was a modified version of Wondershare PDFelement. When launched, it executed embedded shellcode that connected to a command-and-control site at japanroom[.]com, downloaded a second-stage JPG file, and then loaded RokRAT.
RokRAT used Zoho WorkDrive for command and control, a technique previously noted in other campaigns. The malware could capture screenshots, run commands through cmd.exe, collect host details, perform reconnaissance, and try to evade detection by security software, including Qihoo’s 360 Total Security.
The disclosure said the group relied less on changing RokRAT’s core functions than on altering how it was delivered, executed, and hidden. That approach can make malicious traffic and files look legitimate, which may complicate detection for users and security teams.
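A defender-side check for the "malware hidden inside a JPG" stage, added here as an illustration and not taken from the Genians report: it walks the JPEG segment structure to find the real End-Of-Image marker and reports how much data sits after it, plus its entropy. The report does not say how the payload was embedded, so the assumption that it was appended after the image data is mine; the sample bytes are constructed.

```python
import math
from collections import Counter
from typing import Optional, Tuple

# Constructed sample: a minimal JPEG (SOI, one APP0/JFIF segment, EOI).
SAMPLE_JPEG = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")       # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"                                 # EOI
)

def jpeg_eoi_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, found by walking segments rather
    than searching for the last FF D9, so a tail that happens to contain
    FF D9 cannot hide itself. Returns None for a malformed image."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                           # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte
            pos += 1
            continue
        if marker == 0xD9:                        # EOI
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                              # standalone markers
            continue
        if pos + 3 >= n:
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                        # SOS: skip scan data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; near 8.0 suggests compressed or encrypted content."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum(c / total * math.log2(c / total) for c in Counter(buf).values())

def trailing_payload(data: bytes) -> Tuple[int, float]:
    """(bytes after EOI, entropy of that tail); raises on a malformed JPEG."""
    end = jpeg_eoi_offset(data)
    if end is None:
        raise ValueError("not a well-formed JPEG")
    tail = data[end:]
    return len(tail), shannon_entropy(tail)
```

A non-zero tail is not proof of malice (some cameras append metadata), but a large, high-entropy tail on an image fetched right after an installer ran is worth pulling for analysis.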
WHY IT MATTERS
The campaign shows how social media trust, tampered software and legitimate online services can be combined in a single intrusion chain. It also highlights how attackers can reuse the same malware while changing delivery methods to stay ahead of defenses.