Overall Attack Flow | Image: Genians Security Center
A new investigation has revealed that the notorious state-sponsored threat group APT37 has significantly evolved its tactics, shifting its initial access vector to social media platforms like Facebook to target high-value victims. The campaign, analyzed in-depth by the Genians Security Center, demonstrates a blend of psychological manipulation and advanced technical evasion.
The attack begins not with a malicious link, but with a conversation. According to the report, the threat actor “conducted reconnaissance using two Facebook accounts claiming to be from Pyongyang and Pyongsong, North Korea”.
By adding targets as friends and moving conversations to Messenger, the actors spent time “building trust by exchanging greetings and introductions”. Once a rapport was established, the actors pivoted to a technical pretext: offering confidential military-related documents, but claiming they required a “dedicated viewer” to be opened due to encryption. To finalize the file delivery, the conversation was often moved to more “secure” platforms like Telegram.
The primary weapon in this campaign is a carefully tampered installer for the legitimate software Wondershare PDFelement. While it appeared to be a standard installation file named Wondershare_PDFelement_Installer(PDF_Security).exe, it was actually a host for malicious shellcode.
The report notes that the actor used a technique known as “PE patching” or “code cave injection” to insert 2 KB of shellcode into an unused code cave in the binary. To the end-user, the program seems to install normally; “in the background, however, a series of malicious actions has already been completed, including process injection into a legitimate process… and the establishment of a communication channel”.
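The code-cave technique described above leaves two file-level traces a defender can look for: the entry point pointing into space the section headers declare as unused (beyond a section's VirtualSize but inside its SizeOfRawData), and non-zero bytes in that slack region, which a linker normally zero-fills. The following script is an added example written for this article, not code from Genians or from the Wondershare installer; it builds a constructed, minimal PE32 sample in memory (a stub plus an injected cave, not the real shellcode) and runs the two heuristics over it. Section and field offsets follow the PE/COFF specification; `build_sample_pe` and `code_cave_indicators` are names chosen here.

```python
import struct

FILE_ALIGN = 0x200            # raw data is laid out in 512-byte units
SECTION_ALIGN = 0x1000        # first section mapped at RVA 0x1000
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def code_cave_indicators(pe: bytes) -> list:
    """Heuristics for slack-space code caves: entry point in slack, non-zero bytes in slack."""
    entry_rva, sections = parse_pe(pe)
    findings, host = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            host = s
            if entry_rva >= s["va"] + s["vsize"]:
                findings.append(f"entry point 0x{entry_rva:x} lies in the slack space of {s['name']} "
                                f"(beyond VirtualSize 0x{s['vsize']:x})")
    if host is None:
        findings.append(f"entry point 0x{entry_rva:x} is not inside any section")
    elif not host["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point 0x{entry_rva:x} is in non-executable section {host['name']}")
    for s in sections:
        # bytes between the end of declared content and the end of raw data should be zero padding
        slack = pe[s["rawptr"] + s["vsize"]: s["rawptr"] + s["rawsize"]]
        nonzero = len(slack) - slack.count(0)
        if nonzero:
            findings.append(f"{nonzero} non-zero bytes in the {len(slack)}-byte slack of {s['name']}")
    return findings


def build_sample_pe(code: bytes, cave: bytes = b"", cave_offset: int = 0x100,
                    entry_rva: int = SECTION_ALIGN) -> bytes:
    """Constructed single-section PE32 image for testing; not a real or runnable binary."""
    raw_size = FILE_ALIGN
    if len(code) > cave_offset or cave_offset + len(cave) > raw_size:
        raise ValueError("code or cave does not fit in the sample section")
    text = bytearray(raw_size)
    text[:len(code)] = code
    text[cave_offset:cave_offset + len(cave)] = cave      # inject into the zero-filled slack
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, 224-byte optional hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECTION_ALIGN, raw_size, FILE_ALIGN,
                      0, 0, 0, 0, 0x60000020)               # CODE | EXECUTE | READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(FILE_ALIGN, b"\0")
    return headers + bytes(text)


STUB = b"\x55\x89\xe5\x31\xc0\x5d\xc3"                     # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN = build_sample_pe(STUB)
# constructed "patched" sample: 16 bytes written into the cave and the entry point redirected to it
TAMPERED = build_sample_pe(STUB, cave=b"\xcc" * 16, entry_rva=SECTION_ALIGN + 0x100)


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return code_cave_indicators(fh.read())


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, code_cave_indicators(sample) or "no indicators")
```

`scan_file` applies the same checks to an installer on disk. Treat the output as triage input rather than a verdict: some toolchains leave alignment bytes such as 0x90 or 0xCC in section slack, and a patcher that hooks an internal call instead of moving the entry point will trip only the slack-bytes check, so pair this with a comparison against a known-good hash of the vendor's installer.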
The researchers found that follow-up commands were delivered through a payload disguised as a simple image file. Specifically, the malware requests a file named 1288247428101.jpg from a compromised legitimate website—in this case, the Seoul branch of a Japanese real estate information service.
This strategy “combines legitimate software tampering, abuse of a legitimate website, and file extension masquerading” to evade network monitoring and URL filtering. The received “image” is actually an encrypted second-stage payload that is decrypted and executed entirely in memory, ensuring that “the second-stage payload is never written to disk as a file”.
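Extension masquerading of the kind described above is cheap to catch at a proxy or in a sandbox if the check is done on content rather than on the name: a file served as `.jpg` that does not start with the JPEG marker, and whose bytes look uniformly random, is far more likely an encrypted stage than a picture. The script below is an added example for this article, not Genians' tooling; it checks the claimed extension against the file's magic bytes and measures Shannon entropy to separate an encrypted blob from a harmless mislabelled file such as an HTML error page. All three sample bodies are constructed here; only the file name `1288247428101.jpg` is taken from the report.

```python
import math
import random

# Leading bytes a genuine file of each claimed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_fetched_file(name: str, data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Compare the extension's promise with the bytes actually received."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    magic_ok = None if expected is None else any(data.startswith(m) for m in expected)
    ent = shannon_entropy(data)
    # A real image fails neither check; an encrypted payload fails the magic check and is high-entropy.
    suspicious = magic_ok is False and ent >= entropy_threshold
    return {"name": name, "ext": ext, "magic_ok": magic_ok,
            "entropy": round(ent, 2), "suspicious": suspicious}


def triage(fetched: list) -> list:
    """Return the names of (name, body) pairs that look like masqueraded payloads."""
    return [name for name, body in fetched if classify_fetched_file(name, body)["suspicious"]]


# Constructed sample bodies (not captured traffic).
_rng = random.Random(2024)
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(_rng.getrandbits(8) for _ in range(2048)))      # valid header, compressed-looking body
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))       # stand-in for an encrypted stage
HTML_SAMPLE = b"<html><body><h1>404 Not Found</h1></body></html>"      # mislabelled but harmless

if __name__ == "__main__":
    for name, body in (("photo.jpg", JPEG_SAMPLE), ("1288247428101.jpg", ENCRYPTED_BLOB),
                       ("error.jpg", HTML_SAMPLE)):
        print(classify_fetched_file(name, body))
    print("flagged:", triage([("1288247428101.jpg", ENCRYPTED_BLOB), ("photo.jpg", JPEG_SAMPLE)]))
```

The entropy threshold is a tuning knob: a genuine JPEG body is also high-entropy, which is why the magic check, not entropy, is the decisive signal, and entropy only serves to rank magic mismatches. In a proxy this rule should run on the response body regardless of the `Content-Type` header, since a compromised host will happily send `image/jpeg`.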
Linguistic analysis provided vital clues for attribution. The report highlights that the Telegram conversations included the term “콤퓨터,” a North Korean-style transliteration of “computer,” while instructions contained words like “프로그람(program)” and “화일(files)”.
Furthermore, the final payload—a variant of the RokRAT backdoor—was found to abuse legitimate cloud services like Zoho WorkDrive for command-and-control (C2). By using the OAuth2 API of a trusted service, the malware ensures its traffic is “difficult to distinguish from ordinary business traffic”.
Given the high level of sophistication, traditional antivirus software is often insufficient. The Genians report emphasizes that “behavior-based EDR is required to detect the identified indicators of compromise (IoCs) and respond to APT evasion techniques”.
To stay ahead of these threats, organizations are urged to move toward a response framework that can correlate related behaviors across the full attack chain—from initial social media contact to memory-only payload execution. As APT37 continues to refine its “Operation ToyBox Story” and “Operation Artemis” lineages, the focus must shift to “threat hunting and correlation-based analysis” to detect the shadows moving within legitimate processes.