North Korean cyber actors, identified as APT37 or ScarCruft, are behind a new social engineering initiative using Facebook to deliver the RokRAT malware. This campaign involves creating trust with targeted individuals on the platform, turning these connections into avenues for malware distribution.
Social Engineering Tactics on Facebook
The attackers used Facebook profiles with locations set to Pyongyang and Pyongsong in North Korea to find potential victims. After initiating contact through friend requests, they moved the conversations to Facebook Messenger, steering them toward topics chosen to make the approach appear credible.
A central element of the strategy is pretexting: the attackers persuaded users to install a trojanized PDF viewer under the pretext of opening encrypted military documents. This viewer, a modified version of Wondershare PDFelement, executed concealed shellcode to establish the initial foothold.
Technical Breakdown and Evasion Strategies
The campaign used legitimate but compromised online infrastructure for command-and-control operations. The attackers repurposed a website associated with a Japanese real estate service in Seoul to issue commands and dispatch payloads. The second-stage payload itself was disguised as an innocuous JPG image to evade detection.
Genians Security Center (GSC) highlighted this method as a sophisticated blend of software tampering, legitimate site misuse, and file extension deception, which collectively enhances the campaign’s evasive capabilities.
Execution and Payload Delivery
Details from the South Korean cybersecurity firm reveal the attackers created two Facebook accounts in November 2025. They eventually moved communications to Telegram, distributing a ZIP file containing the trojanized PDF software, multiple PDF files, and installation instructions.
The trojanized installer executed encrypted shellcode that communicated with a command server at “japanroom[.]com.” Through this channel it downloaded a second-stage payload disguised as a JPG image, which ultimately delivered the RokRAT malware.
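The file-extension deception described above (a non-image payload served as a “JPG”) is detectable by comparing a download’s claimed extension with its leading magic bytes. The following is an added illustration, not code from the Genians report; the filenames and byte samples are constructed.

```python
# Added example (not from the Genians report): flag downloads whose file
# extension does not match the content's magic bytes. Samples are constructed.
from typing import Dict, List, Optional, Tuple

# Magic-byte signatures for the container types that matter in this campaign.
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "pe": b"MZ",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
}

# The detected type each extension legitimately implies.
EXPECTED: Dict[str, str] = {
    "jpg": "jpeg", "jpeg": "jpeg", "zip": "zip", "pdf": "pdf", "exe": "pe", "dll": "pe",
}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed_extension, actual_type) when the extension misrepresents the content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data) or "unknown"
    expected = EXPECTED.get(ext)
    if expected is None or expected == actual:
        return None
    return (ext, actual)

def scan(samples: List[Tuple[str, bytes]]) -> List[str]:
    """Report every sample whose declared extension hides another format."""
    findings = []
    for name, data in samples:
        result = extension_mismatch(name, data)
        if result:
            findings.append(f"{name}: claims .{result[0]} but content is {result[1]}")
    return findings

# Constructed samples: a genuine JFIF header, a PE stub saved as .jpg, a PDF.
SAMPLES = [
    ("banner.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60),
    ("brief.pdf", b"%PDF-1.7\n"),
]
```

Run `scan(SAMPLES)` to see only the disguised executable reported; a file with an unrecognised header is reported as `unknown`, which is still a mismatch worth triaging.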
Malware Capabilities and Implications
RokRAT leverages Zoho WorkDrive as part of its command-and-control strategy, as previously noted in a campaign by Zscaler ThreatLabz. The malware is capable of capturing screenshots, executing commands, gathering host information, conducting reconnaissance, and bypassing security defenses like Qihoo’s 360 Total Security.
Despite its stable core functionality, RokRAT’s delivery and evasion methods continue to evolve, underscoring the persistent threat posed by North Korean cyber operations.
