A new cyber‑espionage operation attributed to the North Korean threat group APT37 (ScarCruft) demonstrates how quickly social networks are becoming an initial access vector for state‑sponsored attacks. By building trust on Facebook and then moving conversations to encrypted messengers, the operators convince victims to install a “secure PDF viewer” that in reality delivers the long‑running RokRAT spyware.
Facebook social engineering as the first stage of compromise
According to research by Genians Security Center (GSC), APT37 operated at least two Facebook profiles listing locations in Pyongyang and Pyongsong to identify and approach targets. The accounts, using the names “richardmichael0828” and “johnsonsophia0414”, were created on 10 November 2025 and used to send friend requests to carefully selected individuals, likely in government, defense, or related sectors.
Once contact was established, the attackers shifted the conversation from public Facebook interactions to Facebook Messenger, and eventually to Telegram for file transfer. This mirrors a broader pattern: the 2023 Verizon Data Breach Investigations Report notes that the human element (including social engineering) is present in the majority of breaches, underscoring how often attackers rely on trust rather than exploits.
APT37’s pretext centered on access to “encrypted military documents.” Victims were told that these files required a dedicated PDF viewer to open, and were pressured to install a separate application shared via Telegram. This is a textbook pretexting scenario—creating a believable story to drive the victim toward a specific, malicious action.
Trojanized PDF viewer and embedded shellcode in a multi‑stage attack chain
The so‑called viewer was a modified version of the legitimate Wondershare PDFelement product. The ZIP archive delivered to victims contained a trojanized installer, four PDF documents, and a text file with step‑by‑step installation instructions to reinforce the illusion of legitimacy and reduce suspicion.
When executed, the altered installer launched encrypted shellcode—a small block of low‑level instructions embedded inside an otherwise normal process. Shellcode of this kind usually performs minimal, high‑value tasks: establishing a foothold in memory, contacting a command‑and‑control (C2) server, and pulling down the next stage payload without writing obvious artifacts to disk.
This design reflects a broader trend among advanced persistent threat (APT) groups: keeping initial implants lightweight, file‑minimal, and tightly integrated with legitimate software to evade endpoint detection and response (EDR) tools.
Abuse of legitimate infrastructure and JPG payload hiding
A distinguishing feature of this campaign is the extensive use of legitimate but compromised infrastructure for C2. GSC reports that the C2 server was hosted on the domain japanroom[.]com, associated with a Korean office of a Japanese property listing service. Leveraging a reputable domain complicates detection based on domain reputation or simple URL blocking.
The second‑stage payload was delivered as an apparently benign JPG image file named “1288247428101.jpg”. Hidden within this image was executable code that, when processed by the first‑stage component, unpacked and executed the final spyware. This approach combines techniques such as file extension spoofing and payload hiding in seemingly normal content, making static signature‑based detection far less effective.
By embedding code within an image and wrapping it inside a legitimate installer, APT37 significantly increases the effort required for defenders to distinguish between normal user activity and malicious behavior.
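One defensive check that follows from the JPG stage described above is to verify that a file claiming to be an image actually ends where the JPEG format says it should. The script below is an added example written for this article, not code from GSC or from the campaign; it walks the JPEG marker structure, locates the End-of-Image marker, and reports how many bytes follow it. The sample files (a minimal JFIF image and a copy with a constructed blob appended) are built inline so the script runs offline; the blob is a placeholder, not the real second-stage payload.

```python
import struct

SOI = b"\xff\xd8"   # Start of Image
EOI = b"\xff\xd9"   # End of Image: nothing that belongs to the picture comes after it


def analyze_jpeg(data: bytes) -> dict:
    """Walk JPEG segments and measure any data appended after the EOI marker."""
    report = {"valid_soi": data[:2] == SOI, "eoi_found": False,
              "trailing_bytes": 0, "markers": []}
    if not report["valid_soi"]:
        return report
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            report["parse_error"] = f"expected marker at offset {pos}"
            return report
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte between markers, skip it
            pos += 1
            continue
        report["markers"].append(marker)
        if marker == 0xD9:                      # EOI reached: count what is left
            report["eoi_found"] = True
            report["trailing_bytes"] = n - (pos + 2)
            return report
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length field
            pos += 2
            continue
        if pos + 4 > n:
            report["parse_error"] = "truncated segment header"
            return report
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        pos += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                       # 0xFF00 is byte stuffing, RSTn are restart markers
                pos += 1
    report["parse_error"] = "no EOI marker before end of file"
    return report


def verdict(data: bytes) -> str:
    """Collapse the report into a triage label."""
    r = analyze_jpeg(data)
    if not r["valid_soi"]:
        return "not-jpeg"
    if "parse_error" in r:
        return "malformed"
    return "trailing-data" if r["trailing_bytes"] > 0 else "clean"


# Constructed minimal JPEG: SOI, APP0/JFIF header, SOS for one component, 2 bytes of scan data, EOI.
APP0 = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
CLEAN_JPEG = SOI + APP0 + SOS + b"\x12\x34" + EOI
# Constructed placeholder blob standing in for a hidden second stage (not the real payload).
PAYLOAD = b"CONSTRUCTED-STAGE2-" + bytes(range(32))
SUSPECT_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("1288247428101.jpg", SUSPECT_JPEG),
                       ("cut.jpg", CLEAN_JPEG[:-2]), ("notes.jpg", b"MZ\x90\x00")]:
        print(f"{name:20} {verdict(blob):14} trailing={analyze_jpeg(blob)['trailing_bytes']}")
```

Trailing data after EOI is only one heuristic: some cameras and editors leave a few harmless bytes there, and a payload can just as well sit inside an APPn segment or the entropy stream, so the check is best used to prioritise files for sandboxing rather than as a verdict on its own.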
RokRAT spyware and Zoho WorkDrive‑based C2 channel
The final stage of the operation is RokRAT, a long‑standing espionage tool widely associated with APT37 in reporting from multiple threat‑intelligence vendors. While its core feature set has remained relatively stable over the years, it remains effective and dangerous.
RokRAT can capture screenshots, execute arbitrary commands via cmd.exe, harvest detailed system information, and conduct reconnaissance across the compromised environment. It also incorporates techniques to bypass or disable security solutions, including popular consumer and enterprise antivirus products such as 360 Total Security.
In this campaign, the operators use Zoho WorkDrive as a C2 transport channel for data exfiltration and command delivery. Similar abuse of cloud collaboration platforms was previously highlighted by Zscaler ThreatLabz in 2026 under the codename “Ruby Jumper.” Because Zoho and similar services are widely used in enterprises, malicious traffic can easily blend with normal business file‑sharing, complicating blocking without disrupting legitimate operations.
Notably, RokRAT’s core functionality changes little between operations. Instead, APT37 iterates on the delivery, execution, and evasion chain—combining social media pretexting, trojanized commercial software, image‑based payload hiding, and reputable cloud C2 to stay ahead of defensive controls.
Defending against APT37 and similar social‑media‑driven campaigns
This operation highlights how social engineering on Facebook and messaging apps can serve as an effective initial access vector for nation‑state actors targeting sensitive sectors. Mitigation requires a blend of policy, user awareness, and technical controls.
User awareness, policy, and application control
Organizations should enforce strict policies limiting the installation of software from unknown or unverified sources and implement application allow‑listing wherever feasible. Employees must be instructed never to install “viewers,” “codecs,” or “decryption tools” received via private messages, even when they appear to come from seemingly legitimate or familiar contacts.
Regular, scenario‑based social engineering training is essential. Exercises should explicitly address pretexting via social networks, cross‑platform conversation shifts (e.g., Facebook to Telegram), and requests to handle “classified” or “confidential” documents that require special tools.
Technical monitoring and cloud‑service governance
From an infrastructure perspective, modern EDR and XDR solutions should be deployed and tuned to detect abnormal process behaviors, such as installers spawning unexpected command shells, loading unusual DLLs, or initiating outbound connections to unfamiliar domains.
Security teams should also monitor usage of cloud storage and collaboration platforms—including Zoho WorkDrive—for atypical access patterns, unusual data volumes, or connections from endpoints that do not normally use these services. Network security controls and CASB (Cloud Access Security Broker) solutions can help baseline normal behavior and flag anomalies without blocking legitimate business use.
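The two monitoring recommendations above (installer processes spawning shells or reaching unfamiliar domains, and cloud file-sharing use that departs from a host baseline) can be expressed as a small rule set over endpoint telemetry. The script below is an added example written for this article, not a detection from GSC or any EDR vendor. The telemetry lines, host names, the installer file name, the corporate egress allowlist, the set of hosts baselined for Zoho WorkDrive and the volume threshold are all constructed assumptions; the C2 domain is the one named in the report.

```python
import json
from collections import defaultdict

# Assumed tuning values for this example; a real deployment derives them from its own baseline.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
INSTALLER_HINTS = ("setup", "install")                                  # substrings of installer image names
KNOWN_EGRESS = {"update.microsoft.com", "login.microsoftonline.com"}    # assumed corporate allowlist
CLOUD_SHARE_DOMAINS = {"workdrive.zoho.com"}                            # Zoho WorkDrive, the C2 transport in the report
CLOUD_SHARE_BASELINE_HOSTS = {"FIN-WS-07"}                              # assumed: hosts that normally use WorkDrive
CLOUD_SHARE_VOLUME_LIMIT = 50 * 1024 * 1024                             # assumed per-host ceiling in bytes


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_telemetry(text: str) -> list:
    """One JSON object per line, in the shape a Sysmon/EDR forwarder might emit."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list) -> list:
    alerts = []
    volume = defaultdict(int)   # (host, cloud domain) -> bytes sent
    for e in events:
        if e["type"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if child in SHELLS and any(h in parent for h in INSTALLER_HINTS):
                alerts.append({"rule": "installer-spawned-shell", "host": e["host"],
                               "detail": f"{parent} -> {child}"})
        elif e["type"] == "network_connect":
            dest = e["dest_host"].lower()
            if dest in CLOUD_SHARE_DOMAINS:
                volume[(e["host"], dest)] += e.get("bytes_out", 0)
                if e["host"] not in CLOUD_SHARE_BASELINE_HOSTS:
                    alerts.append({"rule": "cloud-share-from-unbaselined-host", "host": e["host"],
                                   "detail": f"{basename(e['image'])} -> {dest}"})
            elif dest not in KNOWN_EGRESS:
                alerts.append({"rule": "unfamiliar-egress", "host": e["host"],
                               "detail": f"{basename(e['image'])} -> {dest}"})
    # Volume is judged after the pass, so many small uploads add up to one alert.
    for (host, dest), total in sorted(volume.items()):
        if total > CLOUD_SHARE_VOLUME_LIMIT:
            alerts.append({"rule": "cloud-share-volume", "host": host,
                           "detail": f"{total} bytes to {dest}"})
    return alerts


# Constructed sample telemetry. Only the C2 domain comes from the report; everything else is made up.
SAMPLE_TELEMETRY = r"""
{"type":"process_create","host":"HR-WS-12","parent_image":"C:\\Users\\a\\Downloads\\pdf_viewer_setup.exe","image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"process_create","host":"HR-WS-12","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"network_connect","host":"HR-WS-12","image":"C:\\Users\\a\\Downloads\\pdf_viewer_setup.exe","dest_host":"japanroom.com","bytes_out":4096}
{"type":"network_connect","host":"FIN-WS-07","image":"C:\\Program Files\\Zoho\\WorkDrive.exe","dest_host":"workdrive.zoho.com","bytes_out":2000000}
{"type":"network_connect","host":"HR-WS-12","image":"C:\\Windows\\System32\\cmd.exe","dest_host":"workdrive.zoho.com","bytes_out":80000000}
{"type":"network_connect","host":"HR-WS-12","image":"C:\\Windows\\explorer.exe","dest_host":"login.microsoftonline.com","bytes_out":1024}
"""

if __name__ == "__main__":
    for a in detect(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The second process event (a shell launched from explorer.exe) is deliberately silent, and the baselined finance host's WorkDrive traffic is tolerated, which is the point of the CASB-style baseline the text describes: the goal is to flag the unusual host and the unusual volume, not to block the service.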
Finally, organizations should formalize policies for the use of social networks and messaging apps on corporate devices, coupled with continuous logging and network anomaly detection. As APT37’s activity shows, sophisticated adversaries are increasingly combining well‑known tools like RokRAT with ever more refined delivery and obfuscation tactics. Strengthening user awareness, tightening software installation controls, and closely monitoring cloud and network traffic significantly reduce the likelihood that such multi‑stage espionage campaigns will succeed.