PROBABLYPWNED
Threat Intelligence | April 29, 2026 | 4 min read

APT37 Exploits Facebook Friendships to Deploy RokRAT

North Korean threat actors are befriending targets on Facebook, building trust over weeks, then delivering RokRAT malware through trojanized PDF readers. Military and government officials targeted.

Alex Kowalski

North Korea's APT37 is running a social engineering campaign that starts with a Facebook friend request and ends with military officials infected with surveillance malware. The threat actors maintain fake profiles claiming to be located in Pyongyang, engage targets in extended conversations to build trust, then deliver the RokRAT backdoor through trojanized software.

Security researchers documented the multi-stage campaign this month, noting that APT37 invested weeks in cultivating relationships before attempting malware delivery—a patience-intensive approach that bypasses traditional phishing defenses.

TL;DR

  • What happened: APT37 operators befriend targets on Facebook, then deliver RokRAT via trojanized Wondershare PDFelement
  • Who's affected: South Korean military and government officials primarily
  • Severity: High - Full surveillance capabilities once infected
  • Action required: Verify software sources; be suspicious of unsolicited social media contacts

How Does the Attack Work?

The campaign begins with friend requests from accounts displaying North Korean locations (Pyongyang, Pyongsong). Once accepted, operators engage in extended conversations—sometimes lasting weeks—to establish rapport and gather intelligence about the target's work environment and security practices.

After building trust, attackers transition the conversation to more secure channels, eventually delivering a ZIP file containing:

  • A trojanized copy of Wondershare PDFelement (legitimate PDF editing software)
  • Four PDF documents serving as lures
  • Installation instructions designed to guide the target through infection

When the victim runs the compromised installer, embedded shellcode executes and contacts a command-and-control server hosted on japanroom[.]com—a legitimate Japanese real estate service website whose Seoul branch infrastructure was compromised.

A second-stage payload disguised as a JPG image (1288247428101.jpg) delivers the final RokRAT implant.

RokRAT Capabilities

Once installed, RokRAT provides comprehensive surveillance capabilities:

  • Screenshot capture at regular intervals
  • Remote command execution via cmd.exe
  • System reconnaissance including installed security products
  • Credential harvesting from browsers and applications
  • File exfiltration through encrypted channels

RokRAT specifically checks for and evades Qihoo's 360 Total Security, suggesting targets may be using Chinese security software. The malware abuses Zoho WorkDrive for command issuance, making C2 traffic difficult to distinguish from legitimate cloud service usage.

Social Engineering at Scale

What makes this campaign notable isn't the malware—RokRAT has been in APT37's arsenal for years. It's the investment in social engineering infrastructure.

The attackers created Facebook accounts (richardmichael0828 and johnsonsophia0414) in November 2025, giving them months to build activity patterns that appear organic. They set locations to North Korean cities openly—a detail that might seem counterintuitive but actually serves as a filter to identify targets who won't immediately block a foreign contact.

This mirrors techniques we've seen in previous social engineering campaigns, where patience and psychological manipulation prove more effective than technical exploits.

Attribution and Context

APT37 (also tracked as ScarCruft, Ricochet Chollima, Ruby Sleet, and InkySquid) has operated since at least 2012, primarily targeting South Korean entities. The group is assessed to operate in support of North Korean intelligence collection objectives.

This campaign's focus on military and government officials aligns with APT37's historical pattern of targeting information related to South Korean defense capabilities and diplomatic initiatives involving North Korea.

The group recently deployed air-gapped network intrusion tools in a separate campaign, demonstrating continued capability development.

Indicators of Compromise

Type               Value
C2 Domain          japanroom[.]com
Payload            1288247428101.jpg
Facebook Account   richardmichael0828
Facebook Account   johnsonsophia0414
Cloud Abuse        Zoho WorkDrive

Recommended Mitigations

  1. Scrutinize unsolicited contacts — Especially those claiming foreign locations or unusual backgrounds
  2. Verify software sources — Only download applications from official vendor websites
  3. Block known IOCs — Add japanroom[.]com to network blocklists
  4. Monitor cloud services — Watch for unusual Zoho WorkDrive activity
  5. Security awareness training — Educate staff about social media-based social engineering
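The indicator table above and mitigations 3 and 4 (block the C2 domain, watch for unusual Zoho WorkDrive activity) translate directly into a log sweep. The script below is an added example, not code from the article or from any vendor tool: it refangs the published indicators, scans proxy log lines for the C2 domain (including subdomains), the second-stage payload filename, and cloud-service hosts worth baselining, and summarizes hits per internal source address. The log format, the sample lines, and the zoho.com host pattern are assumptions; the indicator values are the ones the article reports.

```python
"""Sweep proxy log lines for the indicators reported in this article.

Added example. Log line format, sample data and the cloud-host pattern
are constructed assumptions; indicator values come from the article.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the article, kept in the defanged form they were published in.
IOC_DOMAINS = ["japanroom[.]com"]
IOC_FILENAMES = ["1288247428101.jpg"]

# Assumption: Zoho WorkDrive traffic shows up under a zoho.com host. The article
# names the service but no hostname, so this is a broad "review me" match that
# must be baselined against legitimate use before it becomes an alert.
CLOUD_WATCH_HOST_PATTERNS = [re.compile(r"(^|\.)zoho\.com$", re.I)]

# Assumed (constructed) log layout: "<timestamp> <src_ip> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    line_no: int
    kind: str      # "c2_domain", "payload_name" or "cloud_watch"
    value: str
    src_ip: str


def refang(indicator: str) -> str:
    """Undo the usual report defanging so the value can be matched against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan(lines):
    """Return a Hit for every indicator match; unparseable lines are skipped."""
    domains = {refang(d).lower() for d in IOC_DOMAINS}
    names = {n.lower() for n in IOC_FILENAMES}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, path, src = m["host"].lower(), m["path"], m["src"]
        # Exact C2 domain or any subdomain of it
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(Hit(n, "c2_domain", host, src))
        # Last path component, query string removed
        fname = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if fname in names:
            hits.append(Hit(n, "payload_name", fname, src))
        if any(p.search(host) for p in CLOUD_WATCH_HOST_PATTERNS):
            hits.append(Hit(n, "cloud_watch", host, src))
    return hits


def summarize(hits):
    """Map each internal source address to the set of indicator kinds it touched."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h.src_ip].add(h.kind)
    return dict(by_src)


# Constructed sample log: one clean request, one C2 fetch of the fake JPG,
# one cloud-service request, one subdomain hit and one malformed line.
SAMPLE_LOG = [
    "2026-04-29T09:12:01Z 10.0.0.15 www.example.com /index.html 200",
    "2026-04-29T09:13:44Z 10.0.0.15 japanroom.com /images/1288247428101.jpg 200",
    "2026-04-29T09:14:02Z 10.0.0.22 workdrive.zoho.com /api/v1/files 200",
    "2026-04-29T09:15:09Z 10.0.0.15 cdn.japanroom.com /update/check 404",
    "this line does not match the expected layout",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.value} from {h.src_ip}")
    print(summarize(scan(SAMPLE_LOG)))
```

A host that both resolves the C2 domain and requests the payload filename (10.0.0.15 in the sample) deserves immediate isolation; a cloud_watch hit on its own is only a prompt to compare against that user's normal Zoho usage.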

Frequently Asked Questions

Why would targets accept friend requests from accounts in North Korea?

Researchers, journalists, and officials working on Korean peninsula issues may have legitimate reasons to connect with contacts claiming North Korean locations. APT37 exploits this professional curiosity.

Can I detect RokRAT with antivirus?

Most endpoint security products detect known RokRAT variants. However, the trojanized installer may evade initial detection since it packages legitimate software alongside malicious code.

For organizations in sectors APT37 has historically targeted, this campaign underscores why phishing awareness training must extend beyond email to encompass social media platforms.
