🎯 How the Attack Works
According to security researchers, attackers create fake Facebook profiles with locations set to North Korea, then:
- Send friend requests to targeted individuals
- Build trust through casual conversations
- Move communication to Messenger or Telegram
- Deliver a malicious ZIP file containing infected software
This method turns social media into a direct malware delivery channel.
📄 Fake PDF Viewer as Infection Vector
The attack relies on pretexting: victims are told they need a special PDF viewer to open “encrypted military documents.”
The viewer they receive is a modified (trojanized) build of Wondershare PDFelement, which:
- Executes hidden shellcode upon launch
- Establishes connection with a command-and-control (C2) server
- Downloads additional malicious payloads
🖼️ Malware Hidden Inside JPG Files
The second-stage payload is delivered as what appears to be an ordinary JPG image, so it passes a casual file-type check; that image is what ultimately delivers the RokRAT malware.
To blend in with normal traffic, the campaign also abuses legitimate infrastructure, including compromised websites and cloud services such as Zoho WorkDrive, as part of its delivery chain.
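One concrete check a defender can run against "images" fetched from such hosts. This is an added example, not code from the report or from any researcher cited by it, and it assumes one common way of hiding a payload in an image: appending it after the JPEG's real End-Of-Image marker. It walks the segment structure instead of searching for the last FFD9 bytes, because an appended payload can itself contain FFD9 and fool a naive search. The sample JPEG is constructed inline (structurally valid, not a decodable picture).

```python
"""Added example: find data appended after a JPEG's real End-Of-Image (EOI) marker.

Not code from the original report.  Assumes the payload is appended after the
structural EOI; payloads encoded into pixel data need different checks.
"""

JPEG_SOI = b"\xff\xd8"
# TEM, SOI and RST0-7 carry no length field
STANDALONE_MARKERS = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the real EOI by parsing the segment structure."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: the image structurally ends here
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 3 >= len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: entropy-coded data runs until a non-RST marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the real EOI (empty if the file ends where the image does)."""
    return data[jpeg_end_offset(data):]


def classify_trailer(trailer: bytes) -> str:
    """Cheap magic-byte hint for whatever follows the image."""
    if not trailer:
        return "none"
    if trailer.startswith(b"MZ"):
        return "PE executable"
    if trailer.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    return "unknown"   # encrypted or encoded shellcode has no magic bytes


def is_suspicious(data: bytes, min_trailer: int = 64) -> bool:
    """Some legitimate tools leave a few stray bytes after EOI; a threshold keeps noise down."""
    return len(trailing_payload(data)) > min_trailer


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG-like bytes: SOI, APP0, SOS with scan data, EOI, then trailer."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # contains a stuffed FF00 and an RST0 marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    decoy = b"MZ" + b"\xff\xd9" + b"\x90" * 100    # fake PE header with a decoy EOI inside it
    sample = build_sample_jpeg(decoy)
    tail = trailing_payload(sample)
    print(f"image ends at {jpeg_end_offset(sample)} of {len(sample)} bytes; "
          f"trailer {len(tail)} bytes, looks like: {classify_trailer(tail)}")
```

Run it over files an image host served to an endpoint; a trailer that is large, or that starts with an executable or archive signature, is worth pulling for analysis even when the file still renders as a picture.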
⚠️ What RokRAT Can Do
Once installed, RokRAT enables attackers to:
- Capture screenshots
- Execute remote commands via cmd.exe
- Collect system and user data
- Perform surveillance and reconnaissance
- Evade antivirus detection
This makes it a powerful tool for cyber espionage and data theft.
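The behaviours listed above leave a process-lineage trail: a document viewer that launches cmd.exe on an attacker's behalf is unusual on its own. The following detection logic is an added example, not code from the report or from any vendor, and it runs over constructed events shaped like Sysmon process-creation records (EventID 1). The install path and the sets of viewer and shell names are assumptions for illustration.

```python
"""Added example: flag command shells spawned by a PDF viewer process.

Not code from the original report.  Event fields mimic Sysmon EventID 1 records;
the install path and the viewer/shell name sets are assumptions.
"""
import ntpath

# Assumed names; extend for the viewers your fleet actually runs.
DOCUMENT_VIEWERS = {"pdfelement.exe", "acrord32.exe", "foxitreader.exe"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    # ntpath handles backslash paths even when the analysis runs on Linux
    return ntpath.basename(path).lower()


def shell_from_viewer(event: dict) -> bool:
    """True if a process-creation event shows a document viewer launching a shell."""
    if event.get("EventID") != 1:
        return False
    return (_basename(event.get("ParentImage", "")) in DOCUMENT_VIEWERS
            and _basename(event.get("Image", "")) in COMMAND_SHELLS)


def find_alerts(events):
    """Return one alert record per matching event."""
    return [
        {"host": e.get("Computer"), "parent": _basename(e["ParentImage"]),
         "child": _basename(e["Image"]), "cmdline": e.get("CommandLine", "")}
        for e in events if shell_from_viewer(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01",
     "Image": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"PDFelement.exe" documents.pdf'},
    {"EventID": 1, "Computer": "ws01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "CommandLine": "cmd.exe /c whoami & systeminfo"},
    {"EventID": 1, "Computer": "ws02",                      # a user opening a shell normally
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 3, "Computer": "ws01",                      # network event, not process creation
     "Image": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

Viewers do spawn helper processes legitimately (updaters, print dialogs), so tune the shell set and review the command line before treating a hit as confirmed; the value of the rule is that it keys on behaviour rather than on a file hash the attackers can change.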
🚨 Why This Attack Is Dangerous
This campaign stands out because it combines:
- Social media trust exploitation
- Legitimate software tampering
- File disguise techniques (JPG malware)
- Use of trusted cloud infrastructure
Experts warn that APT37 continues to evolve its delivery and evasion methods, making detection increasingly difficult.
🛡️ How to Stay Safe
To protect yourself:
- Be cautious of unknown friend requests on Facebook
- Avoid downloading files from untrusted sources
- Never install software sent via chat apps; obtain applications only from the vendor’s own site or an official store
- Keep the operating system and security software updated
- Verify file authenticity before opening: check the actual file type rather than trusting the extension, and confirm unexpected attachments with the sender over a separate channel