It starts like any ordinary day on social media — a new friend request, maybe from someone with mutual interests or a professional-looking profile. You accept without much thought. A conversation begins, trust builds. And before you know it, you've unknowingly stepped into a carefully crafted cyberattack.

This is the strategy behind a recent campaign linked to the North Korean hacking group APT37, also known as ScarCruft. What makes it worth examining isn't just the technical sophistication; it's how deliberately human the attack is. Group IB's analysis of ScarCruft describes a threat actor that has consistently prioritised social deception over brute-force exploitation, and this campaign is a near-perfect expression of that philosophy.

The human side of hacking

Unlike traditional intrusions that exploit software vulnerabilities, this campaign is built on psychology. Attackers approached targets through Facebook using profiles that appeared credible; some even listed locations like Pyongyang and Pyongsong, lending an odd air of transparency to the deception. Once a connection was established, conversations moved to Messenger, then to Telegram. Each platform shift made the interaction feel progressively more personal, more trusted, more real.

This technique is called pretexting: constructing a believable narrative to manipulate someone into taking a specific action. Here, the pretext was simple: you need a special PDF viewer to open secure military documents. The software provided looked legitimate. It was a modified version of Wondershare PDFelement. It was not what it seemed.

What actually happened after installation

Once installed, the trojanised viewer silently executed hidden code and established a connection to an attacker-controlled server. A second-stage payload was then retrieved, disguised as an ordinary JPG image file, and the final malware was deployed: RokRAT.

Hiding payloads inside image files is a technique known as steganography. By embedding malicious code within what appears to be a benign JPG, the delivery slips past perimeter defences that inspect file types rather than file contents. It's a low-noise approach that suits APT37's broader philosophy of patience over spectacle.
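The page does not say how the payload was placed inside the JPG, so the added example below (not code from the original post or from any vendor analysis) assumes the simplest and most common variant, data appended after the JPEG end-of-image marker, and shows a defender-side check: walk the JPEG segment structure, locate EOI, and report any trailing bytes plus the volume of metadata segments. The sample image bytes are constructed for the example.

```python
import struct

def jpeg_trailing_data(data: bytes) -> dict:
    """Walk JPEG marker segments; report bytes after EOI and total APPn/COM bytes.

    A payload hidden inside valid segments (or in the scan data itself) would
    not show up as trailing bytes, which is why app_bytes is also returned:
    unusually large metadata segments deserve a closer look.
    """
    result = {"valid": False, "eoi_offset": None, "trailing": 0, "app_bytes": 0}
    if data[:2] != b"\xff\xd8":            # must start with SOI
        return result
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:               # lost sync: not at a marker
            return result
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                  # EOI: anything after this is suspicious
            result.update(valid=True, eoi_offset=pos, trailing=n - pos)
            return result
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                        # standalone markers carry no length field
        if pos + 2 > n:
            break
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]   # includes its own 2 bytes
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:          # APPn or COM segment
            result["app_bytes"] += seg_len - 2
        pos += seg_len
        if marker == 0xDA:                  # SOS: skip entropy-coded data to next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return result

# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS header, stuffed scan data, EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# Same image with 64 constructed bytes appended after EOI.
SUSPECT_JPEG = CLEAN_JPEG + b"MZ\x90\x00" + b"\x00" * 60
```

An image viewer renders both files identically; only the structural check distinguishes them.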

A closer look at RokRAT

RokRAT is a Remote Access Trojan that APT37 has used in targeted espionage campaigns for several years. It isn't designed for mass infection; it's built for persistence and invisibility.

C2 infrastructure: Cloud-based via Zoho WorkDrive — malicious traffic blends with legitimate SaaS activity

Architecture: Modular design allows attackers to extend functionality without redeployment

Collection: Steals files, captures screenshots, and harvests system information

Evasion: Encrypted payloads, obfuscation, and abuse of trusted services to bypass detection

The use of Zoho WorkDrive as command and control infrastructure is particularly telling. By routing communications through a legitimate cloud platform, RokRAT's traffic is functionally indistinguishable from normal business activity. Blocking it would mean blocking a service that thousands of organisations use every day. This is a deliberate design choice, and it reflects a broader trend of attackers living off trusted third-party infrastructure rather than standing up dedicated C2 servers that can be easily identified and taken down.

Mapping the attack: MITRE ATT&CK

Viewed through the MITRE ATT&CK framework, this campaign maps cleanly across multiple tactics. What's notable isn't that APT37 invented new techniques; it's how precisely they combined existing ones to minimise detection at every stage.

Phishing — T1566 (Initial Access): Social engineering via Facebook and Messenger to establish initial contact and trust

User Execution — T1204 (Execution): Victim installs the trojanised PDF viewer, believing it to be a legitimate tool

Masquerading — T1036 (Defence Evasion): Malware disguised as Wondershare PDFelement; payload hidden inside a JPG file

Web Services — T1102 (C2): Zoho WorkDrive and compromised websites used to blend C2 traffic with legitimate activity

Obfuscation — T1027 (Defence Evasion): Encrypted payload delivery at multiple stages to avoid signature-based detection

Screen Capture — T1113 (Collection): Screenshots and system data harvested during the persistence phase

Where defences fell short: a NIST lens

The NIST Cybersecurity Framework offers a useful way to understand not just what happened, but where organisational controls failed and where they could be strengthened.

Identify: Targets lacked awareness of social engineering as an entry vector. A Facebook profile from an unfamiliar contact in Pyongyang warrants scrutiny, but most users aren't trained to apply that scrutiny to casual social interactions.

Protect: Software installation controls were absent or insufficiently enforced. A policy of installing applications only from official, verified sources would have broken the infection chain at its most critical point.

Detect: Signature-based tools struggle when malicious traffic travels through Zoho WorkDrive. Behavioural detection, which monitors for unusual outbound connections to cloud storage from endpoints that don't normally use those services, is far more likely to surface this.

Respond: RokRAT's low-noise behaviour means incident response is typically delayed. By the time an infection is confirmed, weeks of data exfiltration may have already occurred. Faster anomaly detection pipelines compress this window.

Recover: Persistent, modular malware complicates recovery. Even after removal, the modular architecture means additional implants may have been staged. Full forensic investigation is required before any system can be considered clean.
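The Detect point above, and the earlier discussion of Zoho WorkDrive as C2, both come down to the same control: since the service itself cannot be blocked, flag endpoints that start talking to a cloud-storage domain they never used before. The added example below (not code from the original post) implements that per-host first-seen baseline over constructed proxy log lines; the watched domain list and the log format are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Assumed cloud-storage hostnames to watch; extend this for your environment.
CLOUD_STORAGE_DOMAINS = {"workdrive.zoho.com", "drive.google.com", "www.dropbox.com"}

# Constructed proxy log lines: "<iso-timestamp> <src_host> <dest_domain> <bytes_out>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-finance-07 drive.google.com 5120
2024-03-02T10:12:00 ws-finance-07 drive.google.com 8800
2024-03-03T11:30:00 ws-hr-02 www.dropbox.com 2200
2024-03-12T02:15:00 ws-finance-07 workdrive.zoho.com 1048576
2024-03-12T02:45:00 ws-finance-07 workdrive.zoho.com 2097152
2024-03-12T09:00:00 ws-hr-02 www.dropbox.com 3100
2024-03-12T09:05:00 ws-finance-07 drive.google.com 4000
"""

def parse_log(text: str):
    """Turn the constructed log into (timestamp, host, domain, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        ts, host, domain, sent = line.split()
        rows.append((datetime.fromisoformat(ts), host, domain, int(sent)))
    return rows

def first_seen_cloud_storage(rows, baseline_end: datetime) -> dict:
    """Flag (host, domain) pairs where a host contacts a cloud-storage domain
    it never used during the baseline period. Two passes, so input order
    does not matter. Returns {(host, domain): {first_seen, events, bytes_out}}."""
    baseline = defaultdict(set)
    for ts, host, domain, _ in rows:
        if ts < baseline_end and domain in CLOUD_STORAGE_DOMAINS:
            baseline[host].add(domain)
    alerts = {}
    for ts, host, domain, sent in rows:
        if ts < baseline_end or domain not in CLOUD_STORAGE_DOMAINS:
            continue
        if domain in baseline[host]:
            continue                      # normal for this host, no alert
        a = alerts.setdefault((host, domain), {"first_seen": ts, "events": 0, "bytes_out": 0})
        a["first_seen"] = min(a["first_seen"], ts)
        a["events"] += 1
        a["bytes_out"] += sent            # volume matters: exfiltration, not a stray click
    return alerts
```

On the sample, only ws-finance-07's new use of workdrive.zoho.com is raised; ws-hr-02's Dropbox traffic is in its baseline and stays quiet, which is the point of a per-host rather than per-domain rule.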

This campaign is a reminder that the most dangerous intrusions rarely announce themselves. There was no zero-day. No brute-forced credential. Just a friend request, a believable conversation, and a PDF viewer that did rather more than display documents. The line between social interaction and cyber threat continues to blur, and the attackers are counting on us not to notice.