APT37 Uses Facebook to Strike: The North Korean Espionage Campaign Exploiting Digital Trust

Introduction

In the international cybersecurity landscape, the most sophisticated threats do not always come in the form of viruses or purely technical attacks. Often, the entry point is much simpler: an apparently innocent conversation on social media. This is what emerges from a campaign attributed to the North Korean group APT37, also known as ScarCruft, documented in the early months of 2026.

What Happened

It all begins on November 10, 2025, with the creation of at least two Facebook profiles with common names and an ordinary appearance. These accounts are used not to attack directly, but to observe and build trust with potential targets — a process that experts call “social reconnaissance.” Once contact is established, communication shifts to more private platforms such as Messenger or Telegram.

At that point, the true deception mechanism comes into play: victims are sent PDF documents with a military and classified appearance, designed to look like authentic material of professional interest. To open these files, users are prompted to install an apparently legitimate program — a modified version of Wondershare PDFelement, a real and widely used PDF management software. That version, however, has been altered to contain malicious code.

Once the compromised program is installed, the attackers gain a foothold on the victim’s system. Communications with the command-and-control (C2) servers take place through a legitimate but compromised website and via Zoho WorkDrive, an ordinary cloud service, specifically so that the traffic blends in with normal internet activity. The end result is the installation of RokRAT, a surveillance tool associated with APT37, capable of capturing screenshots, collecting system information, and receiving remote commands. The file used to deliver it is disguised as a simple JPG image.
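The last detail above, a payload carried under a JPG name, is something a defender can check for mechanically: the extension claims one format while the leading bytes say another. The script below is an added illustration written for this article, not code from the article or from any of the cited reports; the signature table, the file names and the sample bytes are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Expected leading bytes per extension. Constructed table for the formats this
# lure abused: PDFs as bait, a "JPG" that actually carries the implant.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
# Signatures that should never sit behind an image or document extension.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}

def check_header(filename: str, head: bytes) -> dict:
    """Compare the format the extension claims with the file's leading bytes."""
    ext = Path(filename).suffix.lower()
    result = {"file": filename, "ext": ext, "status": "unknown-ext", "detail": ""}
    expected = MAGIC.get(ext)
    if expected is None:
        return result  # no signature on record for this extension
    if head.startswith(expected):
        result["status"] = "ok"
        return result
    result["status"] = "mismatch"
    for sig, label in EXECUTABLE_MAGIC.items():
        if head.startswith(sig):
            result["detail"] = f"content looks like a {label}"
            break
    else:
        result["detail"] = f"header {head[:8].hex()} is not valid for {ext}"
    return result

def scan_paths(paths) -> list:
    """Read the first 16 bytes of each file and return only the mismatches."""
    findings = []
    for p in paths:
        with open(p, "rb") as fh:
            head = fh.read(16)
        r = check_header(str(p), head)
        if r["status"] == "mismatch":
            findings.append(r)
    return findings

def sample_run() -> list:
    """Constructed demo: one genuine JPEG header, one PE payload renamed .jpg."""
    with tempfile.TemporaryDirectory() as d:
        real = Path(d) / "holiday.jpg"
        real.write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 28)
        fake = Path(d) / "attachment.jpg"
        fake.write_bytes(b"MZ\x90\x00" + b"\x00" * 28)
        return scan_paths([real, fake])
```

Calling sample_run() returns a single finding, for attachment.jpg; outside the demo, point scan_paths() at a download or mail-attachment directory and alert on any mismatch.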

The specific victims have not been made public, but the context and characteristics of the campaign suggest an interest in targets linked to South Korea or the military sector.

Why It Matters

This case shows how social manipulation techniques, combined with well-hidden technical tools, make attacks difficult to detect for both individuals and organizations. The use of legitimate cloud services and social profiles built up over time makes these campaigns particularly insidious. The potential impact includes the theft of sensitive information, prolonged access to systems, and espionage activities that are difficult to identify in time.

What Companies and Users Can Do

Anyone who receives contact requests from unknown profiles on social media — especially if accompanied by “classified” material or invitations to install software — should stop and verify. It is advisable to download programs only from official sources, keep systems updated, and report suspicious behavior to IT managers. Companies, for their part, should train staff on recognizing social engineering techniques.

Final Takeaways

  • Cyber espionage campaigns often use social media as a first point of contact, not as a direct technical vector.
  • Legitimate tools and trusted cloud services can be exploited to conceal malicious activity.
  • User awareness remains one of the most effective defense tools against this type of threat.

Sources:
https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html
https://www.genians.co.kr/en/blog/threat_intelligence/pretexting
https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-april-13-2026
https://cyberpress.org/apt37-social-lure-campaign/
https://gbhackers.com/new-targeted-cyberattack/amp/
