A North Korean hacking group known as APT37, or ScarCruft, has launched a new campaign using social media to target victims, according to researchers at the Genians Security Center.
The attackers reportedly approached individuals on Facebook, sending friend requests to build trust. After establishing contact, they continued conversations on Messenger, later switching to Telegram, and then delivered malicious files.
The hackers used a tactic called “pretexting,” tricking victims into downloading a fake PDF viewer that was ostensibly needed to open encrypted military documents. In reality, the program was a modified version of Wondershare PDFelement that installed malware known as RokRAT. The malware allowed attackers to take control of the victim’s device, steal information, capture screenshots, and run commands remotely.
Researchers also found that the hackers used a legitimate but compromised website to control the malware and send it instructions. To avoid detection, the attackers hid the final malicious payload inside what appeared to be a harmless JPG image.