APT37 Campaign: Social Engineering via Facebook & Tampered PDFelement Targets Defense Sector
North Korea-linked threat actor APT37 is conducting a sophisticated intrusion campaign that weaponizes Facebook and Telegram to deliver a tampered Wondershare PDFelement installer.
This attack chain enables stealthy access and exfiltration of sensitive data from defense-related organizations, demonstrating advanced social engineering and evasion techniques.
Multi-Platform Deception Attack Flow

The campaign initiates with highly targeted friend requests sent through fabricated North Korean Facebook accounts claiming origins in Pyongyang and Pyeongtaek. Attackers establish trust through one-on-one Messenger chats using tailored topics before coercing victims to migrate to “more secure” Telegram channels.
Under the pretext of sharing encrypted military documents, actors claim a specialized PDF viewer is required and push victims to install a tampered version of Wondershare PDFelement. The malicious package arrives as password-protected ZIP files via Telegram, containing counterfeit PDF viewers, decoy military PDFs, and Korean-language instructions using North Korean spelling markers like “콤퓨터” and “프로그람”.
Tampered PDFelement: Legitimate Installer, Malicious Entry Point
The attack hinges on a modified Wondershare PDFelement installer named “Wondershare_PDFelement_Installer(PDF_Security).exe”. While mimicking official naming conventions, the tampered version lacks legitimate digital signatures – a critical Indicator of Compromise (IoC) for defenders.

Internally, malicious actors preserve normal installer functionality while inserting ~2KB of shellcode into a PE code cave. This shellcode modifies the executable entry point to:
- Launch legitimate DISM.exe in suspended state
- Inject decrypted payloads via VirtualAllocEx/WriteProcessMemory
- Execute remote code before returning control to normal installer

Two-Stage Payload Delivery via Image Disguise
The shellcode contains a 51-byte XOR-encrypted blob that decodes to a C2 URL on a legitimate Japanese real estate service (“1288247428101.jpg”). Though appearing as an image request, the actual response serves as:
- A first XOR decryption layer using the leading byte
- Validation via x86 prologue bytes (55 8B)
- A second AES-256-CBC decryption using 4-byte key
- Reconstruction of fileless PE image for execution
RokRAT Backdoor with Cloud C2 Exfiltration

The final payload mirrors APT37’s RokRAT backdoor, collecting system reconnaissance data, executing commands, and capturing screenshots. Notable characteristics include:
- Document exfiltration (DOC, XLS, PDF, HWP)
- Audio recording (M4A, AMR)
- Command-and-control via Zoho WorkDrive OAuth2 APIs
- AES-256-CBC encrypted uploads
- Anti-detection tactics through numerous User-Agent strings
Critical Defense Requirements
This campaign reveals APT37’s continued evolution toward cloud-based, fileless implants. With heavy reliance on process injection, cloud C2, and image-disguised payloads, signature-based controls are insufficient. Organizations require behavior-based EDR monitoring for:
- Parent-child process chains involving DISM.exe
- Unsigned binaries masquerading as updates
- Suspicious OAuth2 interactions with cloud platforms
- XOR decryption patterns in memory
Attribution is supported by Korean-language decoys, synchronized Facebook account creation, and infrastructure overlaps with previous APT37 Zoho-abusing campaigns targeting government and defense sectors.