APT37 Campaign: Social Engineering via Facebook & Tampered PDFelement Targets Defense Sector

North Korea-linked threat actor APT37 is conducting a sophisticated intrusion campaign that weaponizes Facebook and Telegram to deliver a tampered Wondershare PDFelement installer.

This attack chain enables stealthy access and exfiltration of sensitive data from defense-related organizations, demonstrating advanced social engineering and evasion techniques.

Multi-Platform Deception Attack Flow

APT37 Attack Flow Visualization
General Attack Sequence (Source: Genians Security Center)

The campaign initiates with highly targeted friend requests sent through fabricated North Korean Facebook accounts claiming origins in Pyongyang and Pyeongtaek. Attackers establish trust through one-on-one Messenger chats using tailored topics before coercing victims to migrate to “more secure” Telegram channels.

Under the pretext of sharing encrypted military documents, actors claim a specialized PDF viewer is required and push victims to install a tampered version of Wondershare PDFelement. The malicious package arrives as password-protected ZIP files via Telegram, containing counterfeit PDF viewers, decoy military PDFs, and Korean-language instructions using North Korean spelling markers like “콤퓨터” and “프로그람”.

Tampered PDFelement: Legitimate Installer, Malicious Entry Point

The attack hinges on a modified Wondershare PDFelement installer named “Wondershare_PDFelement_Installer(PDF_Security).exe”. While mimicking official naming conventions, the tampered version lacks legitimate digital signatures – a critical Indicator of Compromise (IoC) for defenders.

Official PDFelement Installer Page
Official PDFelement Website (Source: Genians)

Internally, malicious actors preserve normal installer functionality while inserting ~2KB of shellcode into a PE code cave. This shellcode modifies the executable entry point to:

  • Launch legitimate DISM.exe in suspended state
  • Inject decrypted payloads via VirtualAllocEx/WriteProcessMemory
  • Execute remote code before returning control to normal installer
Tampered vs Legitimate Installer Entry Point
Entry Point Comparison (Source: Genians)

Two-Stage Payload Delivery via Image Disguise

The shellcode contains a 51-byte XOR-encrypted blob that decodes to a C2 URL on a legitimate Japanese real estate service (“1288247428101.jpg”). Though appearing as an image request, the actual response serves as:

  1. A first XOR decryption layer using the leading byte
  2. Validation via x86 prologue bytes (55 8B)
  3. A second AES-256-CBC decryption using 4-byte key
  4. Reconstruction of fileless PE image for execution

RokRAT Backdoor with Cloud C2 Exfiltration

RokRAT Payload Comparison
Payload Similarity to December 2025 RokRAT Variant (Source: Genians)

The final payload mirrors APT37’s RokRAT backdoor, collecting system reconnaissance data, executing commands, and capturing screenshots. Notable characteristics include:

  • Document exfiltration (DOC, XLS, PDF, HWP)
  • Audio recording (M4A, AMR)
  • Command-and-control via Zoho WorkDrive OAuth2 APIs
  • AES-256-CBC encrypted uploads
  • Anti-detection tactics through numerous User-Agent strings

Critical Defense Requirements

This campaign reveals APT37’s continued evolution toward cloud-based, fileless implants. With heavy reliance on process injection, cloud C2, and image-disguised payloads, signature-based controls are insufficient. Organizations require behavior-based EDR monitoring for:

  • Parent-child process chains involving DISM.exe
  • Unsigned binaries masquerading as updates
  • Suspicious OAuth2 interactions with cloud platforms
  • XOR decryption patterns in memory

Attribution is supported by Korean-language decoys, synchronized Facebook account creation, and infrastructure overlaps with previous APT37 Zoho-abusing campaigns targeting government and defense sectors.

Related Articles

Back to top button