APT37 Uses Fake Profiles and a Tampered PDF Viewer to Infiltrate Targets with RokRAT


A recent campaign attributed to the North Korean group known as APT37 (also called ScarCruft) highlights how attackers combine classic social engineering with increasingly sophisticated techniques to introduce malware into networks and devices. According to a technical analysis published by the South Korean firm Genians, the operators used Facebook accounts to build a trust relationship with their victims and then turned that interaction into the delivery path for a remote-access Trojan known as RokRAT. The company behind the analysis can be consulted on its official website: Genians Security Center.

The entry mechanism was neither a direct exploit nor a mass mailing, but something more social and targeted: the attackers created fake profiles that feigned closeness and shared interests with the victims, and then moved the conversation to private messaging applications where it was easier to exchange files. The tactic of building a credible story, known in cybersecurity as pretexting, allowed them to convince the targets to install a PDF viewer supposedly needed to open encrypted military documents. In reality, that "viewer" was a tampered version of legitimate software.


The piece that opened the technical door to the intrusion was a tampered installer of a real program for reading and editing PDFs: an adulterated variant of Wondershare PDFelement, a well-known commercial package that the victim would perceive as harmless. The modified installer ran malicious code embedded at startup, which gave the attackers a first persistent foothold on the affected machine. The legitimate software mentioned is available on the official website: Wondershare PDFelement.

A technical curiosity of the campaign is the deliberate use of compromised legitimate infrastructure to run the command-and-control (C2) channel. According to the investigation, the operators took advantage of a real website associated with a real-estate information service to issue instructions and deliver additional payloads. In addition, the second stage of the infection chain did not arrive as a conventional executable but was camouflaged inside a JPG file containing the final RokRAT payload. This strategy exploits trust in legitimate resources and extension camouflage to hinder automated detection.
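The article does not say how the payload was hidden inside the JPG, but one check a security team can run on any file arriving with an image extension is to confirm that the bytes actually form a JPEG and to report anything appended after the End-Of-Image marker. The following is an added example written for this article, not code from Genians or from the original post; the sample byte strings are constructed here, and the short watchlist of executable magic bytes is an assumption.

```python
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image
SOS = 0xDA         # Start Of Scan marker byte
# Assumed watchlist: magic bytes of formats an appended trailer often turns out to be.
KNOWN_MAGIC = {
    b"MZ": "MZ (PE executable)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
}


def inspect_jpeg(data: bytes) -> dict:
    """Classify a byte string that claims to be a JPEG.

    Verdicts: 'not-jpeg', 'corrupt', 'truncated', 'clean', 'trailing-data'.
    Only the marker segments before SOS are walked; the scan data is skipped by
    searching for the first EOI after SOS. That is safe because entropy-coded
    data byte-stuffs 0xFF as 0xFF 0x00, so a real scan cannot contain 0xFF 0xD9.
    """
    result = {"verdict": "", "segments": [], "trailing_bytes": 0, "trailer_magic": None}
    if not data.startswith(SOI):
        result["verdict"] = "not-jpeg"
        return result
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            result["verdict"] = "corrupt"
            return result
        marker = data[pos + 1]
        if marker == SOS:
            break
        # Every header segment carries a big-endian length that includes the length field itself.
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        result["segments"].append(f"0x{marker:02X}")
        pos += 2 + seg_len
    else:
        result["verdict"] = "truncated"
        return result
    eoi = data.find(EOI, pos)
    if eoi == -1:
        result["verdict"] = "truncated"
        return result
    trailer = data[eoi + 2:]
    result["trailing_bytes"] = len(trailer)
    for magic, name in KNOWN_MAGIC.items():
        if trailer.startswith(magic):
            result["trailer_magic"] = name
    result["verdict"] = "trailing-data" if trailer else "clean"
    return result


def build_sample(trailer: bytes = b"", with_eoi: bool = True) -> bytes:
    """Constructed minimal JPEG-shaped byte string for the samples below (not a viewable image)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56"
    return SOI + app0 + sos + scan + (EOI if with_eoi else b"") + trailer


# Constructed samples: a clean file, a file with a PE-looking blob appended,
# a file that is not a JPEG at all, and a file cut off before EOI.
SAMPLES = {
    "clean": build_sample(),
    "appended": build_sample(trailer=b"MZ\x90\x00" + b"\x00" * 20),
    "not_jpeg": b"MZ\x90\x00" + b"\x00" * 40,
    "truncated": build_sample(with_eoi=False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_jpeg(blob))
```

A "not-jpeg" verdict on a file with a .jpg extension, or a "trailing-data" verdict with a recognised executable magic, is a cheap signal worth raising before the file reaches a user. Images that legitimately carry trailing bytes (some camera firmware, some editing tools) do exist, so the trailing-data verdict is a triage hint rather than a conviction.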

RokRAT is not new in the arsenal of North Korean actors and has been observed in previous operations. External researchers have documented how this malware reuses its core capabilities while continuously modifying its delivery and evasion methods. In earlier campaigns, the malware has been described as using legitimate cloud services as channels to hide its control traffic, which helps it avoid traditional controls. A detailed example of cloud services used as a C2 vector was documented by Zscaler ThreatLabz in research published in 2026, which analyzed similar techniques and highlighted the use of legitimate platforms to camouflage malicious communications; the Zscaler research can be reviewed here: Zscaler ThreatLabz.

From an operational standpoint, the attackers followed a deliberate flow: identifying and screening targets through profiles with false geolocation, building trust via messaging, delivering a compressed (ZIP) file containing instructions and the tampered installer, executing the embedded code that contacts the C2 server, and finally downloading the final payload masked as an image. The Trojan's persistence and capabilities include screen capture, remote command execution (for example via cmd.exe), system information collection, and techniques that try to evade certain security products that may be present on the endpoint. For context on the popularity of some solutions and their market presence, Qihoo 360 offers a product known as 360 Total Security: 360 Total Security, although attackers constantly look for ways to bypass specific defenses.

This incident again illustrates several important lessons. First, the use of legitimate software as a decoy forces organizations and users to distrust even installers that appear to come from known brands. Second, the abuse of legitimate infrastructure (compromised websites or cloud services) complicates detection, because the network traffic can look normal. Third, the attackers place special emphasis on the human phase of the attack: without the initial deception, the final code would never run.


To minimize risk, it is advisable to deploy both technical and educational controls: always verify the source of files and links, prefer official distribution channels for software, keep systems up to date, and limit the automatic execution of installers received through messaging. In corporate environments, network segmentation, inspection of outbound traffic, and blocking of files with suspicious extensions can reduce the scope of an infection. It is also important to detect and monitor abnormal behaviour, such as processes taking screenshots or unusual invocations of cmd.exe, and to have clear procedures for isolating compromised machines and performing forensic analysis.
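The operational flow described earlier (a tampered installer that runs embedded code, and a Trojan that invokes cmd.exe) and the recommendation above to monitor unusual cmd.exe invocations both reduce to a parent-child process rule that endpoint telemetry can answer. The following is an added example, not code from Genians or from the original article; the process-creation events are constructed sample lines in a simplified Sysmon-like CSV layout, and the allowlist of expected shell parents, the user-writable path hints and the "pdf" name hint are assumptions that need tuning for each environment.

```python
import csv
import io
import ntpath

# Constructed sample of process-creation events (Sysmon Event ID 1 style, simplified).
# These lines are made up for this example; nothing here comes from the Genians report.
SAMPLE_EVENTS_CSV = r"""utc_time,parent_image,image,command_line
10:00:01,C:\Windows\explorer.exe,C:\Users\alice\Downloads\PDFelement_Setup.exe,PDFelement_Setup.exe
10:00:03,C:\Users\alice\Downloads\PDFelement_Setup.exe,C:\Windows\System32\cmd.exe,cmd.exe /c ver
10:00:05,C:\Users\alice\Downloads\PDFelement_Setup.exe,C:\Windows\System32\msiexec.exe,msiexec.exe /i setup.msi
10:05:00,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
10:05:10,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed allowlist: parents from which a shell is normal in this environment.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "services.exe", "windowsterminal.exe"}
# Assumed hints: directories a user (or a download) can write to without admin rights.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\", "\\temp\\")
# Assumed hint: a document viewer or its installer rarely needs to launch other processes.
DOCUMENT_APP_HINTS = ("pdf",)


def parse_events(csv_text):
    """Parse the CSV telemetry into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def evaluate(event):
    """Return (rule, severity, detail) tuples for a single process-creation event."""
    parent_path = event["parent_image"].lower()
    parent = ntpath.basename(parent_path)
    child = ntpath.basename(event["image"].lower())
    findings = []
    # Rule 1: a shell spawned by something other than the expected parents.
    # Severity rises when the parent itself lives in a user-writable directory.
    if child in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
        severity = "high" if any(h in parent_path for h in USER_WRITABLE_HINTS) else "medium"
        findings.append(("shell-from-unexpected-parent", severity,
                         f"{parent} -> {child}: {event['command_line']}"))
    # Rule 2: a document application (by name) spawning any child process at all.
    if any(h in parent for h in DOCUMENT_APP_HINTS):
        findings.append(("document-app-spawned-process", "low", f"{parent} -> {child}"))
    return findings


def detect(events):
    """Run every rule over every event and collect the findings in event order."""
    results = []
    for ev in events:
        for rule, severity, detail in evaluate(ev):
            results.append({"time": ev["utc_time"], "rule": rule,
                            "severity": severity, "detail": detail})
    return results


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS_CSV)):
        print(f"{f['time']} [{f['severity']:<6}] {f['rule']}: {f['detail']}")
```

On the constructed sample, the installer launching cmd.exe from the Downloads folder is the high-severity hit, while the same installer launching msiexec.exe only trips the low-severity rule; a legitimate installer will produce that second signal too, which is why rule 2 is a context line for analysts rather than an alert on its own.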

For those interested in going deeper into the phenomenon of attackers who pose as credible actors and the tools they use, vendor pages and research centres publish useful analyses and guides. Beyond the links already mentioned, cloud storage and collaboration platforms such as Zoho WorkDrive are sometimes exploited by malicious actors, so their use in a C2 context deserves attention from security teams.

In short, what stands out in this operation attributed to APT37 is not so much the novelty of the malware as the refined mix of human deception, manipulation of legitimate software and abuse of trusted infrastructure. This combination makes purely reactive defenses insufficient: the best response is a policy that combines precise technology with continuous training and procedures that make the first click, the one that opens the door to the attacker, harder to take.
