RokRAT Malware

The North Korean threat group APT37 (also known as ScarCruft) has been linked to a sophisticated, multi-stage cyber campaign leveraging social engineering through Facebook. Attackers initiate contact by sending friend requests, gradually building trust before transforming the interaction into a malware delivery channel. This calculated manipulation ultimately enables the deployment of the remote access trojan RokRAT.

Weapon of Choice: The Evolution of RokRAT

RokRAT remains the primary malware used by the group and has evolved significantly over time, with adaptations for platforms such as macOS and Android. Its continued development highlights sustained operational investment.

The malware is capable of executing a broad spectrum of malicious activities, including:

  • Credential harvesting and sensitive data exfiltration
  • Screenshot capture and system reconnaissance
  • Execution of commands and shellcode
  • File and directory manipulation

To obscure its operations, earlier variants stored stolen data in MP3 file formats. Additionally, RokRAT disguises its command-and-control (C2) communications by routing data through legitimate cloud platforms such as Dropbox, Microsoft OneDrive, pCloud, and Yandex Cloud.

Trust as an Attack Vector: Social Media Manipulation

The campaign begins with the creation of fraudulent Facebook personas, reportedly based in Pyongyang and Pyongsong. These accounts are used to identify and assess potential victims. Once a connection is established, conversations shift to Messenger, where carefully selected topics are introduced to deepen trust and engagement.

A critical tactic is pretexting: targets are convinced to install a specialized PDF viewer under the false premise that it is required to open encrypted military documents. The application supplied is a modified build of Wondershare PDFelement with malicious shellcode embedded in it. Running the installer begins the compromise by giving the attackers initial access to the system.

Layered Deception: Advanced Delivery and Evasion Techniques

The attack chain demonstrates a high degree of sophistication through the combination of multiple evasion strategies:

  • Use of trojanized legitimate software to bypass suspicion
  • Exploitation of compromised but trusted web infrastructure for C2 operations
  • Disguising malicious payloads as benign files, such as JPG images

Notably, attackers leveraged a compromised website linked to a Japanese real estate service's Seoul branch to distribute commands and payloads. The second-stage payload appears as an innocuous image file, concealing the final RokRAT deployment.

Multi-Stage Execution: From Social Contact to Full Compromise

The attack sequence progresses through several coordinated stages. Threat actors created Facebook accounts named 'richardmichael0828' and 'johnsonsophia0414' on November 10, 2025. After establishing rapport, communication is redirected to Telegram, where victims receive a ZIP archive containing the malicious PDF viewer, decoy documents, and installation instructions.

Execution of the compromised installer triggers encrypted shellcode, which connects to a C2 domain and retrieves a secondary payload disguised as a JPG image file. This file ultimately delivers the full RokRAT malware.
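The report notes twice that the second-stage payload is delivered as a file that looks like a JPG image. A cheap triage check a defender can run over downloaded files is to compare the extension a file claims against the signature in its first bytes, and, for files that do carry a valid JPEG header, to look for data appended after the end-of-image marker. The following is an added example written for this page, not code from the original report or from any vendor; the signature table is a small subset of well-known file signatures, the trailing-data heuristic is a general check rather than a description of how this specific payload is built, and all sample byte strings are constructed.

```python
"""Flag files whose extension does not match their leading bytes.

Example code added to illustrate a defender-side check; the samples at the
bottom are constructed, not captured from RokRAT.
"""
from dataclasses import dataclass
from pathlib import PurePath
from typing import Optional

# Well-known signatures for the extensions we care about (subset).
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
}

# Headers that should never appear at offset 0 of an image or audio file.
SUSPICIOUS = {
    b"MZ": "PE executable header",
    b"\x7fELF": "ELF executable header",
    b"PK\x03\x04": "ZIP archive header",
}

JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


@dataclass
class Finding:
    name: str
    verdict: str  # "ok" | "mismatch" | "trailing-data" | "unknown-ext"
    detail: str


def trailing_after_eoi(data: bytes) -> Optional[int]:
    """Bytes after the last JPEG EOI marker, or None if no marker is present."""
    idx = data.rfind(JPEG_EOI)
    if idx < 0:
        return None
    return len(data) - (idx + len(JPEG_EOI))


def check_file(name: str, data: bytes) -> Finding:
    ext = PurePath(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return Finding(name, "unknown-ext", f"no signature table for {ext or '<none>'}")
    if not any(data.startswith(sig) for sig in expected):
        for sig, label in SUSPICIOUS.items():
            if data.startswith(sig):
                return Finding(name, "mismatch", f"{ext} file starts with {label}")
        return Finding(name, "mismatch", f"{ext} file has unrecognised header {data[:4].hex()}")
    if ext in (".jpg", ".jpeg"):
        extra = trailing_after_eoi(data)
        if extra:
            return Finding(name, "trailing-data", f"{extra} bytes after JPEG end-of-image marker")
    return Finding(name, "ok", f"header matches {ext}")


# Constructed samples: a minimal valid JPEG, the same JPEG with a blob appended,
# a PE header renamed to .jpg, and a valid MP3 header.
JPEG_OK = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + JPEG_EOI
JPEG_TRAILING = JPEG_OK + b"\x90" * 32
PE_AS_JPG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
MP3_OK = b"ID3\x03\x00" + b"\x00" * 27

SAMPLES = {
    "photo.jpg": JPEG_OK,
    "photo_with_blob.jpg": JPEG_TRAILING,
    "invoice.jpg": PE_AS_JPG,
    "track.mp3": MP3_OK,
    "notes.txt": b"hello",
}


def scan_samples() -> dict:
    """Run the check over the constructed samples; returns name -> verdict."""
    return {name: check_file(name, data).verdict for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        f = check_file(name, data)
        print(f"{f.verdict:14} {name:22} {f.detail}")
```

A mismatch or trailing-data verdict is a reason to look closer, not proof of a payload: legitimate images sometimes carry metadata after the EOI marker, so the check is best used to prioritise files from untrusted download paths rather than as a blocking rule.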

Cloud-Based Command and Control: Blending into Legitimate Traffic

RokRAT further enhances its stealth by abusing Zoho WorkDrive as part of its C2 infrastructure, a method also observed in the 'Ruby Jumper' campaign identified in early 2026. Through this approach, the malware performs functions such as screenshot capture, remote command execution via system shells, host data collection, and security evasion.
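Because the C2 traffic described here and earlier on the page (Dropbox, OneDrive, pCloud, Yandex Cloud, Zoho WorkDrive) rides on services that are legitimately used on most networks, blocking the destinations is rarely an option; what stands out instead is the wrong process reaching them. The following added example, written for this page and not taken from the report or any vendor tooling, runs that rule over constructed endpoint network telemetry: it flags any process that is neither the vendor's own sync client nor a browser and still talks to a cloud-storage API host, and sums the bytes it sent. The CSV format, the hostname list and the process allow-list are assumptions to be tuned to a real environment.

```python
"""Flag unexpected processes talking to cloud-storage APIs.

Example detection logic added to illustrate the point above; the hostnames
are representative API endpoints for the named services (assumed list), the
allow-list and log format are assumptions, and every log line is constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

# Services named in the report, keyed by representative API hostname (assumed).
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "api.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Cloud",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Processes expected to reach those hosts (assumed allow-list; tune per site).
EXPECTED_PROCESSES = {"Dropbox.exe", "OneDrive.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry: timestamp,host,process,dst_host,bytes_out
SAMPLE_LOG = """\
timestamp,host,process,dst_host,bytes_out
2025-11-12T09:01:02Z,WS-17,OneDrive.exe,graph.microsoft.com,48213
2025-11-12T09:03:15Z,WS-17,chrome.exe,api.dropboxapi.com,1200
2025-11-12T09:05:40Z,WS-17,viewer.exe,api.pcloud.com,3120
2025-11-12T09:05:41Z,WS-17,viewer.exe,api.pcloud.com,1048576
2025-11-12T09:07:00Z,WS-22,svchost.exe,update.example.net,800
2025-11-12T09:09:30Z,WS-22,rundll32.exe,workdrive.zoho.com,256000
"""


def parse_log(text: str) -> list:
    """Parse CSV telemetry into dicts with bytes_out as an int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def find_cloud_c2_candidates(rows: list) -> list:
    """One alert per (host, process, service) for non-allow-listed processes,
    with the total bytes sent, sorted for stable output."""
    totals = defaultdict(int)
    for row in rows:
        service = CLOUD_STORAGE_HOSTS.get(row["dst_host"].lower())
        if service is None or row["process"] in EXPECTED_PROCESSES:
            continue
        totals[(row["host"], row["process"], service)] += row["bytes_out"]
    return [
        {"host": h, "process": p, "service": s, "bytes_out": b}
        for (h, p, s), b in sorted(totals.items())
    ]


if __name__ == "__main__":
    for alert in find_cloud_c2_candidates(parse_log(SAMPLE_LOG)):
        print(f"{alert['host']}: {alert['process']} -> {alert['service']} ({alert['bytes_out']} bytes out)")
```

Two alerts come out of the sample data: a viewer process and a rundll32.exe instance each reaching a storage API they have no business with. The bytes_out total is what makes the alert actionable, since a large upload from an unexpected process is the exfiltration pattern the report describes, while a few hundred bytes may be nothing more than a certificate check.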

Strategic Focus: Stability in Function, Innovation in Delivery

While RokRAT's core capabilities have remained largely consistent across operations, its delivery mechanisms and evasion tactics continue to evolve. This strategic emphasis demonstrates a deliberate focus on improving infection vectors and stealth techniques rather than altering the malware's foundational functionality.
