thehackernews.com 4/13/2026, 10:32:10 AM · via preferred

North Korea APT37 uses fake Facebook to spread RokRAT via PDF

Primary source: genians.co.kr (category: Threat Actor)

According to the Genians Security Center (GSC), North Korea’s APT37 (ScarCruft) has launched a multi-stage social‑engineering campaign on Facebook to deliver a remote access trojan called RokRAT. The threat actor created two Facebook accounts, “richardmichael0828” and “johnsonsophia0414,” on 10 November 2025 and then moved the conversation to Telegram to push the attack; targets were identified and screened via location settings pointing to Pyongyang and Pyongsong, North Korea.

Central to the operation is pretexting: victims are steered into installing a tampered Wondershare PDFelement PDF viewer that launches embedded shellcode to gain an initial foothold. The campaign also leverages legitimate but compromised infrastructure for command-and-control, specifically a site tied to a Seoul-based real estate information service.

The payload is delivered as a seemingly harmless JPG image, and later communication with a C2 server uses the domain japanroom[.]com to fetch a second-stage payload; the malware also abuses Zoho WorkDrive as C2 to enable features such as screenshot capture and remote command execution. The article notes, citing the GSC, that RokRAT’s core functionality remains stable while its delivery and evasion chains evolve.


Article by CyberSIXT