
North Korean APT37 Uses Facebook to Deliver RokRAT Malware

SEOUL. North Korean state-sponsored hackers have begun using Facebook's social networking features to deliver malware to targets, according to security researchers tracking the group known as APT37 or ScarCruft. The threat actors approached targets on Facebook, sent friend requests, and built trust before delivering a remote access trojan called RokRAT. The campaign marks a shift in tactics for the group, which has historically relied on spear-phishing emails.

APT37 used two fake Facebook personas to establish rapport with potential victims over extended periods before sharing malicious documents. Once downloaded and opened, these documents deployed RokRAT, which can capture screenshots, record keystrokes, and exfiltrate files.

The group has targeted organizations in South Korea, Japan, and Vietnam, focusing on government agencies, defense contractors, and human rights organizations. Security analysts say the Facebook campaign demonstrates increasing sophistication in the group's social engineering capabilities.

The malware communicates with its command-and-control servers through cloud-based infrastructure, so its traffic blends in with legitimate use of those services and is harder to detect. RokRAT has been associated with APT37 since at least 2017 and remains under active development.

Researchers advise organizations to train employees about the risks of accepting connection requests from unknown individuals on social platforms, even when the profiles appear legitimate. The Hacker News first reported the campaign.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.