North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware

APT37 is conducting active social engineering campaigns via Facebook and Telegram to deliver RokRAT, a fully-featured remote access trojan. Targets receive friend requests followed by trojanized Wondershare PDFelement installers that execute shellcode and establish persistence. RokRAT abuses Zoho WorkDrive for C2 and can capture screenshots, execute arbitrary commands, and disable security tools.

Severity: HIGH | Advisory | Apr 14, 2026
Action required
Hunt for PDFelement installer executions and suspicious Zoho WorkDrive API calls in your environment. Block known RokRAT IOCs and monitor for unsigned shellcode execution from PDF applications. Educate users on social engineering via Facebook/Telegram and enforce conversation verification before accepting file transfers.
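As an added hunting example, not part of the advisory and not vendor detection content, the routine below applies the guidance above to endpoint telemetry: it flags PDFelement installer executions from user-writable paths, matches process hashes against an IoC list, and flags Zoho WorkDrive connections that originate from a PDF application rather than a browser. The event schema, the Zoho WorkDrive hostnames, the user-writable directory list and the sample events are assumptions constructed for this example; the hashes are placeholders to be replaced with IoCs from a vetted feed, since the advisory itself lists none.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape. Field names
# are assumptions for this example, not a real EDR schema; hashes are
# placeholders, not real RokRAT IoCs.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01",
     "image": r"C:\Users\alice\Downloads\pdfelement-pro_full5239.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": "PLACEHOLDER_SHA256_INSTALLER"},
    {"type": "process", "host": "ws-01",
     "image": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "parent": r"C:\Users\alice\Downloads\pdfelement-pro_full5239.exe",
     "sha256": "PLACEHOLDER_SHA256_APP"},
    {"type": "network", "host": "ws-01",
     "image": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "dest_host": "workdrive.zoho.com", "dest_port": 443},
    {"type": "network", "host": "ws-02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "workdrive.zoho.com", "dest_port": 443},
    {"type": "process", "host": "ws-03",
     "image": r"C:\Program Files\Wondershare\PDFelement\PDFelement.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": "PLACEHOLDER_SHA256_APP"},
]

# Any executable whose file name contains "pdfelement" (installer or app).
PDFELEMENT_RE = re.compile(r"[\\/][^\\/]*pdfelement[^\\/]*\.(?:exe|msi)$", re.IGNORECASE)
# Locations a freshly downloaded installer runs from; an installed copy under
# Program Files does not match. Assumed list, extend for your environment.
USER_WRITABLE_RE = re.compile(r"\\(Downloads|Desktop|Temp|Public)\\", re.IGNORECASE)
# PDF reader/editor processes that have no business talking to a file-sharing API.
PDF_APP_RE = re.compile(r"[\\/](pdfelement|acrobat|acrord32|foxit)[^\\/]*\.exe$", re.IGNORECASE)
# Assumed Zoho WorkDrive hostnames; confirm against what your proxy logs actually show.
WORKDRIVE_RE = re.compile(r"(^|\.)(workdrive\.zoho\.com|zohoapis\.com)$", re.IGNORECASE)
# Placeholder values; populate from a vetted IoC feed.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_INSTALLER"}


def hunt(events):
    """Return (rule, host, detail) tuples for events matching the advisory's hunt guidance."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        if ev["type"] == "process":
            # Installer executed from a user-writable path (the delivery stage).
            if PDFELEMENT_RE.search(image) and USER_WRITABLE_RE.search(image):
                findings.append(("pdfelement_installer_execution", ev["host"], image))
            if ev.get("sha256") in KNOWN_BAD_SHA256:
                findings.append(("known_rokrat_ioc_hash", ev["host"], ev["sha256"]))
        elif ev["type"] == "network":
            # C2 stage: a PDF application reaching Zoho WorkDrive directly.
            if WORKDRIVE_RE.search(ev["dest_host"]) and PDF_APP_RE.search(image):
                findings.append(("pdf_app_to_zoho_workdrive", ev["host"],
                                 f"{image} -> {ev['dest_host']}:{ev['dest_port']}"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

On the sample data only the ws-01 events fire: the browser's WorkDrive traffic on ws-02 and the legitimately installed PDFelement on ws-03 are ignored. A legitimate installer run from Downloads will also be surfaced by the first rule, which is intended: the advisory asks to hunt these executions, and triage then proceeds by hash and code signature. Detecting the "unsigned shellcode execution" the advisory mentions needs memory-level telemetry from an EDR; it is not visible in process and network logs like these.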
Affected products
Wondershare PDFelement
Zoho WorkDrive