[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:north-korea-s-apt37-uses-facebook-social-engineering-to-deliver-rokrat-malware-mnyrbkd1":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":15,"article_ids":16,"ioc_summary":18,"source_urls":19,"status":21,"expires_at":22,"created_at":23,"updated_at":24,"articles":25},"66c2a7d0-140d-4866-a818-43ed8ba63d70","North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware","north-korea-s-apt37-uses-facebook-social-engineering-to-deliver-rokrat-malware-mnyrbkd1","APT37 is conducting active social engineering campaigns via Facebook and Telegram to deliver RokRAT, a fully-featured remote access trojan. Targets receive friend requests followed by trojanized Wondershare PDFelement installers that execute shellcode and establish persistence. RokRAT abuses Zoho WorkDrive for C2 and can capture screenshots, execute arbitrary commands, and disable security tools.","high","advisory",[],[13,14],"Wondershare PDFelement","Zoho WorkDrive","Hunt for PDFelement installer executions and suspicious Zoho WorkDrive API calls in your environment. Block known RokRAT IOCs and monitor PDF applications for execution of unsigned code or shellcode. Educate users on social engineering via Facebook\u002FTelegram and require them to verify who they are talking to before accepting file transfers.",[17],"b58e5297-83ea-4608-87ae-c441f3fde0f5",null,[20],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fnorth-koreas-apt37-uses-facebook-social.html","archived","2026-04-16T15:08:54.611+00:00","2026-04-14T15:09:03.160366+00:00","2026-04-16T15:09:14.312876+00:00",[26],{"id":17,"title":6,"url":20}]