APT37 Exploits Facebook, Telegram, and Malicious Installer in New Attacks


David Kimber
April 13, 2026 | 4 min read

Key Takeaways

  • North Korean state-sponsored threat group APT37 is employing a sophisticated social engineering campaign.
  • The attacks leverage Facebook, Telegram, and a malicious Wondershare PDFelement installer to compromise targets.
  • APT37 runs its second stage filelessly: the patched installer injects a payload into a legitimate Windows process (`dism.exe`) and exfiltrates data via Zoho WorkDrive.
  • The campaign is characterized by its convincing mimicry of everyday digital interactions, making detection challenging.

APT37 Deploys Social Engineering and Fileless Malware in New Targeted Attacks

North Korea’s state-sponsored advanced persistent threat group APT37 has launched a new, highly targeted intrusion campaign. The operation combines social-media engagement, an encrypted messaging platform, and a patched software installer to infiltrate victim systems. Each stage of the attack is built to look like ordinary software use, which is what makes it stealthy and effective, as detailed in a recent report from Genians Security Center.

Social Media as the Initial Vector

The operation began on social media. The threat actors created two Facebook profiles, “richardmichael0828” and “johnsonsophia0414,” both on November 10, 2025. The profiles listed their locations as Pyongyang and Pyongsong, North Korea.

After sending friend requests to carefully selected individuals and building rapport, the attackers moved to one-on-one conversations on Facebook Messenger, where they steered the discussion toward military weapons technology.

Once a target showed genuine interest, the conversation was moved to Telegram, where the malicious content was delivered. Analysts at Genians Security Center classify this as a pretexting attack: the attacker constructs a plausible false narrative and uses it to manipulate the victim into performing a specific action.

Malicious Installer and Covert Delivery

The attackers claimed to be sharing encrypted PDF documents containing classified military weapons data and told targets that a special viewer was required to open them. The “viewer” was a trojanized Wondershare PDFelement installer. It was delivered inside an encrypted ZIP archive named “m.zip” that also contained decoy military-themed PDFs and a fabricated user guide to add credibility; the encryption also keeps gateway scanners from inspecting the executable inside.

The tampered installer closely resembled the authentic Wondershare PDFelement software, but it lacked a valid digital signature. That is the expected consequence of patching a signed binary: the vendor’s Authenticode signature no longer matches the file’s contents, so anyone who checks the signature before running the file sees the modification. The legitimate file is named “Wondershare_PDFelement_Installer.exe”; the malicious variant was renamed “Wondershare_PDFelement_Installer(PDF_Security).exe” to pose as a security-enhanced version.

On execution, the installation appeared to proceed normally. In the background, however, the embedded shellcode ran immediately and connected to attacker-controlled infrastructure. This command-and-control (C2) traffic was routed through the Seoul branch website of a Japanese real estate company so that it blended into ordinary web traffic.

The malware then retrieved a second-stage payload, disguised as a JPG image, from the domain “japanroom[.]com.” Stolen data, including screenshots, DOC, XLS, PDF and HWP documents, and audio recordings, was exfiltrated to Zoho WorkDrive cloud storage using hardcoded OAuth2 tokens, which makes the outbound traffic hard to distinguish from legitimate cloud activity. The flip side for defenders is that tokens embedded in the sample identify the attacker’s storage account, so the provider can revoke them once the binary is recovered.

Shellcode Execution and Process Injection

The most technically advanced part of the attack is the shellcode embedded in the modified installer through PE patching, also known as code cave injection. The legitimate installer’s original entry point at 0x00114103 was overwritten with a new entry point at 0x0015A0E0. The new address lies in an unused region near the end of the .text code section, where roughly 2 KB of malicious shellcode had been inserted.
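As an added illustration (not code from the article or from Genians), the following Python script checks a PE file for the kind of entry-point patching described above. Using only the standard library, it reads AddressOfEntryPoint and the section table, then flags an entry point that differs from a known-good reference copy of the installer, lands outside an executable section, or sits in the tail of its section where a code cave would be carved out. The two sample images are constructed inside the script: their section layout is invented, and the article’s two entry-point values are reused as RVAs purely for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Read AddressOfEntryPoint and the section table from a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3], "chars": f[9]})
    return {"entry_point": entry_point, "sections": sections}


def assess_entry_point(pe, expected_ep=None, tail=0x1000):
    """Return reasons the entry point looks tampered with; an empty list means nothing stood out."""
    ep = pe["entry_point"]
    reasons = []
    if expected_ep is not None and ep != expected_ep:
        reasons.append(f"entry point 0x{ep:X} differs from reference 0x{expected_ep:X}")
    home = next((s for s in pe["sections"]
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        reasons.append(f"entry point 0x{ep:X} lies outside every section")
        return reasons
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"entry point in non-executable section {home['name']}")
    if home["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append(f"entry point in writable section {home['name']}")
    end = home["va"] + home["vsize"]
    # A code cave is usually carved out of the slack at the end of .text, so an entry point
    # within `tail` bytes of the section end (in a section large enough for that to matter)
    # deserves a second look.  Tune `tail` against the binaries you baseline.
    if home["vsize"] > 2 * tail and ep >= end - tail:
        reasons.append(f"entry point 0x{ep:X} is in the last 0x{end - ep:X} bytes of "
                       f"{home['name']} (possible code cave)")
    return reasons


def build_pe(entry_point, sections):
    """Constructed minimal PE32 image for testing; only the fields parse_pe reads are meaningful."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 0x60
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize,
                                 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed section layout (not the real installer's): .text at RVA 0x1000, 0x15A000 bytes long.
LAYOUT = [(b".text", 0x1000, 0x15A000, 0x15A000, 0x60000020),
          (b".data", 0x15B000, 0x8000, 0x8000, 0xC0000040)]
ORIGINAL_EP, PATCHED_EP = 0x114103, 0x15A0E0   # values quoted in the article, used as RVAs here
CLEAN_IMAGE = build_pe(ORIGINAL_EP, LAYOUT)
PATCHED_IMAGE = build_pe(PATCHED_EP, LAYOUT)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, assess_entry_point(parse_pe(image), expected_ep=ORIGINAL_EP) or ["nothing odd"])
```

The reference entry point comes from a copy of the installer downloaded from the vendor, which is also the copy whose Authenticode signature should verify; the patched file fails that check (`signtool verify /pa` or PowerShell’s `Get-AuthenticodeSignature`) before any header heuristics are needed.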

When the installer ran, control passed straight to the injected shellcode. The shellcode created a suspended instance of `dism.exe`, a legitimate Windows utility, using the `CREATE_SUSPENDED` flag. It then decrypted the next payload with a single-byte XOR operation (key `0x6D`) and wrote it directly into the `dism.exe` process with `WriteProcessMemory`.

A remote thread was then started to execute the injected code. No malicious file was written to disk during this stage, which makes it a fileless technique that file-scanning antivirus products struggle with; note that “fileless” is relative, since the patched installer itself is on disk and remains the best forensic artifact. Once the malicious operations finished, execution returned to the normal PDFelement installation, leaving the victim with no visible sign of compromise.
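Two of the steps described above, a second stage fetched under a .jpg name and a payload hidden with a single-byte XOR, turn into a quick triage check. The Python below is an added example, not code from the article or from Genians: it verifies the JPEG magic bytes and, when they are absent, brute-forces all 256 single-byte XOR keys and scores each candidate plaintext for PE and shellcode markers. The sample blob is constructed here; the page does not say whether the real second stage was itself XOR-encoded, so the script only assumes that the same `0x6D` scheme could have been used.

```python
JPEG_MAGIC = b"\xFF\xD8\xFF"
# Strings an analyst expects in a decoded Windows payload: PE header text plus
# the imports that position-independent shellcode resolves by hand.
MARKERS = [b"MZ", b"PE\0\0", b"This program cannot be run in DOS mode",
           b"kernel32", b"LoadLibrary", b"GetProcAddress", b"VirtualAlloc"]


def is_jpeg(data):
    """A real JPEG starts with the SOI marker FF D8 FF; a renamed payload will not."""
    return data[:3] == JPEG_MAGIC


def xor_single(data, key):
    return bytes(b ^ key for b in data)


def score_plaintext(candidate):
    """Higher is more plausible: known markers dominate, printable ratio only breaks ties."""
    hits = sum(1 for m in MARKERS if m in candidate)
    bonus = 5 if candidate[:2] == b"MZ" else 0
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    return 3 * hits + bonus + printable / max(len(candidate), 1)


def recover_xor_key(blob):
    """Try every single-byte key and return (key, decoded, score) for the best candidate.
    Exhaustive and cheap, so it needs no assumption about where the key is stored."""
    best = max(range(256), key=lambda k: score_plaintext(xor_single(blob, k)))
    decoded = xor_single(blob, best)
    return best, decoded, score_plaintext(decoded)


def inspect_download(blob, min_score=9.0):
    """Triage a 'JPG' fetched from a C2: is it an image, and if not, what is it hiding?
    min_score=9 demands more than a lone 'MZ' (which scores 8) before trusting a key."""
    if is_jpeg(blob):
        return {"jpeg": True, "xor_key": None, "looks_like_pe": False}
    key, decoded, s = recover_xor_key(blob)
    if s < min_score:   # nothing recognisable under any key: probably not single-byte XOR
        return {"jpeg": False, "xor_key": None, "looks_like_pe": False}
    return {"jpeg": False, "xor_key": key, "looks_like_pe": decoded[:2] == b"MZ"}


# Constructed sample: a stub PE-like plaintext XORed with 0x6D, the key the article reports.
PLAINTEXT = (b"MZ" + b"\x90" * 0x3C + b"\x80\x00\x00\x00"
             + b"\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21"
             + b"This program cannot be run in DOS mode.\r\n$" + b"\0" * 16
             + b"PE\0\0" + b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0VirtualAlloc\0"
             + bytes(range(256)))
FAKE_JPG = xor_single(PLAINTEXT, 0x6D)
REAL_JPG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 32   # constructed header only

if __name__ == "__main__":
    print("fake image:", inspect_download(FAKE_JPG))
    print("real image:", inspect_download(REAL_JPG))
```

If the best score stays low, the blob is either a genuine non-image format or uses something stronger than a single-byte XOR (a multi-byte key or RC4 are common next guesses), and the sample should go to a sandbox rather than a loop like this.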

What You Should Do

  • Verify Digital Signatures: Check the digital signature of every installer before running it, especially software obtained outside official vendor channels. A patched binary fails Authenticode verification even when its name and icon look right.
  • Source Confirmation: Do not install software received through messaging platforms; download it directly from the vendor’s website and compare it with what you were sent.
  • Enhanced Endpoint Detection: Configure endpoint detection and response (EDR) tooling to flag abnormal child processes of installers, particularly legitimate system utilities such as `dism.exe`, and remote-thread creation into them.
  • Monitor Cloud Service Connections: Watch for unexpected outbound connections to cloud storage such as Zoho WorkDrive, particularly from processes that have no business reaching the Internet.
  • Security Awareness Training: Run regular security awareness training with a specific focus on social engineering that arrives through social networks and messaging apps rather than e-mail.
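To make the EDR and cloud-monitoring items above concrete, here is an added Python example (not code from the article or from Genians) that runs three Sysmon-style detection rules over constructed telemetry: a LOLBin such as `dism.exe` started by a parent outside the Windows directories, a CreateRemoteThread (Sysmon event 8) from an untrusted image into that LOLBin, and a network connection (event 3) from the LOLBin, escalated when the destination is a cloud-storage domain. It then correlates the three signals on one ProcessGuid, which is the sequence the article describes. Field names follow Sysmon’s event schema; the GUIDs, paths, LOLBin set and cloud-domain list are assumptions.

```python
import ntpath

# Signed Windows binaries that attackers hollow out or inject into because they look legitimate.
LOLBINS = {"dism.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "werfault.exe"}
TRUSTED_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed watch-list of consumer cloud storage used for exfiltration; extend to taste.
CLOUD_STORAGE = ("zoho.com", "dropbox.com", "drive.google.com", "onedrive.live.com", "mega.nz")


def _name(path):
    return ntpath.basename(path).lower()


def _trusted(path):
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def rule_lolbin_child(ev):
    """Sysmon 1: a LOLBin started by something outside the Windows directories (e.g. an installer)."""
    if ev["EventID"] == 1 and _name(ev["Image"]) in LOLBINS and not _trusted(ev["ParentImage"]):
        return {"rule": "lolbin_spawned_by_untrusted_parent", "guid": ev["ProcessGuid"],
                "severity": "medium"}


def rule_remote_thread(ev):
    """Sysmon 8: CreateRemoteThread from an untrusted image into a LOLBin (the injection step)."""
    if ev["EventID"] == 8 and _name(ev["TargetImage"]) in LOLBINS and not _trusted(ev["SourceImage"]):
        return {"rule": "remote_thread_into_lolbin", "guid": ev["TargetProcessGuid"],
                "severity": "high"}


def rule_lolbin_network(ev):
    """Sysmon 3: a LOLBin talking to the network, escalated when the destination is cloud storage."""
    if ev["EventID"] == 3 and _name(ev["Image"]) in LOLBINS:
        host = ev.get("DestinationHostname", "").lower()
        cloud = any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)
        return {"rule": "lolbin_network_connection", "guid": ev["ProcessGuid"],
                "severity": "high" if cloud else "medium", "destination": host}


RULES = (rule_lolbin_child, rule_remote_thread, rule_lolbin_network)
CHAIN = {"lolbin_spawned_by_untrusted_parent", "remote_thread_into_lolbin", "lolbin_network_connection"}


def run_rules(events):
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def injection_chains(events):
    """Correlate spawn + remote thread + network on one ProcessGuid; that triple is the attack chain."""
    hits = run_rules(events)
    by_guid = {}
    for h in hits:
        by_guid.setdefault(h["guid"], set()).add(h["rule"])
    parents = {ev["ProcessGuid"]: ev.get("ParentProcessGuid") for ev in events if ev["EventID"] == 1}
    chains = []
    for guid, rules in by_guid.items():
        if rules >= CHAIN:
            dest = next(h["destination"] for h in hits if h["guid"] == guid and "destination" in h)
            chains.append({"injector": parents.get(guid), "host": guid, "destination": dest})
    return chains


# Constructed Sysmon-style records, not real telemetry.  GUIDs are shortened placeholders.
INSTALLER = r"C:\Users\victim\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe"
DISM = r"C:\Windows\System32\dism.exe"
EVENTS = [
    {"EventID": 1, "Image": INSTALLER, "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}"},
    {"EventID": 1, "Image": DISM, "ParentImage": INSTALLER, "CommandLine": "dism.exe",
     "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}"},
    {"EventID": 8, "SourceImage": INSTALLER, "TargetImage": DISM,
     "SourceProcessGuid": "{A1}", "TargetProcessGuid": "{B2}"},
    {"EventID": 3, "Image": DISM, "ProcessGuid": "{B2}",
     "DestinationHostname": "workdrive.zoho.com", "DestinationPort": 443},
    # Benign baseline: an admin running DISM from a command prompt produces no alert.
    {"EventID": 1, "Image": DISM, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "dism /online /get-features", "ProcessGuid": "{C3}", "ParentProcessGuid": "{C0}"},
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
    print("chains:", injection_chains(EVENTS))
```

Event 8 only appears if your Sysmon configuration records CreateRemoteThread, so confirm that before relying on the middle rule; the first and third rules alone still catch the installer-to-`dism.exe` spawn and the cloud upload.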

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David Kimber
David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
