APT37 Exploits Facebook, Telegram, and Malicious Installer in New Attacks
Key Takeaways
- North Korean state-sponsored threat group APT37 is employing a sophisticated social engineering campaign.
- The attacks leverage Facebook, Telegram, and a malicious Wondershare PDFelement installer to compromise targets.
- APT37 uses advanced fileless malware techniques, injecting shellcode into legitimate Windows processes and exfiltrating data via Zoho WorkDrive.
- The campaign is characterized by its convincing mimicry of everyday digital interactions, making detection challenging.
APT37 Deploys Social Engineering and Fileless Malware in New Targeted Attacks
North Korea’s state-sponsored advanced persistent threat group, APT37, has launched a new, highly targeted intrusion campaign. The operation combines social media engagement, encrypted messaging platforms, and a tampered software installer to infiltrate victim systems. Each stage of the attack is designed to look like a routine interaction, which is what makes it hard to spot, as detailed in a recent report by Genians Security Center.
Social Media as the Initial Vector
The offensive began on popular social networking sites. The threat actors established two distinct Facebook profiles, “richardmichael0828” and “johnsonsophia0414,” both created on November 10, 2025. These profiles misleadingly listed their locations as Pyongyang and Pyongsong, North Korea.
After initiating contact and building rapport with carefully selected individuals through friend requests, the attackers transitioned to one-on-one conversations via Facebook Messenger. During these exchanges, they steered discussions toward sensitive topics, specifically military weapons technology.
Once a target’s genuine interest was piqued, communication was migrated to Telegram, where the actual malicious content was delivered. Analysts at Genians Security Center identified this campaign as a pretexting-based attack. This social engineering technique involves crafting a plausible, false narrative to manipulate victims into performing specific actions.
Malicious Installer and Covert Delivery
The attackers purported to share encrypted PDF documents containing classified military weapon data, informing targets that a specialized viewer was required to access these files. This “viewer” was, in fact, a compromised Wondershare PDFelement installer. The malicious executable was delivered within an encrypted ZIP archive, named “m.zip,” which also contained decoy military-themed PDFs and a fabricated user guide to enhance its credibility.
The tampered installer bore a striking resemblance to the authentic Wondershare PDFelement software. However, a critical distinguishing factor was the absence of a valid digital signature, a clear indication of its modification. While the legitimate file is typically named “Wondershare_PDFelement_Installer.exe,” the malicious variant was cleverly renamed “Wondershare_PDFelement_Installer(PDF_Security).exe” to masquerade as an enhanced security version.
Upon execution, the installation process appeared to proceed normally. Covertly, however, embedded shellcode immediately launched in the background, establishing a connection to attacker-controlled infrastructure. This command-and-control (C2) communication was routed through the Seoul branch website of a Japanese real estate company, a tactic designed to blend into typical network traffic and evade detection.
The malware subsequently retrieved a second-stage payload, cleverly disguised as a JPG image, from the domain “japanroom[.]com.” Stolen data, encompassing screenshots, documents in formats such as DOC, XLS, PDF, and HWP, as well as audio recordings, was then exfiltrated to Zoho WorkDrive cloud storage using hardcoded OAuth2 tokens. This method made the outbound traffic virtually indistinguishable from legitimate cloud activity.
Shellcode Execution and Process Injection
The most technically advanced aspect of this attack lies in the shellcode embedded within the modified installer. This was achieved through PE patching, also known as code cave injection. The legitimate installer’s original entry point at memory address 0x00114103 was overwritten with a new entry point at 0x0015A0E0. This new address resided within an unused region near the end of the .text code section, where approximately 2 KB of malicious shellcode had been stealthily inserted.
When the installer was executed, control flow immediately transferred to this injected shellcode. The shellcode then created a suspended instance of `dism.exe`, a legitimate Windows utility, using the `CREATE_SUSPENDED` flag. The attacker’s subsequent payload was decrypted using a single-byte XOR operation with the key `0x6D` and then written directly into `dism.exe`’s memory via `WriteProcessMemory`.
A remote thread was subsequently initiated to execute the injected code. Crucially, no malicious file was ever written to disk during this stage, characterizing it as a fileless attack that poses a significant challenge for conventional antivirus solutions. Following the completion of all malicious operations, execution seamlessly returned to the normal PDFelement installation process, leaving the victim with no apparent indication of compromise.
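The entry-point redirection described above leaves a static trace that a triage script can check without running the installer: the patched entry point sits at the very end of `.text`, or even past its virtual size in file-alignment padding. The following added example (not code from the report or from Genians) builds two constructed PE32 headers mirroring the addresses quoted in the article and flags a code-cave-style entry point; the 98% tail threshold is an assumption to tune per environment.

```python
import struct

# Build a minimal synthetic PE32 image (constructed for this example, not a real installer):
# DOS stub -> "PE\0\0" -> COFF header (20 B) -> optional header (0xE0 B) -> one .text section.
def build_pe(entry_rva, text_vsize, text_rawsize, text_va=0x1000):
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, text_va,
                      text_rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec

def entry_point_check(pe, tail_fraction=0.98):
    """Find the section holding AddressOfEntryPoint and flag a code-cave-style location."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                     # section headers are 40 bytes each
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", pe, hdr + 8)
        if va <= entry < va + max(vsize, rawsize):
            offset = entry - va
            beyond_vsize = offset >= vsize                # lives in alignment padding, never legit
            in_tail = offset >= int(vsize * tail_fraction)  # squeezed into the last 2% of .text
            return {"section": name, "entry": entry, "offset": offset,
                    "suspicious": beyond_vsize or in_tail}
    # An entry point outside every section is itself a red flag.
    return {"section": None, "entry": entry, "offset": None, "suspicious": True}

if __name__ == "__main__":
    # Constructed .text layout: RVA 0x1000, size 0x15A000, so the section ends at 0x15B000.
    for ep in (0x00114103, 0x0015A0E0):
        print(hex(ep), entry_point_check(build_pe(ep, 0x15A000, 0x15A000)))
```

On a real sample the same check is run on the file bytes read from disk; an entry point flagged here is a reason to diff the section against the vendor's signed installer.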
What You Should Do
- Verify Digital Signatures: Always inspect the digital signatures of all software installers before execution, especially for programs obtained outside official vendor channels.
- Source Confirmation: Avoid installing software received via messaging platforms without independently verifying its authenticity and downloading it directly from the official vendor’s website.
- Enhanced Endpoint Detection: Implement and configure endpoint detection and response (EDR) solutions to monitor and flag abnormal child processes spawned by installers, particularly those involving legitimate system utilities like `dism.exe`.
- Monitor Cloud Service Connections: Keep a vigilant eye on unexpected or unusual outbound connections to cloud services, such as Zoho WorkDrive, particularly from new or unfamiliar applications.
- Security Awareness Training: Conduct regular and comprehensive security awareness training for all personnel, with a specific focus on identifying and responding to social engineering attacks that originate through social networks rather than traditional email vectors.
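The "abnormal child process" recommendation can be expressed as a small rule over process-creation telemetry. This added example (not from the report) runs that rule over constructed Sysmon-style EventID 1 records: an installer-named parent spawning `dism.exe` is reported, and a bare command line is treated as an extra signal on the assumption that a hollowed host process is usually launched without arguments.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon EventID 1 (process creation) records. Field names follow Sysmon's
# ParentImage/Image/CommandLine; paths and values are invented for this example.
EVENTS = [
    {"ParentImage": r"C:\Users\u\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe",
     "Image": r"C:\Windows\System32\dism.exe", "CommandLine": "dism.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\u\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe",
     "CommandLine": "Wondershare_PDFelement_Installer(PDF_Security).exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\dism.exe",
     "CommandLine": "dism.exe /Online /Get-Features"},
]

INSTALLER_HINTS = ("install", "setup")   # assumption: naming heuristic, tune per environment
HOLLOWING_TARGETS = {"dism.exe"}          # from the report; extend with other LOLBins as needed

def suspicious_children(events):
    """Return alerts for installer-like parents spawning a known hollowing target."""
    alerts = []
    for ev in events:
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        child = PureWindowsPath(ev["Image"]).name.lower()
        if child not in HOLLOWING_TARGETS:
            continue
        if not any(hint in parent for hint in INSTALLER_HINTS):
            continue
        reasons = ["installer-like parent spawned %s" % child]
        # Assumption: a suspended host created for injection carries no arguments.
        if len(ev.get("CommandLine", "").split()) <= 1:
            reasons.append("child launched with a bare command line")
        alerts.append({"parent": parent, "child": child, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_children(EVENTS):
        print(alert)
```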
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.