Wondershare Technology A.I CyberSecurity Scoring
Wondershare Technology
Company Information
Website: https://www.wondershare.com/
Employees: 643
Followers: 21,591
NAICS: 5112
Industry Type: Software Development
Homepage: wondershare.com
Wondershare Technology Risk Score (AI oriented)
Score band: between 700 and 749
Updated: 13/04/2026
Current score: 740/1000, grade Ba (Moderate)
Incidents: 1 (average per-incident impact: -18 points)

Wondershare Technology Global Score (TPRM)
Score locked
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 741
MAY 2026: 741
APRIL 2026: 740
MARCH 2026: 740
FEBRUARY 2026: 740
JANUARY 2026: 739
DECEMBER 2025: 756
Cyber Attack, 01 Dec 2025, Wondershare Technology
Wondershare and Zoho: APT37 Uses Facebook, Telegram, and Trojanized Installer in New Targeted Cyberattack
Severity: CRITICAL, score impact -18 (score after incident: 738). Incident ID: ZOHWON1776076134.
APT37 Leverages Facebook, Telegram, and Tampered PDFelement Installer in Targeted Cyber Espionage Campaign
North Korea-linked threat group APT37 has launched a sophisticated cyber espionage campaign, abusing Facebook, Telegram, and a trojanized Wondershare PDFelement installer to infiltrate defense-related targets and exfiltrate sensitive data. The operation demonstrates the group’s evolving social engineering tactics and evasion techniques, bypassing traditional signature-based defenses.
### Attack Flow and Tactics
The campaign begins with Facebook friend requests from two accounts posing as individuals located in Pyongyang and in Pyeongtaek, used to identify and vet targets. After establishing trust in one-on-one Messenger chats, the attackers move the conversation to Telegram, claiming to share encrypted military documents that require a "dedicated PDF viewer."
Victims receive a password-protected ZIP file (e.g., m.zip) containing:
- A fake PDF viewer executable (a modified Wondershare PDFelement installer)
- Military-themed decoy PDFs
- A Korean-language instructions file with North Korean spelling variations (e.g., "콤퓨터," "프로그람")
The tampered installer, named Wondershare_PDFelement_Installer(PDF_Security).exe, mimics the legitimate version but lacks a valid Wondershare digital signature, which serves as a key indicator of compromise (IoC). The installer still appears to work, but its entry point has been hijacked: shellcode injected into a code cave runs the malicious routines first and only then resumes the normal installation flow.
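The two indicators in that paragraph, a missing Authenticode certificate table and an entry point redirected into a code cave, can be checked offline before a sample is ever run. The following is an added example written for this page, not Wondershare's or any vendor's code: it walks the PE headers with the standard library, builds a constructed PE32 with 0x200 bytes of section slack to stand in for a clean and a tampered installer, and reports both findings. The sample layout and the slack-space heuristic are illustrative assumptions, not the actual installer's layout.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry point, certificate table size, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # data directories start at +96 (PE32) or +112 (PE32+) in the optional header;
    # for the security directory the first field is a file offset, not an RVA
    dirs = opt + (96 if magic == 0x10B else 112)
    _cert_off, cert_size = struct.unpack_from("<II", data, dirs + SECURITY_DIR_INDEX * 8)
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, vsize=vsize, va=va, raw_size=raw_size, chars=chars))
    return dict(entry=entry, cert_size=cert_size, sections=sections)


def triage_installer(data: bytes) -> list:
    """Report the IoC-style findings named in the write-up: no certificate table, and an
    entry point that was redirected into section slack (a code cave)."""
    pe = parse_pe(data)
    findings = []
    if pe["cert_size"] == 0:
        findings.append("no Authenticode certificate table (unsigned)")
    entry = pe["entry"]
    home = next((s for s in pe["sections"]
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if home is None:
        findings.append("entry point outside every section")
    else:
        if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in non-executable section {home['name']}")
        if entry - home["va"] >= home["vsize"]:
            findings.append(f"entry point in slack space of {home['name']} (code cave)")
    return findings


def build_sample_pe(entry_rva: int, with_cert: bool) -> bytes:
    """Constructed PE32 with one .text section whose SizeOfRawData (0x400) exceeds its
    VirtualSize (0x200), leaving 0x200 bytes of slack; a stand-in, not a real installer."""
    text_va, text_vsize, text_raw, text_ptr = 0x1000, 0x200, 0x400, 0x400
    cert = b"\xAA" * 0x10 if with_cert else b""         # placeholder certificate blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, text_raw, 0, 0, entry_rva, text_va, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                      0, 0x2000, 0x400, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if with_cert:
        dirs[SECURITY_DIR_INDEX] = (text_ptr + text_raw, len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, text_va, text_raw, text_ptr,
                       0, 0, 0, 0, 0x60000020)            # code, executable, readable
    headers = dos + coff + opt + sect
    headers += b"\0" * (text_ptr - len(headers))
    code = b"\xC3" + b"\x90" * (text_vsize - 1) + b"\0" * (text_raw - text_vsize)
    return headers + code + cert


if __name__ == "__main__":
    print("clean   :", triage_installer(build_sample_pe(0x1000, with_cert=True)))
    print("tampered:", triage_installer(build_sample_pe(0x1300, with_cert=False)))
```

A present certificate table only says a signature blob is attached; a tampered build could keep the table while the embedded hash no longer matches the file. Confirm with a real verification (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell), compare the signer with Wondershare's known certificate, and treat an entry point in slack space or a non-code section as strong evidence of patching rather than proof.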
### Malicious Execution Chain
1. Shellcode Execution: The injected code resolves Windows API addresses by walking the PEB loader lists and matching hashed export names (so there are no import entries to scan), launches dism.exe in a suspended state, and injects a decrypted payload into that process with VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
2. C2 Communication: The shellcode retrieves a second-stage payload from a Japanese real estate website, served under a .jpg extension. The response is XOR-encrypted and is decrypted in two passes: the first pass is validated by checking that its output begins with a standard x86 function prologue (55 8B, push ebp; mov ebp, esp); the second pass reconstructs, in memory, a PE image whose MZ and PE signatures were stripped, so the payload never touches disk as a recognisable executable.
3. RokRAT Backdoor Deployment: The final payload, resembling APT37’s RokRAT malware, conducts system reconnaissance, captures screenshots, and exfiltrates files (DOC, XLS, PDF, HWP, M4A, AMR). It abuses Zoho WorkDrive’s OAuth2 APIs for command-and-control (C2), blending with legitimate traffic using hardcoded client IDs, secrets, and refresh tokens.
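The two validation steps in item 2, an x86 prologue check on the first pass and a headerless PE on the second, are the same checks an analyst can reuse to recover the stages from a captured response body. The block below is an added example for this page, not code from the report or from the malware: it brute-forces a single-byte XOR key against each validator, then writes the MZ and PE signatures back so an ordinary PE parser can read the result. The single-byte key, the stage layout and the assumption that only the two signatures were zeroed are illustrative choices; the real loader's key schedule is not given on this page.

```python
import struct


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def is_x86_prologue(buf: bytes) -> bool:
    # 55 8B = push ebp; mov ebp, ... : the standard 32-bit function prologue named in the write-up
    return buf[:2] == b"\x55\x8b"


def is_headerless_pe(buf: bytes) -> bool:
    """Structural check for a PE whose 'MZ' and 'PE\\0\\0' signatures were zeroed but whose
    e_lfanew (offset 0x3C) and optional-header magic survive (assumption about what 'stripped' means)."""
    if len(buf) < 0x40 + 26 or buf[:2] != b"\0\0":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(buf) - 26 or buf[e_lfanew:e_lfanew + 4] != b"\0\0\0\0":
        return False
    magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]   # PE32 = 0x10B, PE32+ = 0x20B
    return magic in (0x10B, 0x20B)


def brute_force_xor(blob: bytes, validator) -> tuple:
    """Try every single-byte key (assumption: the page gives no key length) and keep the first
    plaintext the validator accepts; returns (None, None) if nothing validates."""
    for key in range(1, 256):
        plain = xor_bytes(blob, key)
        if validator(plain):
            return key, plain
    return None, None


def restore_pe_signatures(image: bytes) -> bytes:
    """Put the two stripped signatures back so the image can be handed to a normal PE parser."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    fixed = bytearray(image)
    fixed[0:2] = b"MZ"
    fixed[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(fixed)


def recover_stages(stage1_blob: bytes, stage2_blob: bytes):
    """Pass 1: code stage validated by prologue. Pass 2: headerless PE validated structurally,
    then repaired. Returns None if either pass fails to validate under any key."""
    key1, code = brute_force_xor(stage1_blob, is_x86_prologue)
    key2, headerless = brute_force_xor(stage2_blob, is_headerless_pe)
    if key1 is None or key2 is None:
        return None
    return {"key1": key1, "code": code, "key2": key2, "image": restore_pe_signatures(headerless)}


# Constructed samples standing in for the two decrypted stages (not real APT37 payloads).
STAGE_CODE = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10      # push ebp; mov ebp,esp; sub esp,0x10; nops
STAGE_PE = (b"\0" * 0x3C + struct.pack("<I", 0x40)          # DOS header, MZ zeroed, e_lfanew = 0x40
            + b"\0\0\0\0"                                    # PE\0\0 zeroed
            + struct.pack("<HH", 0x14C, 1) + b"\0" * 12 + struct.pack("<HH", 224, 0x102)  # COFF header
            + struct.pack("<H", 0x10B) + b"\0" * 30)         # PE32 magic; remainder omitted


if __name__ == "__main__":
    captured1 = xor_bytes(STAGE_CODE, 0x5A)   # constructed "response bodies" as they would sit on the wire
    captured2 = xor_bytes(STAGE_PE, 0xC3)
    print(recover_stages(captured1, captured2))
```

The validators are what make brute force safe: a wrong key never yields `55 8B` at offset 0 for the code stage, and the headerless check pins three independent fields (zeroed MZ, zeroed PE, plausible optional-header magic), so a single-byte search cannot produce a false hit on random data. For a multi-byte key the same structure carries over, with the known-plaintext bytes at offsets 0, 0x3C and e_lfanew providing the recovery points.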
### Attribution and Evasion Techniques
The campaign aligns with APT37’s known tradecraft, including:
- North Korean-language decoys and spelling patterns
- Abuse of Zoho WorkDrive for C2 (previously observed in 2025)
- Fileless execution and multi-stage XOR encryption
- Process injection into signed binaries (dism.exe) to evade detection
The group's tactics (tampered installers, cloud-based C2, and image-disguised payloads) highlight the limitations of signature-based defenses and emphasize the need for behavior-based EDR that monitors parent-child process chains, unsigned binaries, and anomalous dism.exe activity.
The operation underscores APT37’s continued focus on defense and military targets, leveraging social engineering, legitimate platforms, and stealthy malware delivery to maintain persistence and exfiltrate sensitive data.
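The behaviour-based monitoring recommended above (parent-child chains, unsigned binaries, anomalous dism.exe activity) can be expressed as three rules over process-creation and remote-thread telemetry. The following is an added example for this page, not a detection from any vendor: it runs those rules over constructed events in a simplified JSON schema loosely modelled on Sysmon event IDs 1 and 8, with a `parent_signed` field assumed to be added by the EDR, and tags each hit with the ATT&CK technique it maps to. Paths, timestamps and the benign baseline events are constructed.

```python
import json

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Rules for the three signals the write-up names: parent-child chain, unsigned parent,
    and remote-thread injection into dism.exe. ATT&CK IDs: T1055 Process Injection,
    T1204.002 User Execution: Malicious File."""
    alerts = []
    if event["type"] == "process_create":
        image, parent = event["image"], event["parent_image"]
        if basename(image) == "dism.exe" and not is_system_path(parent):
            alerts.append(("dism.exe spawned by a non-system parent", "T1055"))
        if is_system_path(image) and is_user_writable(parent) and not event.get("parent_signed", True):
            alerts.append(("unsigned binary in user-writable path spawned an OS binary", "T1204.002"))
    elif event["type"] == "remote_thread":
        if basename(event["target_image"]) == "dism.exe" and not is_system_path(event["source_image"]):
            alerts.append(("remote thread created in dism.exe by a non-system process", "T1055"))
    return alerts


def scan(lines) -> list:
    """Evaluate one JSON event per line; blank lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, technique in evaluate(event):
            findings.append({"time": event["time"], "rule": rule, "attack": technique,
                             "image": event.get("image") or event.get("target_image")})
    return findings


# Constructed telemetry (assumed schema): 'parent_signed' is assumed to be enriched by the EDR,
# since Sysmon's own process-create event carries no signer field.
SAMPLE_EVENTS = r"""
{"time": "2025-12-01T09:12:03Z", "type": "process_create", "image": "C:\\Windows\\System32\\dism.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "parent_signed": true}
{"time": "2025-12-01T09:40:11Z", "type": "process_create", "image": "C:\\Windows\\System32\\dism.exe", "parent_image": "C:\\Users\\victim\\Downloads\\m\\Wondershare_PDFelement_Installer(PDF_Security).exe", "parent_signed": false}
{"time": "2025-12-01T09:40:12Z", "type": "remote_thread", "source_image": "C:\\Users\\victim\\Downloads\\m\\Wondershare_PDFelement_Installer(PDF_Security).exe", "target_image": "C:\\Windows\\System32\\dism.exe"}
{"time": "2025-12-01T09:41:00Z", "type": "remote_thread", "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\dism.exe"}
"""


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

An administrative dism.exe launch from cmd.exe stays quiet and a remote thread from csrss.exe is tolerated, so the allowlist is the whole false-positive story: extend SYSTEM_DIRS with whatever legitimately drives DISM in your environment before deploying, and pair the path check with an actual signature check on the parent, since a signed-looking path is not a signed binary.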
NOVEMBER 2025: 756
OCTOBER 2025: 756
SEPTEMBER 2025: 756
AUGUST 2025: 756
JULY 2025: 756
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Wondershare Technology?
What was Wondershare Technology's A.I Rankiteo Cyber Score in May 2026?
What was Wondershare Technology's A.I Rankiteo Cyber Score in April 2026?
What was Wondershare Technology's A.I Rankiteo Cyber Score in March 2026?
What was Wondershare Technology's A.I Rankiteo Cyber Score in February 2026?
What was Wondershare Technology's A.I Rankiteo Cyber Score in January 2026?
What was Wondershare Technology's A.I Rankiteo Cyber Score in December 2025?
What was Wondershare Technology's A.I Rankiteo Cyber Score in November 2025?
What was Wondershare Technology's A.I Rankiteo Cyber Score in October 2025?
What was Wondershare Technology's A.I Rankiteo Cyber Score in September 2025?
What was Wondershare Technology's A.I Rankiteo Cyber Score in August 2025?
What was Wondershare Technology's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Wondershare Technology's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Wondershare Technology?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Wondershare Technology's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?