North Korea's APT37 — also tracked as ScarCruft — has retooled its social engineering playbook for Facebook. Threat researchers this month attributed a multi-stage campaign to the group in which operators approach targets by sending a friend request, build rapport over days or weeks, and eventually deliver a payload that installs RokRAT, a long-running remote access trojan in the APT37 arsenal.
It is a deeply unglamorous technique. It is also working.
The campaign structure
The operation is notable less for its malware than for its patience. Reported stages:
- Persona construction. Operators maintain Facebook profiles that look like journalists, researchers, or fellow professionals in the target's field — North Korean affairs, think tanks, policy shops, defense suppliers.
- Friend request. Sent cold. If accepted, the operator engages in normal-looking conversation on topics of mutual interest.
- Trust milestone. After a stretch of benign interaction, the operator proposes a collaboration — a draft report, an interview request, a shared document.
- Payload delivery. The "document" is delivered as a LNK or macro-laden file, often via an archive hosted on a cloud service the target already trusts.
- RokRAT deployment. On execution, a multi-stage loader retrieves RokRAT, which establishes C2 and quietly begins exfiltration.
Why it works: Every security training tells users to distrust unexpected emails from strangers. Almost none tells them to distrust a Facebook friend they have been chatting with for three weeks.
Who APT37 targets
Historically, ScarCruft has focused on South Korean government, defense, media, and NGOs working on North Korea. In 2025–2026 the target set has widened to include:
- Policy researchers and analysts in the US and Europe.
- Journalists covering North Korea, sanctions, and crypto-laundering.
- Defectors and human-rights activists.
- Supply-chain and financial targets adjacent to North Korean sanctions evasion.
If your organization employs regional experts, lobbyists, or reporters who could plausibly receive a "can we chat about your recent article" message from a stranger, you are inside the target population.
RokRAT in brief
RokRAT is not a new tool. It has been associated with APT37 since 2017 and has been continuously updated. Recent variants:
- Use cloud services (Dropbox, pCloud, Yandex) as C2, blending into normal business traffic.
- Include file exfiltration, screenshot capture, keylogging, and remote shell.
- Often arrive as shellcode loaded by a benign-looking host process to evade EDR heuristics.
Endpoint detection alone is meaningful but insufficient — the high-signal moment to catch RokRAT is the initial delivery, and that signal is social-first, not technical-first.
Defensive response
For the security team
- Hunt for RokRAT IOCs published by CISA, NCSC, and vendor intel — domains, file hashes, and C2 behavior.
- Block execution of LNK files arriving via browser downloads on high-risk user groups.
- Monitor outbound traffic to consumer cloud-storage APIs from workstations that should not be using them.
- If you employ people who fit the target profile, brief them individually. Group training will not land.
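As an added illustration of the LNK and cloud-storage bullets above (not code from the original article or from any vendor), here is a small Python hunt over constructed proxy-log lines that flags consumer cloud-storage API traffic from workstations outside an allowlist, and .lnk files fetched by a browser. The log layout, host names and domain list are assumptions to adapt to your own telemetry.

```python
import re
from urllib.parse import urlparse

# Consumer cloud-storage services the article lists as RokRAT C2. Matching on the
# registrable domain also catches API hosts such as api.dropboxapi.com. Assumed list: tune it.
CLOUD_STORAGE_DOMAINS = {"dropbox.com", "dropboxapi.com", "pcloud.com",
                         "yandex.com", "yandex.net", "yandex.ru"}
# Workstations with a documented business need for these services (assumed names).
ALLOWED_HOSTS = {"ws-marketing-01"}
# Assumed proxy log layout: timestamp, hostname, client family, method, URL.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
2026-03-02T09:14:03Z ws-analyst-07 browser GET https://www.dropbox.com/s/abc123/Draft_Report.zip?dl=1
2026-03-02T09:14:41Z ws-analyst-07 unknown POST https://api.dropboxapi.com/2/files/upload
2026-03-02T09:15:10Z ws-marketing-01 browser GET https://content.dropboxapi.com/2/files/download
2026-03-02T10:02:55Z ws-analyst-07 browser GET https://example.org/news/article.html
2026-03-02T10:05:12Z ws-legal-03 browser GET https://files.example-cdn.net/invite/Interview_Questions.lnk
"""

def registrable_domain(hostname):
    # Last two labels; adequate for this list, not for ccTLDs such as co.uk.
    return ".".join(hostname.lower().split(".")[-2:])

def classify(line):
    """Return (host, reason, url) for a suspicious line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, client, url = m["host"], m["client"], m["url"]
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    # Rule 1: cloud-storage API traffic from a host with no business reason for it.
    if domain in CLOUD_STORAGE_DOMAINS and host not in ALLOWED_HOSTS:
        return (host, "cloud-storage-from-unexpected-host", url)
    # Rule 2: a browser fetching a .lnk, the delivery vehicle the article describes.
    if client == "browser" and parsed.path.lower().endswith(".lnk"):
        return (host, "lnk-via-browser-download", url)
    return None

def hunt(log_text):
    """Run every line through classify() and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for host, reason, url in hunt(SAMPLE_LOG):
        print(f"{host:16} {reason:36} {url}")
```

The allowlisted host's Dropbox download and the ordinary news page produce no finding; the two analyst-workstation cloud-storage hits and the browser-fetched .lnk do.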
For the individual target
- Treat every unsolicited friend request as untrusted for the lifetime of the relationship.
- Never open a file sent by a Facebook contact on a work device. The cost of asking them to email it to an address you trust is zero.
- Verify the person exists by a second channel — a colleague who knows them, their employer's actual website.
The uncomfortable truth: APT37's Facebook tradecraft succeeds because it exploits ordinary human sociability, not a software vulnerability. No patch fixes it. The defense is a target-population awareness program, not a control.
Why this matters beyond APT37
Social-graph targeting is no longer a nation-state curiosity. Ransomware affiliates, fraud crews, and extortion groups have all started running similar plays on LinkedIn, Discord, and Telegram, often enriched with AI-generated personas. If your threat model still treats "unsolicited email" as the only social engineering vector, it is already outdated.
Test Your Defenses Against Real Tradecraft
Lorikeet's penetration testing includes targeted social engineering assessments that mirror real nation-state and criminal tradecraft — so you find the gap before APT37 does.