Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks
Essential information
- Published
- 14/04/2026 10:55
- Modified
- 14/04/2026 09:52
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- apt37 facebook reconnaissance installer tampering north korea pretexting process hollowing rokrat shellcode injection social engineering zoho workdrive c2
- Tags
- 2026-04-14 apt37 facebook reconnaissance installer tampering north korea pretexting process-hollowing rokrat shellcode injection social engineering zoho workdrive c2
- Related entities
- 11 indicators, 11 observables, 1 intrusion sets (apt), 21 techniques (mitre), 1 malware, 1 others
Description
APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.