A sophisticated cyberattack campaign orchestrated by APT37, a North Korea-linked state-sponsored threat group, has been uncovered, leveraging social media platforms, encrypted messaging applications, and a cleverly tampered software installer to breach targeted systems. This new intrusion strategy highlights the increasing use of familiar digital tools by advanced persistent threats (APTs) to circumvent traditional security measures and achieve their objectives.
The campaign, detailed by cybersecurity researchers, began on social networks, where the attackers created seemingly innocuous Facebook profiles. These profiles were used to engage with carefully selected individuals, building rapport before transitioning to the delivery of malicious payloads. The attackers’ ability to mimic everyday communication patterns makes this campaign particularly concerning for security professionals.
APT37 Abuses Facebook, Telegram, and Tampered Installer in Targeted Intrusion
The APT37 campaign began with the creation of two Facebook accounts, “richardmichael0828” and “johnsonsophia0414,” registered in November 2025 with profile locations indicating North Korea. Researchers from Genians Security Center identified this as a pretexting-based attack, a social engineering tactic where attackers craft a believable scenario to manipulate victims into taking a specific action. After extending friend requests and engaging in one-on-one Messenger conversations, the threat actor steered discussions towards sensitive military weapons technology. Once a sufficient level of interest was established, communication was moved to Telegram, where the actual malicious content was delivered.
During these Telegram conversations, the attacker purported to share encrypted PDF documents containing classified military weapon data. To open these files, victims were instructed that a special viewer was required. This purported viewer was, in fact, a malicious installer for Wondershare PDFelement, a legitimate PDF editing software. The tampered installer was delivered within an encrypted ZIP archive named “m.zip,” which also contained seemingly legitimate decoy PDFs and a fake user guide to enhance its credibility.
The tampered installer, while closely resembling the official Wondershare PDFelement software, lacked a valid digital signature, a critical indicator of its modified nature. The malicious file was also cleverly disguised with a filename, “Wondershare_PDFelement_Installer(PDF_Security).exe,” suggesting a security-enhanced version of the software, intended to bypass victim suspicion. Upon execution, the installer appeared to proceed with a normal installation process. However, in the background, embedded shellcode was immediately activated.
This shellcode established a connection to attacker-controlled infrastructure. To blend in with legitimate network traffic and evade detection, command-and-control (C2) communications were routed through the Seoul branch website of a Japanese real estate company. The malware then retrieved a second-stage payload, disguised as a JPG image file, from the domain “japanroom[.]com.” This tactic of disguising malicious payloads within seemingly innocuous file types is a common technique used by APT groups to evade security software.
Shellcode Execution and Process Injection Tactics
A particularly sophisticated aspect of this attack involved the execution of shellcode through process injection, a fileless technique designed to leave minimal traces on the victim’s system. The shellcode was embedded into the tampered installer via PE patching, also known as code cave injection. The legitimate installer’s original entry point was altered to redirect execution flow to approximately 2 KB of malicious shellcode discreetly inserted into an unused area of the program’s code section. Because the second-stage payload runs only in memory, this method avoids writing it to disk as a separate file, making it harder for traditional antivirus solutions to detect.
Upon execution, the shellcode created a suspended instance of “dism.exe,” a legitimate Windows utility, using the CREATE_SUSPENDED flag. The attacker’s payload was then decrypted using a single-byte XOR operation with the key 0x6D and written into the memory space of the suspended “dism.exe” process using the WriteProcessMemory function. A remote thread was then initiated, executing the injected code. Once all malicious actions were completed, the execution flow seamlessly returned to the legitimate PDFelement installation process, leaving the target unaware of the underlying compromise.
Stolen data, including sensitive screenshots, documents in various formats (DOC, XLS, PDF, HWP), and audio recordings, was exfiltrated to Zoho WorkDrive cloud storage. The use of hardcoded OAuth2 tokens for this data exfiltration ensured that the outbound traffic appeared indistinguishable from legitimate cloud storage activity. This method of data exfiltration further complicates detection by security monitoring systems.
Organizations handling defense or government-related materials should implement stringent verification processes for all software installers, ensuring they possess valid digital signatures. Additionally, exercising caution with software received through messaging platforms and confirming official sources before installation is crucial. Deploying endpoint detection and response (EDR) solutions capable of flagging abnormal child processes spawned by installers and monitoring for unexpected outbound connections to cloud services are essential defensive measures. Regular security awareness training for employees, specifically addressing social engineering tactics employed on social networks, remains a vital component of a robust cybersecurity strategy.
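The injection chain described above (an installer spawning a suspended dism.exe and then creating a remote thread in it) is exactly the parent/child anomaly the EDR recommendation refers to. The following added example, not part of the original report or of Genians’ tooling, runs a minimal detection pass over constructed, simplified Sysmon-style process-create (ID 1) and CreateRemoteThread (ID 8) records; the paths, PIDs, field names and installer name heuristic are assumptions for illustration.

```python
# Added example: flag an installer that spawns dism.exe and then injects into it.
# Records below are constructed and loosely modelled on Sysmon event IDs 1 and 8.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3300,
     "image": r"C:\Users\victim\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\dism.exe",
     "parent_image": r"C:\Users\victim\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe"},
    {"id": 8, "source_pid": 4120, "target_pid": 4188,
     "source_image": r"C:\Users\victim\Downloads\Wondershare_PDFelement_Installer(PDF_Security).exe",
     "target_image": r"C:\Windows\System32\dism.exe"},
    # Benign control: the servicing stack launching dism.exe, no remote thread.
    {"id": 1, "pid": 5010, "ppid": 900,
     "image": r"C:\Windows\System32\dism.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

INSTALLER_HINTS = ("install", "setup")   # assumed naming heuristic for installers
WATCHED_CHILDREN = {"dism.exe"}          # the LOLBin named in the report; extend as needed

def basename(path):
    # Normalise Windows paths so the check works on any host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def looks_like_installer(path):
    return any(hint in basename(path) for hint in INSTALLER_HINTS)

def analyze(events):
    """Return findings as (severity, installer_pid, message) tuples."""
    findings = []
    spawned = {}  # watched child pid -> pid of the installer that spawned it
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in WATCHED_CHILDREN \
                and looks_like_installer(e["parent_image"]):
            spawned[e["pid"]] = e["ppid"]
            findings.append(("medium", e["ppid"],
                             f"installer spawned {basename(e['image'])} (pid {e['pid']})"))
        elif e["id"] == 8 and basename(e["target_image"]) in WATCHED_CHILDREN:
            # Spawn followed by a remote thread from the same parent is the full pattern.
            sev = "high" if spawned.get(e["target_pid"]) == e["source_pid"] else "medium"
            findings.append((sev, e["source_pid"],
                             f"remote thread from {basename(e['source_image'])} into pid {e['target_pid']}"))
    return findings

if __name__ == "__main__":
    for sev, pid, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {msg}")
```

The benign svchost.exe-launched dism.exe produces no finding, while the installer chain escalates to high once the remote thread is correlated with the earlier spawn.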