APT37 Uses Facebook, Telegram, and a Tampered Installer in New Targeted Intrusion Campaign


What happened

A North Korea-linked threat group known as APT37 launched a targeted intrusion campaign that used Facebook, Telegram, and a tampered software installer to compromise victims. The operation began with two Facebook accounts, “richardmichael0828” and “johnsonsophia0414,” which were used to send friend requests and build trust through one-on-one conversations before shifting discussion toward military weapons technology. Once interest was established, the attackers moved the exchange to Telegram and sent an encrypted ZIP archive named “m.zip” containing decoy military-themed PDFs, a fake user guide, and a modified Wondershare PDFelement installer. When the installer was run, embedded shellcode executed in the background, connected to attacker-controlled infrastructure, retrieved a second-stage payload disguised as a JPG image, and exfiltrated screenshots, documents, and audio files to Zoho WorkDrive.

Who is affected

The direct exposure affects carefully selected targets engaged through Facebook and Telegram under a military-themed pretext. The campaign appears aimed at individuals with interest in or access to military weapons information, and the malware was built to steal screenshots, documents, audio recordings, and other files from compromised Windows systems.

Why CISOs should care

This matters because the operation blends social engineering, trusted consumer platforms, a tampered legitimate installer, in-memory execution, and cloud-based exfiltration into one attack chain. It also shows how targeted campaigns can avoid traditional email-based detection by moving through social media and messaging apps while making malicious traffic look like normal cloud activity.

3 practical actions

  1. Verify installer authenticity: Require software installers to be checked for valid digital signatures before execution, especially if they arrive through messaging platforms or compressed archives.
  2. Watch for abnormal child processes: Monitor for installers spawning unexpected processes such as suspended instances of dism.exe or other signs of process injection and fileless execution.
  3. Hunt for cloud-based exfiltration: Review outbound connections to services such as Zoho WorkDrive and other cloud platforms when suspicious social engineering activity or unauthorized file collection is suspected.
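Actions 2 and 3 above are concrete enough to turn into a hunt. The following is an added example written for this summary, not code from the article or from the reporting it draws on. It runs two rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection): an installer living in a user-writable directory spawning dism.exe, and a non-browser process reaching a Zoho WorkDrive host. The field names follow Sysmon's conventions, the installer path and victim user are placeholders, and `workdrive.zoho.com` is assumed to be the WorkDrive web endpoint; confirm the hostnames against your own proxy logs before deploying. Action 1 (signature verification) is left to the platform's own tooling such as `Get-AuthenticodeSignature`.

```python
import json
import ntpath

# Constructed sample telemetry shaped like Sysmon Event ID 1 (ProcessCreate)
# and Event ID 3 (NetworkConnect), one JSON object per line. The installer
# name, user and vendor hostname are placeholders, not indicators from the page.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\dism.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\m\\pdfelement-setup.exe", "CommandLine": "dism.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\dism.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "dism.exe /online /get-features"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\dism.exe", "DestinationHostname": "workdrive.zoho.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "workdrive.zoho.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\victim\\Downloads\\m\\pdfelement-setup.exe", "DestinationHostname": "updates.vendor.invalid", "DestinationPort": 443}
"""

# System binaries the article names as an injection host; extend from your own telemetry.
INJECTION_HOSTS = {"dism.exe"}
# Cloud storage hosts worth reviewing. Assumption: workdrive.zoho.com is the
# WorkDrive web endpoint; verify against real proxy logs before relying on it.
WATCHED_CLOUD_HOSTS = ("workdrive.zoho.com",)
# Processes for which a WorkDrive connection is ordinary interactive use.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def image_name(path):
    # ntpath handles backslash paths regardless of the analyst's own OS.
    return ntpath.basename(path).lower()


def is_user_writable(path):
    """Heuristic: the image lives where an unprivileged user can drop files.
    Signed system components do not normally execute from these locations."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def is_watched_host(host):
    """Exact match or subdomain of a watched cloud storage host."""
    return any(host == w or host.endswith("." + w) for w in WATCHED_CLOUD_HOSTS)


def hunt(events):
    """Return findings in event order; each names the rule and carries the raw event."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            child = image_name(ev.get("Image", ""))
            parent = ev.get("ParentImage", "")
            # Rule 1: a known injection host launched by something that lives in
            # a user-writable directory (a downloaded installer, for instance).
            # Sysmon does not record CREATE_SUSPENDED, so the parent/child pair is
            # the observable here; an EDR with thread-state telemetry can tighten it.
            if child in INJECTION_HOSTS and is_user_writable(parent):
                findings.append({"rule": "installer-spawns-dism", "event": ev})
        elif ev.get("EventID") == 3:
            proc = image_name(ev.get("Image", ""))
            host = ev.get("DestinationHostname", "").lower()
            # Rule 2: a non-browser process talking to a watched cloud storage host.
            if is_watched_host(host) and proc not in BROWSERS:
                findings.append({"rule": "cloud-upload-from-nonbrowser", "event": ev})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        ev = f["event"]
        context = ev.get("ParentImage") or ev.get("DestinationHostname")
        print(f"{f['rule']}: {ev['Image']} <-> {context}")
```

Run against the constructed log, the svchost-launched dism.exe and the Firefox session to WorkDrive pass silently; the installer-spawned dism.exe and its later WorkDrive connection are the two findings. Rule 1 keys on the parent's location rather than its name because a tampered installer keeps the vendor's file name, which is exactly what made the lure credible.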
