North Korean Hackers Use Facebook to Spread RokRAT Malware
Robert Moore ·

North Korea's APT37 group is using Facebook friend requests to deliver RokRAT malware. Learn how the attack works and how to protect yourself from this social engineering campaign.
You probably think of Facebook as a place to catch up with old friends, share vacation photos, or argue about politics. But for North Korean hackers, it's a hunting ground.
A state-sponsored group known as APT37 (also called ScarCruft) has been running a clever social engineering campaign on the platform. They approach targets, add them as friends, and slowly build trust. Once the connection feels real, they turn that trust into a weapon—delivering a nasty piece of malware called RokRAT.
This isn't some random script kiddie operation. These are sophisticated threat actors working for the North Korean government. And they're using a tool you probably use every day.
### How the Attack Works
The attackers start by creating fake Facebook profiles that look legitimate. They might use stolen photos, real-sounding bios, and mutual friends to make the accounts believable. Then they reach out to specific targets—often people working in cybersecurity, government, or journalism.
Once you accept their friend request, they don't strike immediately. Instead, they engage in normal conversation. They might comment on your posts, share memes, or ask about your work. The goal is to make you feel comfortable.
After enough time passes, they send you a link or a file. Maybe it's a PDF about a topic you care about, or a link to what looks like a news article. But the file is not what it claims to be: opening it runs a loader that installs RokRAT on your machine, and the lure is chosen so that the request looks like a natural part of the conversation you have been having.

### What Is RokRAT?
RokRAT is a remote access trojan, a backdoor that gives the operator remote control of your computer for as long as it stays installed. Once it's in, they can:
- Steal your files and documents
- Record your keystrokes
- Take screenshots
- Access your webcam and microphone
- Use your machine as a foothold to reach other systems on your network
This isn't just about stealing passwords. It's about espionage. APT37 has been linked to campaigns targeting South Korean think tanks, U.S. defense contractors, and even journalists covering North Korea.
### Why Facebook Works So Well for This
Think about it: when you get a friend request from someone you don't know, you might hesitate. But if that person has mutual friends and seems normal, you're more likely to accept. That's exactly what these hackers count on.
"The threat actor used two Facebook accounts to approach targets," researchers noted. By using multiple profiles, they can cross-reference information and tailor their approach. They might even get one account to vouch for another.
It's a slow, patient game. But the payoff is huge.
### How to Protect Yourself
You don't need to be a cybersecurity expert to stay safe. Here are some practical steps:
- Don't accept friend requests from strangers, even if they have mutual friends
- Check profile history: fake accounts often have few posts or recent creation dates
- Be suspicious of unsolicited links or files, even from people you know
- Use strong, unique passwords and enable two-factor authentication
- Keep your software updated, especially your browser and operating system
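The third item above is the one that actually stops this campaign: the friend request is not the compromise, opening the file is. The script below is an added example (not code from the article or from any RokRAT research) of the check a practitioner would run on a file that arrives over social media before opening it. It compares what the filename claims with what the leading bytes actually are, flags double extensions like `report.pdf.lnk` (Windows hides the final `.lnk`), and looks inside zip archives for members that run code when double-clicked. All sample files and the function names (`triage`, `run_samples`) are constructed for this example; the "executable" and "shortcut" samples are only headers, not working programs.

```python
"""
Triage a file received over social media before opening it.

Added example: compare the claimed type (filename) with the real type
(leading bytes), flag double extensions, and inspect zip members.
Sample inputs are constructed in memory; nothing is downloaded or run.
"""
import io
import os
import zipfile

# Leading bytes of common document and container formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                              # also docx/xlsx/pptx
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",        # legacy .doc/.xls/.hwp
    b"MZ": "pe",                                       # Windows .exe/.dll/.scr
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk",        # Windows shortcut
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}

# What a file with this extension should really contain.
EXPECTED = {
    ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".doc": "ole", ".xls": "ole", ".hwp": "ole", ".rar": "rar", ".gz": "gzip",
}

# Extensions that execute code when "opened" on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".lnk", ".hta", ".js", ".jse", ".vbs",
                   ".wsf", ".cmd", ".bat", ".chm", ".msi", ".dll", ".pif"}


def detect_type(data: bytes) -> str:
    """Return the real format from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def archive_members_that_execute(data: bytes) -> list[str]:
    """Names of zip members whose extension runs code when double-clicked."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]


def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons this file looks like a lure; empty list means none found."""
    reasons = []
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    actual = detect_type(data)

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"extension {ext} runs code when opened")
    # 'report.pdf.lnk': the inner extension is what the victim is meant to see.
    inner_ext = os.path.splitext(root.strip())[1].lower()
    if inner_ext in EXPECTED:
        reasons.append(f"double extension: looks like {inner_ext} but is {ext}")
    # Name says document, bytes say otherwise.
    if ext in EXPECTED and actual != EXPECTED[ext]:
        reasons.append(f"claims {EXPECTED[ext]} but content is {actual}")
    if actual in ("pe", "lnk") and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a {actual} hidden behind {ext or 'no extension'}")
    # Archives are a common wrapper for a shortcut or executable lure.
    if actual == "zip":
        for member in archive_members_that_execute(data):
            reasons.append(f"archive member runs code when opened: {member}")
    return reasons


# Constructed samples (headers only, not real files or malware).
PDF_HEADER = b"%PDF-1.7\n% constructed sample\n"
PE_HEADER = b"MZ" + b"\x00" * 62                        # start of a DOS/PE stub
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 12


def build_lure_zip() -> bytes:
    """A zip whose only member is a shortcut disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Seminar invitation.pdf.lnk", LNK_HEADER)
    return buf.getvalue()


SAMPLES = {
    "summary.pdf": PDF_HEADER,                  # genuine PDF: no findings
    "briefing.pdf": PE_HEADER,                  # executable renamed to .pdf
    "sanctions report.pdf.lnk": LNK_HEADER,     # shortcut with double extension
    "invitation.zip": build_lure_zip(),         # archive wrapping a shortcut
}


def run_samples() -> dict[str, list[str]]:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name}: {reasons or ['no findings']}")
```

A clean result from this check does not mean a file is safe (a genuine PDF or Office document can still carry an exploit or a macro), so it belongs before, not instead of, opening unexpected files in a sandbox or a throwaway virtual machine.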
If you work in a sensitive field and need to research people or groups online, an antidetect browser can help you keep that work in a separate persona: these tools mask your browser fingerprint, making it harder for a target to link your research account to your real one. Be clear about what that does and does not buy you, though. A masked fingerprint does nothing against this campaign, which succeeds the moment you open a malicious file. Keep research personas on a separate machine or virtual machine, and open anything a new contact sends you only in a sandbox you can throw away.
### The Bigger Picture
This campaign is a reminder that social engineering is still one of the most effective attack methods. No amount of security tooling protects you if you let the wrong person into your circle and then open what they send you.
APT37 isn't going away. They're constantly refining their tactics, finding new ways to exploit trust. But by staying aware and taking basic precautions, you can make yourself a much harder target.
Stay sharp out there. And maybe think twice before accepting that next friend request.