Lead Story | Active — Nation-State Campaign (DPRK) | Remote Work · Academia · Defence · Enterprise
APT37 Is Friend-Requesting Your Employees. The Malware Arrives Three Conversations Later.
North Korea’s ScarCruft built fake Facebook identities, spent weeks earning trust, then moved targets to Telegram and delivered a trojanized PDF app. The payload: RokRAT, hidden inside a JPG, calling home through Zoho WorkDrive.
This campaign started months before any malware moved. APT37 (also known as ScarCruft), a threat actor attributed to North Korea’s intelligence services, created two Facebook accounts — both on November 10, 2025, both with locations set to North Korean cities — and began sending friend requests to professionals in defence, technology, and academia. The operators exchanged small talk over Facebook Messenger for weeks, building the kind of familiarity that makes a subsequent request feel reasonable. When the relationship was warmed, they shifted the conversation to Telegram — presented as more secure — and under the pretext of sharing encrypted military weapons documents, told the target that a dedicated PDF viewer was required. That request is the entire attack. By the time the ZIP file arrived, the trust had already been built across dozens of interactions. The target installed the software themselves.
The ZIP contained a trojanized Wondershare PDFelement installer. On execution, shellcode contacted a C2 server and downloaded what appeared to be a JPG image — the final RokRAT payload concealed inside it. RokRAT captures desktop screenshots at regular intervals, executes arbitrary commands via cmd.exe, enumerates connected drives, queries ipinfo.io for the host’s public IP and geolocation, and exfiltrates documents (DOC, XLS, PPT, PDF, TXT, HWP) and smartphone audio files (.M4A, .AMR) — all AES-256-CBC encrypted — to Zoho WorkDrive via hardcoded OAuth2 credentials. The malware disguises itself as OfficeUpdate.exe, checks for Qihoo 360 Security, and rotates User-Agent strings to blend C2 traffic into normal browser behaviour. Genians, whose researchers analysed the campaign, attributed it to APT37 based on Korean-language markers, infrastructure overlaps with prior ScarCruft operations, and the group’s documented history of Zoho WorkDrive C2 abuse.
→ Key Takeaway: The payload is the last step, not the first. Train employees to treat any unsolicited social media connection — especially one that quickly escalates to a “more secure” channel or requests software installation — as a red flag regardless of how credible the persona seems. Brief remote workers specifically: digital nomads who actively build online professional networks are exactly the surface area these lures are built to find. For detection: monitor for cmd.exe spawned from unexpected parent processes, outbound queries to ipinfo.io from workstations, and anomalous high-volume uploads to cloud storage platforms including Zoho WorkDrive.
Quick Hits
01
SonicWall SMA1000 Patches a SQL Injection That Lets Read-Only Admins Become Full Admins — Plus SSL VPN Credential Enumeration and TOTP Bypass
SonicWall released patches for four vulnerabilities in its SMA1000 series remote access appliances. The most significant is CVE-2026-4112 (CVSS 7.2 High): a SQL injection flaw in the management interface that allows an authenticated attacker with read-only administrator credentials to escalate to full primary administrator. There are no workarounds — patching is the only mitigation. Three additional flaws in the same release cover SSL VPN credential enumeration (allowing unauthenticated remote attackers to confirm whether specific usernames are valid) and TOTP authentication bypass. For organizations that deploy SMA1000 as the remote access gateway for travelling employees, the credential enumeration flaw is the one to prioritize: a valid username is the first step in a targeted access campaign. Patched versions: platform-hotfix 12.4.3-03387 and 12.5.0-02624 or later. Singapore’s Cyber Security Agency issued an advisory. No exploitation confirmed in the wild. SecurityWeek →
High — CVSS 7.2 | Remote Access · Enterprise
CVE Watch
Palo Alto Cortex XSOAR and XSIAM: Forged Tokens Give Unauthenticated Attackers Access to Your SOC
Security operations platforms are becoming targets in their own right. CVE-2026-0234 (CVSS 9.2, CWE-347 Improper Verification of Cryptographic Signature) affects the Microsoft Teams integration in Cortex XSOAR and Cortex XSIAM, versions 1.5.0 through 1.5.51. The integration accepts incoming messages from Teams but fails to verify that the cryptographic signature on those messages is genuine. An attacker who can send a crafted message to the integration endpoint can present a forged signature and be treated as a trusted Teams sender — without valid credentials and without prior access to the network. From that position, the attacker can access confidential incident data and manipulate active security playbooks. The consequence is a defensive platform turned against its own team. No exploitation has been confirmed in the wild. Patch by upgrading the Microsoft Teams Marketplace integration to version 1.5.52 or later — no workaround exists.
Vendor: Palo Alto Networks (Cortex) · CVE: CVE-2026-0234 · CVSS: 9.2 Critical · Affected: Cortex XSOAR / XSIAM Teams integration v1.5.0–1.5.51 · Patch: v1.5.52 or later · Exploitation: Not confirmed in wild
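The CWE-347 pattern described above, as an added illustration that is not the Cortex integration’s code: a handler that only checks a signature is present beside one that actually verifies it. It assumes an HMAC-SHA256 scheme in the style of Teams outgoing webhooks (sender signs the raw body with a shared secret and sends `Authorization: HMAC <base64 digest>`); the secret and message bodies are constructed.

```python
import base64
import hashlib
import hmac

SHARED_SECRET = b"constructed-shared-secret"  # constructed for this example

def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """What a genuine sender would attach: HMAC-SHA256 over the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return "HMAC " + base64.b64encode(digest).decode()

def handle_vulnerable(body: bytes, auth_header: str) -> bool:
    """CWE-347 shape: the header is parsed but never recomputed against the body,
    so any value that looks like a signature is treated as a trusted sender."""
    return auth_header.startswith("HMAC ")

def handle_fixed(body: bytes, auth_header: str, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the MAC over the exact bytes received and compare in constant time.
    Any malformed or mismatching header is rejected before the message is acted on."""
    if not auth_header.startswith("HMAC "):
        return False
    try:
        presented = base64.b64decode(auth_header[len("HMAC "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)

# Constructed traffic: one genuine message and one with a fabricated signature.
GENUINE_BODY = b'{"text": "close incident 1042"}'
GENUINE_HEADER = sign(GENUINE_BODY)
FORGED_HEADER = "HMAC " + base64.b64encode(b"\x00" * 32).decode()

if __name__ == "__main__":
    print("vulnerable accepts forged:", handle_vulnerable(GENUINE_BODY, FORGED_HEADER))
    print("fixed accepts forged:", handle_fixed(GENUINE_BODY, FORGED_HEADER))
    print("fixed accepts genuine:", handle_fixed(GENUINE_BODY, GENUINE_HEADER))
```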
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM — Detect: Continuous Monitoring
RokRAT Announces Itself. The Question Is Whether Anyone Is Listening.
DE.CM-09 under NIST CSF 2.0 requires that computing hardware, software, runtime environments, and their data are monitored to find potentially adverse events. DE.CM-01 covers network traffic monitoring for the same purpose. APT37’s RokRAT produces detectable signals on both layers — if monitoring is actually configured to catch them. On the endpoint: cmd.exe with an unexpected parent process (e.g. spawned from what presents as OfficeUpdate.exe), mass document enumeration across drives, and screenshot capture at regular intervals are all anomalies an EDR configured for process ancestry should flag. On the network: outbound HTTP requests to ipinfo.io from a workstation and high-volume encrypted uploads to Zoho WorkDrive are detectable patterns in a monitored environment. The tooling to catch this exists in most enterprise stacks.
Concrete action (DE.CM-09 + DE.CM-01): Confirm your EDR has alerts on process ancestry anomalies for cmd.exe. Add a SIEM rule for outbound requests to ipinfo.io from non-server endpoints. Review whether Zoho WorkDrive is in your list of approved cloud storage destinations — if it is not, anomalous uploads to it should already be alerting.
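The three detection rules named in the Key Takeaway and in this compliance tip, run over constructed telemetry as an added example (not from Genians or the newsletter). The expected-parent baseline, the `srv-` hostname convention, the approved-storage list and the 50 MB threshold are assumptions to be tuned per environment; the events are fabricated.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs). Process events carry the fields an
# EDR or Sysmon event 1 would; proxy events are per-request with bytes sent.
PROCESS_EVENTS = [
    {"host": "ws-17", "image": "cmd.exe", "parent": "explorer.exe"},
    {"host": "ws-17", "image": "cmd.exe", "parent": "OfficeUpdate.exe"},  # RokRAT-style
    {"host": "ws-22", "image": "cmd.exe", "parent": "winword.exe"},       # macro-style
]
PROXY_EVENTS = [
    {"host": "ws-17", "dst": "ipinfo.io", "method": "GET", "bytes_sent": 420},
    {"host": "ws-17", "dst": "workdrive.zoho.com", "method": "POST", "bytes_sent": 40_000_000},
    {"host": "ws-17", "dst": "workdrive.zoho.com", "method": "POST", "bytes_sent": 35_000_000},
    {"host": "srv-dns1", "dst": "ipinfo.io", "method": "GET", "bytes_sent": 400},  # server
    {"host": "ws-22", "dst": "login.microsoftonline.com", "method": "POST", "bytes_sent": 9_000},
]

# Assumed tuning values; every environment sets its own.
EXPECTED_CMD_PARENTS = {"explorer.exe", "powershell.exe", "code.exe", "services.exe"}
SERVER_PREFIX = "srv-"                        # assumed hostname convention
APPROVED_CLOUD_STORAGE = {"sharepoint.com"}   # Zoho WorkDrive intentionally absent
UPLOAD_THRESHOLD = 50_000_000                 # bytes per host per destination

def detect_cmd_ancestry(events):
    """DE.CM-09: cmd.exe whose parent is not in the expected-parent baseline."""
    expected = {p.lower() for p in EXPECTED_CMD_PARENTS}
    return [(e["host"], e["parent"]) for e in events
            if e["image"].lower() == "cmd.exe" and e["parent"].lower() not in expected]

def detect_ipinfo_from_workstations(events):
    """DE.CM-01: public-IP lookups from endpoints that are not servers."""
    return sorted({e["host"] for e in events
                   if e["dst"] == "ipinfo.io" and not e["host"].startswith(SERVER_PREFIX)})

def detect_bulk_uploads(events):
    """DE.CM-01: aggregate upload volume per (host, destination) and flag
    unapproved cloud storage destinations over the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["host"], e["dst"])] += e["bytes_sent"]
    return [(h, d, n) for (h, d), n in totals.items()
            if n > UPLOAD_THRESHOLD and not any(d.endswith(a) for a in APPROVED_CLOUD_STORAGE)]

if __name__ == "__main__":
    print("cmd.exe ancestry:", detect_cmd_ancestry(PROCESS_EVENTS))
    print("ipinfo.io lookups:", detect_ipinfo_from_workstations(PROXY_EVENTS))
    print("bulk uploads:", detect_bulk_uploads(PROXY_EVENTS))
```

The server exemption for ipinfo.io and the per-destination aggregation are what keep the rules from firing on a DNS server or on one large SharePoint sync.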
HARDENED
This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
Sources: The Hacker News (APT37 Facebook / RokRAT campaign), thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html · Genians Threat Intelligence (APT37 pretexting analysis), genians.co.kr/en/blog/threat_intelligence/pretexting · GBHackers (APT37 Telegram / PDFelement intrusion chain), gbhackers.com/new-targeted-cyberattack/ · CyberPress (APT37 campaign technical detail), cyberpress.org/apt37-social-lure-campaign/ · SecurityWeek (SonicWall and Palo Alto patches), securityweek.com/palo-alto-networks-sonicwall-patch-high-severity-vulnerabilities/ · Cyber Security Agency of Singapore (SonicWall SMA1000 advisory AL-2026-033), csa.gov.sg · Palo Alto Networks Security Advisory (CVE-2026-0234), security.paloaltonetworks.com/CVE-2026-0234 · NIST CSF 2.0 (DE.CM-09, DE.CM-01), nist.gov/cyberframework