Back to Intelligence

APT37 RokRAT Campaign: Facebook Social Engineering Detection and Hardening Guide

SA
Security Arsenal Team
April 15, 2026
6 min read

A recently observed campaign attributed to the North Korean threat group APT37 (also known as ScarCruft or Reaper) highlights a dangerous shift in initial access vectors. While nation-state actors typically rely on spear-phishing, this specific operation leverages Facebook as a primary social engineering platform. The actors initiate "friend" requests to build trust, ultimately delivering the RokRAT (Remote Access Trojan) payload.

For security practitioners, this represents a significant blind spot. Traditional email gateways and secure web gateways are ineffective against traffic originating from a trusted, whitelisted social media platform. RokRAT is a fully featured surveillance tool capable of exfiltrating data, logging keystrokes, and establishing persistence. Given APT37's historical focus on intelligence gathering, the risk to sensitive intellectual property and strategic data is critical.

Technical Analysis

  • Affected Products & Platforms: Microsoft Windows endpoints (all versions). Attack vector is browser-based (Facebook) leading to local execution.
  • Threat Actor: APT37 (ScarCruft, Reaper). Nation-state sponsor: North Korea (DPRK).
  • Malware Family: RokRAT.
  • Attack Chain:
    1. Social Engineering: Actor adds target on Facebook, engaging in trust-building conversations.
    2. Delivery: Target is tricked into downloading a malicious file (often disguised as a document or job description) hosted via Facebook or linked third-party storage.
    3. Execution: User executes the file (often an LNK or disguised executable). This triggers a multi-stage loader.
    4. C2 & Payload: RokRAT establishes a Command & Control (C2) channel. APT37 is known for abusing legitimate cloud services (e.g., Dropbox, Google Drive, pCloud) for C2 to blend in with normal traffic.
  • Exploitation Status: Active exploitation confirmed in the wild.

Detection & Response

Detecting APT37 activity requires visibility beyond standard email filtering. We must look for the behavioral artifacts of RokRAT, specifically its tendency to abuse cloud storage APIs for C2 and the use of PowerShell for staging.

Sigma Rules

YAML
---
title: Potential RokRAT Cloud Storage C2 Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects suspicious processes accessing cloud storage APIs often abused by RokRAT (Dropbox, pCloud, Google Drive) while masquerading as legitimate system activity.
references:
  - https://attack.mitre.org/software/S0256/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1102.002
logsource:
  category: network_connection
  product: windows
detection:
  selection_cloud:
    DestinationHostname|contains:
      - 'dropbox.com'
      - 'dropboxapi.com'
      - 'pcloud.com'
      - 'content.dropboxapi.com'
      - 'googleusercontent.com'
  selection_process:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
    Initiated: 'true'
  filter_browsers:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection_cloud and selection_process and not filter_browsers
falsepositives:
  - Legitimate administrative scripts using cloud APIs
level: high
---
title: Suspicious LNK File Execution from Downloads
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects execution of LNK files from the Downloads directory, a common delivery method for APT37 social engineering campaigns.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\explorer.exe'
    CommandLine|contains: '\Downloads\'
    CommandLine|contains: '.lnk'
  condition: selection
falsepositives:
  - User opening legitimate shortcuts from Downloads
level: medium

KQL (Microsoft Sentinel / Defender)

The following KQL query hunts for PowerShell processes making network connections to known cloud storage providers, a hallmark of RokRAT C2.

KQL — Microsoft Sentinel / Defender
// Hunt for PowerShell processes connecting to cloud storage (RokRAT TTP)
let CloudDomains = dynamic(['dropbox.com', 'pcloud.com', 'googleapis.com', 'googleusercontent.com']);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (CloudDomains)
| join kind=inner (DeviceProcessEvents 
  | where Timestamp > ago(7d) 
  | where ProcessVersionInfoOriginalFileName =~ 'powershell.exe' or ProcessVersionInfoOriginalFileName =~ 'cmd.exe'
  | distinct InitiatingProcessAccountId, InitiatingProcessCommandLine, DeviceId, FileName) 
  on DeviceId, InitiatingProcessAccountId
| project Timestamp, DeviceName, FileName, InitiatingProcessCommandLine, RemoteUrl, RemotePort
| summarize count() by DeviceName, RemoteUrl, FileName
| order by count_ desc

Velociraptor VQL

This VQL artifact hunts for LNK files in user download directories that may have been created recently as part of the social engineering drop.

VQL — Velociraptor
-- Hunt for LNK files in User Downloads directory created in last 7 days
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='C:\Users\*\Downloads\*.lnk')
WHERE Mtime < ago(date("-7d"))
-- Optional: Filter for file sizes typical of malicious LNKs (often small)
AND Size < 10000

Remediation Script (PowerShell)

This script aids in the identification of potential RokRAT persistence mechanisms. RokRAT often establishes persistence via Registry Run keys or Scheduled Tasks.

PowerShell
# Audit common persistence locations for APT37/RokRAT activity
# Requires Administrator privileges

function Check-RokRatPersistence {
    Write-Host "[*] Checking Run Keys for Suspicious Entries..." -ForegroundColor Cyan
    
    $Paths = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )

    foreach ($Path in $Paths) {
        if (Test-Path $Path) {
            Get-Item -Path $Path | Select-Object -ExpandProperty Property | ForEach-Object {
                $PropValue = (Get-ItemProperty -Path $Path -Name $_).$_
                # Alert if the value points to suspicious common locations (AppData, Temp)
                if ($PropValue -match "AppData" -or $PropValue -match "Temp" -or $PropValue -match "Public\\") {
                    Write-Host "[!] Suspicious Persistence Found: $Path -> $_ : $PropValue" -ForegroundColor Red
                }
            }
        }
    }

    Write-Host "[*] Checking for Suspicious Scheduled Tasks..." -ForegroundColor Cyan
    Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} | ForEach-Object {
        $Action = $_.Actions.Execute
        if ($Action -match "powershell" -or $Action -match "wscript" -or $Action -match "cmd") {
            $Arg = $_.Actions.Arguments
            if ($Arg -match "DownloadString" -or $Arg -match "EncodedCommand") {
                Write-Host "[!] Suspicious Task: $($_.TaskName)" -ForegroundColor Red
                Write-Host "    Action: $Action $Arg" -ForegroundColor Yellow
            }
        }
    }
}

Check-RokRatPersistence

Remediation

1. User Awareness and Training:

  • Immediately brief users on the specific APT37 campaign targeting Facebook. Emphasize that friend requests from unknown individuals, even those with mutual connections or seemingly legitimate profiles, pose a risk.
  • Advise users never to open documents or executable files downloaded via Facebook chat without independent verification via a secondary channel (e.g., voice call).

2. Network Controls:

  • SSL Inspection: If not already active, enable SSL inspection on the perimeter to detect malware C2 traffic hidden within encrypted connections to cloud storage services.
  • URL Filtering: Enforce strict categorization policies. While Facebook may be allowed for business, consider restricting access to "Personal Network Storage" (Dropbox, pCloud, personal Google Drive) from corporate endpoints unless specifically required. App-ID controls (blocking known cloud storage APIs) are more effective than simple URL blocks.

3. Endpoint Hardening:

  • PowerShell Constrained Language Mode: Enforce Constrained Language Mode for non-administrative users to prevent the execution of complex staging scripts often used by RokRAT.
  • Mark-of-the-Web (MotW): Ensure Microsoft Office and Windows Defender SmartScreen are strictly enforcing policies for files originating from the internet (Zone 3).

4. Incident Response:

  • If an infection is suspected, isolate the host immediately.
  • Revoke all credentials cached on the compromised machine, as RokRAT includes keylogging capabilities.
  • Wipe and re-image the endpoint; RokRAT is sophisticated and may leave hidden persistence mechanisms.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringapt37rokratfacebooksocial-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action