Recent Telegram intelligence highlights a surge in state-sponsored cyber activity targeting critical infrastructure, supply chains, and corporate networks. Two major threat vectors are active:
- DPRK Operations (APT37 & affiliates): Evolving beyond standard phishing to abuse social media (Facebook) and legitimate developer platforms (GitHub) for Command & Control (C2). They are utilizing trojanized applications to deploy RokRAT and leveraging PowerShell for persistence.
- Russian Operations (APT28): Escalating offensive capabilities in the Ukraine theater with the deployment of PRISMEX malware and zero-day exploits (CVE-2026-21513, CVE-2026-21509) delivered via malicious LNK files.
Collectively, these posts signal a shift toward "Living off the Land" (LotL) tactics using trusted services like Zoho WorkDrive and GitHub to bypass network defenses, combined with high-impact zero-day exploitation for supply chain disruption.
Raw Intelligence Analysis
- Post 1 (APT37): Confirms APT37 (Lazarus Group) is using "social engineering 2.0" by building trust on Facebook before moving victims to Telegram. The delivery of a trojanized PDF app installing RokRAT via a JPG payload indicates sophistication in obfuscation. The use of Zoho WorkDrive for C2 is a specific TTP to blend in with legitimate traffic.
- Post 2 (APT28): Indicates a critical threat level with the confirmation of two zero-days (CVE-2026-21513, CVE-2026-21509). The use of LNK files to chain exploits suggests an initial access vector focused on credential harvesting (theft) and operational destruction (file-wiping via PRISMEX).
- Post 3 (DPRK): Corroborates the trend of DPRK actors using GitHub repositories as C2 infrastructure. The use of LNK files to trigger hidden PowerShell scripts aligns with persistence mechanisms seen in other campaigns (e.g., Moonstone Sleet), aiming for data exfiltration to attacker-controlled repos.
Threat Actor / Tool Profile
- APT37 (Reaper/ScarCruft):
- Malware: RokRAT.
- Delivery: Facebook social engineering -> Telegram -> Trojanized PDF App.
- Payload: JPG payload (steganography).
- C2: Zoho WorkDrive.
- APT28 (Fancy Bear):
- Malware: PRISMEX.
- Exploits: CVE-2026-21513, CVE-2026-21509.
- Delivery: Malicious LNK files.
- Capability: Data theft and file-wiping.
- DPRK Generic (likely Kimsuky/Andariel):
- Infrastructure: GitHub (used as C2).
- Delivery: Phishing with LNK attachments.
- Mechanism: LNK triggers PowerShell -> Persistence -> Exfil.
Detection Engineering
Sigma Rules
YAML
---
title: Suspicious PowerShell Execution via LNK File
id: 6b993f7a-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects PowerShell execution initiated by LNK files, a common vector for APT37 and APT28 initial access.
status: stable
author: Security Arsenal
date: 2026/04/14
references:
- https://thehackernews.com/2026/04/apt28-deploys-prismex-malware-in.html
- https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: 'powershell.exe'
ParentCommandLine|contains: '.lnk'
condition: selection
falsepositives:
- Legitimate system administration scripts
level: high
tags:
- attack.execution
- attack.initial_access
- apt37
- apt28
---
title: Non-Browser Process Connecting to GitHub
id: 8c0a1e2f-3b4d-5c6e-7f8a-9b0c1d2e3f4a
description: Detects non-browser processes connecting to GitHub domains, indicating potential C2 activity observed in DPRK campaigns.
status: stable
author: Security Arsenal
date: 2026/04/14
references:
- https://thehackernews.com/2026/04/dprk-linked-hackers-use-github-as-c2-in.html
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'github.com'
- 'api.github.com'
- 'raw.githubusercontent.com'
filter:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\edge.exe'
- '\msedge.exe'
- '\opera.exe'
- '\git.exe'
- '\githubdesktop.exe'
condition: selection and not filter
falsepositives:
- Developer tools using Git
level: medium
tags:
- attack.command_and_control
- apt37
---
title: PDF Reader Spawning Suspicious Child Process
id: 9d1b2f3a-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects PDF readers spawning cmd, powershell, or wscript, associated with trojanized PDF app campaigns (RokRAT).
status: stable
author: Security Arsenal
date: 2026/04/14
references:
- https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html
logsource:
category: process_creation
product: windows
detection:
selection_parent:
Image|contains:
- '\AcroRd32.exe'
- '\FoxitPDFReader.exe'
- '\pdfviewer.exe'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate PDF form actions
level: high
tags:
- attack.initial_access
- attack.execution
- rokrat
KQL Hunt Query
KQL — Microsoft Sentinel / Defender
// Hunt for LNK files triggering PowerShell or suspicious network connections
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~("powershell.exe", "cmd.exe")
| where InitiatingProcessCommandLine contains ".lnk"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| extend IoCLink = extract(@".*\\(.*\.lnk).*", 1, InitiatingProcessCommandLine)
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt for indications of APT37/28 activity (LNK abuse, GitHub C2).
#>
Write-Host "[*] Checking for recent LNK files in User Downloads/AppData..." -ForegroundColor Cyan
$paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA")
$recentFiles = Get-ChildItem -Path $paths -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-3) }
if ($recentFiles) {
Write-Host "[!] Found recent LNK files:" -ForegroundColor Yellow
$recentFiles | Select-Object FullName, LastWriteTime
} else {
Write-Host "[-] No recent LNK files found." -ForegroundColor Green
}
Write-Host "`n[*] Checking for non-standard processes connecting to GitHub..." -ForegroundColor Cyan
$githubProcs = Get-NetTCPConnection |
Where-Object {
($_.State -eq "Established") -and
$_.RemoteAddress -ne "0.0.0.0" -and
(Resolve-DnsName -Name $_.RemoteAddress -ErrorAction SilentlyContinue |
Where-Object { $_.NameHost -like "*github*" })
}
if ($githubProcs) {
Write-Host "[!] Active GitHub connections found. Investigate PID:" -ForegroundColor Yellow
$githubProcs | ForEach-Object {
$proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
if ($proc.ProcessName -notin @("chrome", "msedge", "firefox", "git", "GitHubDesktop")) {
Write-Host "Process: $($proc.ProcessName) PID: $($proc.Id) Remote: $($_.RemoteAddress)"
}
}
} else {
Write-Host "[-] No suspicious GitHub connections detected." -ForegroundColor Green
}
# Response Priorities
* **Immediate (0–4 hours):**
* Block access to `zoho.com` and `github.com` for non-approved business accounts immediately.
* Isolate any endpoints identified in threat hunts with LNK-initiated PowerShell chains.
* **Same-day (4–24 hours):**
* Conduct a sweep for the specific CVE-2026-21513 and CVE-2026-21509 exploitation attempts on perimeter logs.
* Review firewall/proxy logs for connections to Zoho WorkDrive or GitHub `raw` content repositories from internal hosts.
* **This week:**
* Patch vulnerabilities CVE-2026-21513 and CVE-2026-21509 once vendor patches are available (or apply mitigations).
* Issue an internal security advisory warning users about "PDF Viewer" updates distributed via social media channels (Facebook/Telegram).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebtelegram-inteldarkweb-aptapt37apt28rokratprismexgithub-c2
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.