PULSE NAME
Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks
WHITE APT37 AlienVault 2026-04-14 Modified: 2026-04-14
21
IOCs
MEDIUM VOLUME
APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.
Indicators of Compromise (6 / 21 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL domain email hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 085128b4e96633c82beb2101f5c525e4 2026-04-14
FileHash-MD5 28d0143718153bf04c1919a26bb70c2d 2026-04-14
FileHash-MD5 36be2cbb59cd1c3f745d5f80f9aee21c 2026-04-14
FileHash-MD5 c637b3e7d74c2d678663454d16311b15 2026-04-14
FileHash-MD5 c681fe3f42e82e9240afe97c23971cbc 2026-04-14
FileHash-MD5 d44a22d2c969988a65c7d927e22364c8 2026-04-14