Friend Request From Pyongyang: How North Korean Hackers Are Targeting University Communities

April 13, 2026

APT37—North Korea's state-sponsored cyber unit—is sending fake Facebook friend requests to researchers, faculty, and academic professionals as the opening move in a multi-stage malware campaign. Here's what the UT RSOC community needs to know.

A freshly attributed campaign from North Korean threat actor APT37 (also known as ScarCruft or Group123) is using some of the most ordinary digital touchpoints in academic life—social media friend requests—as the entry point for sophisticated cyberespionage. The campaign, analyzed this week by security researchers and flagged in threat intelligence feeds shared with the UT RSOC team, is specifically designed to exploit the professional networking habits of researchers, policy analysts, and academic staff.

Unlike the phishing emails that most security trainings warn about, this campaign starts with an apparently routine Facebook friend request—and by the time a malicious payload arrives, the target has often been engaged in conversation for days or even weeks.

How the Attack Unfolds

  • 1. Fake Profile — Initial Contact: Attackers create Facebook accounts with locations set to North Korean cities (Pyongyang, Pyongsong). They send friend requests to academics, government-adjacent researchers, and defense-policy professionals. The accounts appear plausible at a glance.
  • 2. Trust-Building via Messenger & Telegram: Once accepted, conversation moves to Messenger and eventually Telegram. Attackers use pretexting—posing as colleagues, journalists, or think-tank contacts—and discuss topics relevant to the target's research area to build credibility over time.
  • 3. Trojanized Software Delivery: The target is sent a ZIP archive containing a tampered version of Wondershare PDFelement along with PDF documents, with instructions to install the software to open "encrypted research files." The installer appears legitimate.
  • 4. RokRAT Malware Deployment: Launching the installer triggers embedded shellcode that connects to a compromised C2 server and retrieves a second-stage payload disguised as a JPG image—a tactic designed to evade endpoint detection tools. The final payload is RokRAT.
  • 5. Silent Exfiltration: RokRAT abuses Zoho WorkDrive as its command-and-control channel—a legitimate cloud service that rarely triggers enterprise network alerts. The malware captures screenshots, runs system commands, harvests credentials, and exfiltrates research data.

Why the Texas Higher Education Community Is at Risk

APT37 has a documented history of targeting academics, policy researchers, journalists, and human rights advocates—particularly those working on topics of strategic interest to Pyongyang, including Korean Peninsula security, nuclear nonproliferation, sanctions, and defense technology. Texas institutions host world-class research programs in many of these areas, and their students and faculty represent exactly the profile APT37 seeks.

The use of everyday platforms like Facebook removes the technical barrier to compromise. A researcher doesn't need to click a malicious email link or visit a spoofed website—just accepting a friend request and later downloading what appears to be a productivity tool is sufficient. This is particularly concerning in academic environments where open collaboration and cross-institutional networking are the norm.

⚠ What to Watch For: Be skeptical of unsolicited social media connection requests from individuals you don't personally know—especially if they claim an interest in your research, reference shared professional circles you can't verify, or quickly move conversations off-platform to Telegram or WhatsApp. Never install software sent through a social channel to "open" a document.

Indicators of Compromise

Type                   Indicator                      Note
Facebook Account       richardmichael0828             Known attacker persona; location: Pyongyang
Facebook Account       johnsophia0414                 Known attacker persona; location: Pyongsong
C2 Domain              japanroom[.]com                Compromised site used for stage-2 payload delivery
Payload File           1288247428101.jpg              RokRAT disguised as JPG; dropped from C2
Trojanized Installer   Wondershare PDFelement         Legitimate software tampered with malicious shellcode
C2 Channel             Zoho WorkDrive (legitimate)    Abused as covert command channel by RokRAT

Recommended Actions for RSOC Constituents

  • Brief faculty, researchers, and graduate students on this campaign. Academic communities are the primary target—awareness is the most effective control.
  • Remind staff and students to verify the identity of any new social media contacts before engaging, especially those expressing interest in ongoing research or requesting document exchanges.
  • Instruct users to never install software received through social messaging platforms, regardless of how legitimate it appears.
  • Add japanroom[.]com to DNS blocklists and review proxy/firewall logs for any outbound connections to this domain.
  • Monitor endpoint telemetry for PDF-related application installs outside of approved software channels (Wondershare PDFelement as a delivery vector).
  • Review cloud storage integrations—particularly Zoho WorkDrive—for any anomalous API activity or unexpected connections from endpoints.
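The blocklist-and-log-review actions above, together with the indicators in the table, can be turned into a small triage script. The following is an added example, not code from UT RSOC or the advisory: it runs over a constructed proxy log, refangs the published indicators, matches the C2 domain by host (not by substring) and the RokRAT payload filename, and flags a Zoho WorkDrive upload from a client that had already contacted the C2. The WorkDrive hostname workdrive.zoho.com and the log format are assumptions.

```python
import re

# Indicators from the advisory, kept as published (defanged) and refanged before matching.
IOC_DOMAINS = ["japanroom[.]com"]
IOC_PAYLOAD_FILES = {"1288247428101.jpg"}
WORKDRIVE_HOST = "workdrive.zoho.com"  # assumed web host; the advisory names only the service

# Constructed sample proxy log (not real telemetry): time, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2026-04-13T09:12:01Z 10.20.31.44 GET http://www.japanroom.com/img/1288247428101.jpg 200
2026-04-13T09:13:10Z 10.20.31.57 GET https://www.utexas.edu/research 200
2026-04-13T09:14:22Z 10.20.31.44 POST https://workdrive.zoho.com/api/v1/upload 201
2026-04-13T09:15:00Z 10.20.31.60 GET http://japanroom.com.example.org/ 200
2026-04-13T09:16:30Z 10.20.31.57 POST https://workdrive.zoho.com/api/v1/upload 201
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$", re.M)

def refang(value: str) -> str:
    """Turn a defanged indicator such as 'japanroom[.]com' into a matchable host."""
    return value.replace("[.]", ".").lower()

def host_of(url: str) -> str:
    """Lowercase host portion of a URL (no scheme, port or path)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url.lower())
    return m.group(1) if m else ""

def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact host or subdomain match; a lookalike such as japanroom.com.example.org does not count."""
    return host == ioc_domain or host.endswith("." + ioc_domain)

def scan_proxy_log(text: str) -> list:
    """One finding per line that touches an advisory indicator, plus a C2-then-WorkDrive correlation."""
    domains = [refang(d) for d in IOC_DOMAINS]
    findings, c2_clients = [], set()
    for m in LOG_RE.finditer(text):
        host, path_file = host_of(m["url"]), m["url"].rsplit("/", 1)[-1].lower()
        reasons = [f"stage-2 C2 domain {d}" for d in domains if host_matches(host, d)]
        if path_file in IOC_PAYLOAD_FILES:
            reasons.append(f"RokRAT payload name {path_file}")
        if reasons:
            c2_clients.add(m["client"])
        # A WorkDrive upload alone is normal; from a client that already hit the C2 it is not.
        if host == WORKDRIVE_HOST and m["method"] == "POST" and m["client"] in c2_clients:
            reasons.append("WorkDrive upload after C2 contact (possible exfiltration channel)")
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons})
    return findings
```

Running scan_proxy_log(SAMPLE_PROXY_LOG) returns two findings for client 10.20.31.44 and none for the lookalike domain or for the unrelated WorkDrive upload.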

ℹ RSOC Note: This campaign was flagged in UT RSOC threat intelligence feeds this week. Member institutions with questions about detection coverage or indicators should contact the RSOC analyst team at rsoc@utexas.edu. MITRE ATT&CK techniques: T1566 (Phishing), T1204 (User Execution), T1059 (Command and Scripting Interpreter), T1041 (Exfiltration over C2).
Tags: APT37, North Korea, Social Engineering, RokRAT, Higher Education, Threat Intelligence. TLP:GREEN