A high-severity threat intelligence report filed on April 16, 2026, flagged a new campaign from North Korea’s APT37 group — the state-sponsored threat actor also known as ScarCruft — using Facebook as the delivery vehicle for RokRAT malware. The tactic represents a measurable shift in how nation-state actors are reaching targets, and it has immediate implications for any small business whose team uses social media professionally.
If your employees talk to recruiters, journalists, or industry contacts on Facebook, LinkedIn, or WhatsApp, this one needs a response.
—
What Is APT37 and Why Small Businesses Should Care
APT37 is a North Korean threat group that has operated under several names — ScarCruft, Reaper, Group123 — since at least 2012. Historically the group focused on strategic targets in South Korea, defense contractors, diplomatic organizations, and human rights groups. Its toolkit has always been more sophisticated than that of opportunistic cybercrime, featuring custom malware, zero-day exploitation, and patient multi-week reconnaissance.
Here is why this matters outside those traditional targets. Nation-state toolkits do not stay contained. The tools APT37 uses today become the playbooks cybercriminals use against small businesses in 6 to 12 months. The Facebook social engineering technique being documented this week is already spreading — threat analysts expect copycat campaigns to hit accounting firms, law offices, and managed service providers by summer.
Small and mid-sized businesses are attractive secondary targets because they often have privileged access to larger clients, weaker email and social media monitoring, and less budget for cybersecurity awareness training.
—
How the Facebook RokRAT Attack Works
The attack chain APT37 is running is low-tech in its social layer and technically sophisticated in its payload. The sequence that investigators have documented looks like this:
- Reconnaissance. The attacker identifies a target employee — often through LinkedIn — then creates or repurposes a Facebook profile that looks professionally relevant (a recruiter for a legitimate firm, a freelance journalist, or a peer in the same industry).
- Rapport building. The fake account sends a connection request with a plausible reason, then exchanges several days of conversation. The messages are polite, on-topic, and specifically tailored to the victim’s job function.
- Pretext for the payload. The attacker asks the victim to review a document, a slide deck, a job description, or interview questions. The file arrives as a RAR or ZIP archive, occasionally as a Windows shortcut (LNK) file.
- Execution. Opening the archive runs RokRAT, a remote access trojan that installs quietly and begins operating in the background.
- Long-term access. RokRAT performs credential harvesting, screenshot capture, keylogging, and file exfiltration. It hides its command-and-control traffic inside normal-looking connections to cloud services like Dropbox and pCloud — a living-off-the-land technique that most signature-based antivirus tools cannot flag.
Typical dwell time for this class of campaign is more than 180 days. By the time anyone notices, the attackers have credentials, customer records, banking details, and, in many cases, a way back in even after the malware is removed.
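The "pretext for the payload" step above turns on one decision: whether the recipient opens what is inside the archive. A cheap check that a help desk or a mail/file gateway can run before anyone does that is to list the archive's members without extracting them and flag anything that executes on double-click, including document-looking double extensions and files whose bytes are a Windows shortcut regardless of their name. The following is an added example written for this article, not tooling from the campaign report or from DefendMyBusiness. It handles ZIP only, because Python's standard library has no RAR reader (a RAR check would need an external library, which this block does not use); the sample archive, its member names and the RISKY_EXTENSIONS list are constructed for illustration.

```python
import io
import zipfile

# File types that execute when double-clicked on Windows. A "please review
# this document" request has no legitimate reason to ship any of them.
# (Assumed list for this example; tune it to your own environment.)
RISKY_EXTENSIONS = {
    ".lnk", ".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".bat", ".cmd", ".ps1", ".msi", ".dll", ".iso", ".chm",
}

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), so a shortcut
# can be recognised from its first 20 bytes no matter what it is named.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def looks_like_lnk(data: bytes) -> bool:
    """True if the bytes begin with the Windows shortcut header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def extensions(member_name: str) -> list[str]:
    """All dotted suffixes of the final path component, lower-cased."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Inspect a ZIP attachment without extracting it.

    Returns (member name, reason) pairs for every member that should stop
    the recipient from opening it. An empty list means nothing obvious was
    found, not that the archive is safe.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in RISKY_EXTENSIONS:
                if len(exts) >= 2:
                    reason = f"document-looking name ending in executable type {last}"
                else:
                    reason = f"executable file type {last}"
                findings.append((info.filename, reason))
            # Name checks are easy to dodge, so also look at the content.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if looks_like_lnk(head) and last != ".lnk":
                findings.append((info.filename, "content is a Windows shortcut despite its name"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a ZIP shaped like the lure described in the article.

    The members are synthetic placeholders, not files from a real campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Interview Questions/Questions.docx", b"PK\x03\x04 placeholder docx bytes")
        # The actual lure: a shortcut with a document-looking double extension.
        zf.writestr("Interview Questions/Questions.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # A shortcut renamed to look like an image.
        zf.writestr("Interview Questions/thumbnail.png", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_archive(build_sample_lure()):
        print(f"BLOCK  {name}: {reason}")
```

Running the block flags the `.pdf.lnk` member and the mis-named shortcut while leaving the `.docx` alone. The header check matters more than the extension check: Windows hides the `.lnk` extension of shortcuts by default, so the recipient sees "Questions.pdf" with a PDF-looking icon, which is exactly the point of the double extension.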
—
Why Facebook Is a Dangerous Attack Surface for Businesses
Email security has improved substantially for small businesses over the last five years. Most modern email platforms block malicious attachments, flag impersonation attempts, and sandbox suspicious links. Facebook Messenger, LinkedIn InMail, and WhatsApp do none of that with anywhere near the same rigor.
Three factors make social media the weak link in 2026:
- No corporate security layer. Personal social accounts route messages through personal devices and consumer-grade security, not the company’s email gateway or EDR.
- Trust by default. Employees are conditioned to be suspicious of email. Most still treat a friendly LinkedIn connection as low risk.
- File-sharing is normalized. Recruiters, journalists, and consultants legitimately exchange documents over these channels all the time, so a RAR attachment from a “journalist” does not look out of place.
The practical risk is that an employee’s personal Facebook account becomes a delivery channel into your corporate network the moment they open that archive on a work laptop.
—
What Small Businesses Should Do This Week
If you have not already, take these three actions now.
1. Publish or refresh a social media security policy. Work documents do not belong in personal DMs. A one-paragraph policy that says “Files related to clients, finances, or operations must be exchanged only over company email or approved business channels” is enough to start. Circulate it, date it, and have your team acknowledge it in writing.
2. Audit your endpoint protection. Signature-based antivirus cannot reliably stop a RokRAT-class payload. At minimum, every company-owned device needs endpoint detection and response (EDR) that watches for behavioral indicators — a Word document that spawns PowerShell, an archive file that extracts and runs a binary, an outbound connection to an unfamiliar cloud storage host. Managed detection and response (MDR) layers a 24/7 human SOC on top of that, which most small businesses cannot staff internally.
3. Retrain your team on cross-channel phishing. If your last phishing awareness training focused only on email, update it this month. Include examples of LinkedIn recruiter scams, Facebook DM pretexts, and WhatsApp voice-message phishing. Your people are smart — they just have not been trained to be skeptical in the same way on social platforms as they are on email.
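The three behavioral indicators listed under action 2 are easy to state and worth seeing as actual detection logic, because each one is a relationship between events (parent and child process, process and destination host) rather than a file signature. The block below is an added example written for this article, not a rule set from any EDR vendor or from the campaign report. It runs three rules over constructed JSON-lines process and network telemetry: an Office application spawning a script host, an archiver launching a binary out of a Temp directory, and a process other than the official client or a browser talking to the cloud storage services the article names (Dropbox, pCloud). The process-name sets, the expected-client allowlist and every sample path and hostname are assumptions for the sample environment.

```python
import json
from pathlib import PureWindowsPath

# Process names used by the three rules. All of these sets are assumptions
# for the sample environment; a real deployment tunes them to its own fleet.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
# Cloud storage services named in the article, matched by domain suffix.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com", "pcloud.com")
# Programs expected to talk to those services (official clients, browsers).
EXPECTED_CLOUD_CLIENTS = {"dropbox.exe", "pcloud.exe", "chrome.exe",
                          "msedge.exe", "firefox.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_temp_path(path: str) -> bool:
    """True for anything executed out of a Temp/Tmp directory."""
    parts = {p.lower().strip("\\") for p in PureWindowsPath(path).parts}
    return bool(parts & {"temp", "tmp"})


def is_cloud_storage_host(host: str) -> bool:
    """Suffix match so that subdomains count and look-alike domains do not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def evaluate(event: dict) -> list[tuple[str, str, str]]:
    """Apply the three behavioural rules to one event; return (rule, ts, detail)."""
    alerts = []
    ts = event["ts"]
    if event["type"] == "process":
        child, parent = image_name(event["image"]), image_name(event["parent_image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", ts, f"{parent} -> {child}"))
        if parent in ARCHIVERS and is_temp_path(event["image"]):
            alerts.append(("archive_runs_extracted_binary", ts, f"{parent} -> {event['image']}"))
    elif event["type"] == "network":
        proc, host = image_name(event["image"]), event["dest_host"]
        if is_cloud_storage_host(host) and proc not in EXPECTED_CLOUD_CLIENTS:
            alerts.append(("unexpected_cloud_storage_client", ts, f"{proc} -> {host}"))
    return alerts


def scan_log(lines) -> list[tuple[str, str, str]]:
    """Run every JSON-lines event through the rules, in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


# Constructed sample telemetry (one JSON object per line), not real EDR output.
SAMPLE_LOG = r"""
{"ts": "2026-04-16T09:12:01Z", "type": "process", "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe"}
{"ts": "2026-04-16T09:12:40Z", "type": "process", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2026-04-16T09:12:44Z", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ts": "2026-04-16T09:15:03Z", "type": "process", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\review\\Questions.exe", "parent_image": "C:\\Program Files\\WinRAR\\WinRAR.exe"}
{"ts": "2026-04-16T09:15:09Z", "type": "network", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443}
{"ts": "2026-04-16T09:16:00Z", "type": "network", "image": "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443}
{"ts": "2026-04-16T09:16:30Z", "type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.dropbox.com", "dest_port": 443}
"""

if __name__ == "__main__":
    for rule, ts, detail in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} ALERT {rule}: {detail}")
```

On the sample log the first rule fires on WINWORD.EXE launching powershell.exe, the second on WinRAR.exe launching an extracted executable from Temp, and the third on powershell.exe contacting api.dropboxapi.com; the official Dropbox client and the browser reaching the same services produce nothing. That last contrast is the practical answer to "the traffic looks like normal cloud usage": the destination is normal, the process making the connection is not, and that pairing is what a behavior-based EDR or MDR rule keys on.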
The businesses that get hit hardest in 2026 are not the ones with no security. They are the ones whose security was sized for 2022’s threat landscape.
—
The essentials
- APT37 is actively using Facebook to deliver RokRAT malware in an April 2026 campaign.
- The attack relies on patient social engineering — days of conversation before any payload is delivered.
- RokRAT performs credential harvesting, screen capture, and long-term file exfiltration using legitimate cloud services to evade detection.
- Small businesses are at elevated secondary risk because nation-state tactics typically spill into cybercrime playbooks within a year.
- Defense requires endpoint detection, social media usage policy, and awareness training that covers direct messages, not just email.
Questions answered
What is RokRAT malware?
RokRAT is a remote access trojan — a type of malware that gives an attacker full, covert control over an infected device. Once installed, it can steal passwords, capture screenshots, record keystrokes, exfiltrate files, and maintain persistent access for months. It is most strongly associated with APT37, a North Korean state-sponsored group.
How does APT37 deliver RokRAT through Facebook?
APT37 creates or takes over a Facebook profile that looks professionally relevant to the target — often a recruiter or journalist. After days of rapport-building conversation, the attacker sends a document in a RAR or ZIP archive under a plausible pretext, such as asking the target to review interview questions. Opening the archive executes RokRAT.
Is my small business really a target for North Korean hackers?
Probably not as a primary target, but that is the wrong question. Nation-state techniques spread quickly to cybercriminal groups that do target small businesses for credentials, banking access, and customer data. The right question is whether your defenses can catch the techniques, not the specific group.
How much does it cost to defend against APT-style attacks?
A credible defense package for a small business — EDR, email security, multi-factor authentication, and awareness training — typically runs $200 to $450 per month for a 15-person business. Managed detection and response adds another $200 to $500 per month but provides 24/7 monitoring.
Can antivirus software detect RokRAT?
Traditional signature-based antivirus often cannot. RokRAT uses living-off-the-land techniques and hides its traffic inside normal cloud service connections. Detection requires behavior-based EDR or MDR that watches for how processes behave, not just what they look like.
Should I block Facebook on work computers?
Blocking social media outright is rarely practical for small businesses where marketing, sales, and recruiting all use these channels. A better approach is to separate personal and work accounts, enforce that work files stay on work channels, and deploy EDR that can catch malicious payloads regardless of which app delivered them.