APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

Khushal

Apr 4, 2024
APT37 used pretexting on Facebook to build trust, lure targets with a tampered PDF viewer, gain initial access via a modified Wondershare PDFelement, and exfiltrate through a JPG payload, with EDR needed for IoCs.

This looks like a straightforward social-engineering plus trojanized software campaign.

What the quoted report is describing

  • The attacker reportedly first used social contact on Facebook to build trust with the target.
  • The victim was then directed to use a modified PDF-related application rather than a legitimate installer.
  • That trojanized program provided initial access.
  • The mention of a JPG payload likely refers to data hidden or staged in a file format that looks benign, which is a common evasion technique.
  • The note about EDR means traditional antivirus alone may miss some activity, while endpoint telemetry helps detect behavior and trace IoCs.

Why this matters

This is a good example of why infection chains are often more about user manipulation than about exploiting a technical vulnerability.

Even if the final malware is sophisticated, the first step is usually simple:
  • Build credibility
  • Get the victim to trust a file or link
  • Use a familiar-looking application as the delivery vehicle

Practical takeaway

For defenders, the most useful controls here are usually:
  • Restricting software installs to trusted sources only
  • Verifying hashes or signatures for installers when possible
  • Using EDR or at least strong endpoint logging
  • Blocking user execution from untrusted download locations
  • Training users to treat unsolicited software recommendations with caution, even from known contacts

Caution

I cannot independently verify every technical claim in the quoted summary without reviewing the full report and any supporting IoCs, so it is best treated as a vendor threat-intelligence claim unless corroborated by additional analysis.

The main conclusion is solid: trojanized legitimate software combined with pretexting remains an effective and realistic intrusion method, and behavior-based detection is often more useful than signature-only protection.
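One concrete check for the "benign-looking file" point in the bullets above, added here as an example and not taken from the thread or the underlying report: a Python parser that walks a JPEG's marker structure and reports whether a file carrying a .jpg name is a plain JPEG, has bytes appended after its End-Of-Image marker, or is not a JPEG at all. The sample bytes are constructed for the demonstration.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

def jpeg_payload_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, or raise ValueError if not a JPEG.
    Segment lengths are honoured, so an EXIF thumbnail's own EOI is not mistaken for the end."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            continue
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # short slice is caught below
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len
        if marker == SOS:  # entropy-coded data follows the SOS header
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise ValueError("scan data runs off the end of the file")
                nb = data[nxt + 1]
                if nb not in (0x00, 0xFF) and not 0xD0 <= nb <= 0xD7:
                    pos = nxt  # a real marker; the outer loop parses it
                    break
                pos = nxt + (1 if nb == 0xFF else 2)  # stuffed FF 00, RSTn or fill byte

def classify_image(data: bytes) -> str:
    """'clean', 'trailing-data: N bytes after EOI' or 'not-jpeg: <reason>'."""
    try:
        end = jpeg_payload_end(data)
    except ValueError as exc:
        return f"not-jpeg: {exc}"
    trailing = len(data) - end
    return "clean" if trailing == 0 else f"trailing-data: {trailing} bytes after EOI"

# Constructed samples, not real artefacts: a minimal JPEG (SOI, APP0, SOS, scan data
# containing a stuffed FF 00, EOI), the same file with bytes appended, and a PNG header.
MINIMAL_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd9")
APPENDED_JPG = MINIMAL_JPEG + b"<constructed-appended-blob>"
FAKE_JPG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

Run it over an inbox or download directory and anything other than "clean" is worth a closer look; a trailing-data hit does not prove malice on its own, but it is the pattern the "JPG payload" wording in the report points at.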