Severity Level: HIGH - Immediate Action Required

The Threat

The North Korean state-sponsored hacking group APT37, also tracked as ScarCruft, has launched a sophisticated multi-stage social engineering campaign using Facebook as its primary delivery channel. Unlike traditional phishing emails, threat actors are sending targets genuine Facebook friend requests, building trust over days or weeks before deploying malware.

Once a connection is established, the attacker uses the trusted relationship to deliver RokRAT - a powerful remote access trojan capable of stealing files, capturing keystrokes, recording audio, exfiltrating credentials, and giving attackers persistent access to the victim's device and network.

This is not a mass phishing campaign. APT37 is known for precision targeting of high-value individuals in government, diplomacy, defence, finance, and critical infrastructure sectors. The source of this alert is The Hacker News (April 2026): thehackernews.com.

Why East Africa Is Exposed

Facebook remains the dominant social media platform across Kenya, Ethiopia, Somalia, Uganda, and Tanzania, including among senior government officials, banking executives, and infrastructure managers. This is not a hypothetical risk - this is exactly the attack surface APT37 seeks to exploit.

East African institutions face compounded exposure for several reasons:

  • High Facebook adoption among decision-makers. Government ministers, central bank officials, and critical infrastructure managers across the Horn of Africa maintain active public Facebook profiles, often mixing professional and personal activity on a single account.
  • Immature social engineering awareness. Most cybersecurity training in the region focuses on email phishing. Very few organizations have security policies that cover social media contact from unknown individuals.
  • High-value intelligence targets. Kenya's role in regional peacekeeping (ATMIS), Ethiopia's geopolitical significance, Somalia's fragile financial system, and Djibouti's strategic port infrastructure all make Horn of Africa officials attractive intelligence targets for nation-state actors.
  • Regulatory exposure. A successful RokRAT compromise at a bank or government institution could trigger breach notification obligations under Kenya's Data Protection Act 2019, CBK cybersecurity guidelines, and sector-specific regulations - carrying both financial and reputational penalties.

What RokRAT Can Do Once Inside Your Network

RokRAT is not basic malware. Once deployed, it gives APT37 operators a persistent, stealthy foothold with capabilities including:

  • Exfiltration of documents, spreadsheets, and confidential communications
  • Real-time keylogging and clipboard capture (capturing passwords, banking credentials, internal system logins)
  • Microphone and camera activation for audio/video surveillance
  • Screenshot capture at set intervals
  • Lateral movement across connected internal networks
  • Cloud storage abuse (OneDrive, Dropbox, Google Drive) to blend exfiltration traffic with normal business activity

A single compromised device belonging to a Treasury official, central bank employee, or power utility administrator could expose entire institutional networks.

Immediate Actions - Do These Now

  • Issue an urgent staff advisory today. Alert all employees - especially senior officials and executives - not to accept Facebook friend requests from unknown individuals, and to report any suspicious connection attempts to your IT or security team immediately.
  • Audit social media policies. If your organization does not have a formal social media security policy, treat this alert as the trigger to draft one. It must cover personal and professional use of platforms including Facebook, LinkedIn, WhatsApp, and Telegram.
  • Deploy endpoint detection and response (EDR) tools. RokRAT is designed to evade legacy antivirus. Ensure endpoints - including personal devices used for work (BYOD) - are covered by modern EDR solutions capable of detecting behavioural anomalies, not just known signatures.
  • Review outbound traffic to cloud storage platforms. RokRAT uses legitimate cloud services for data exfiltration. Configure your SIEM or firewall to flag and inspect unusual volumes of data moving to Google Drive, OneDrive, or Dropbox from internal systems.
  • Conduct targeted phishing simulation including social media scenarios. Test whether your staff would accept a fake LinkedIn or Facebook connection followed by a malicious file download. If you have never run this simulation, you do not know your actual risk exposure.
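The cloud-storage traffic review above can be approximated with a peer-comparison check over proxy logs; this is an added example, not code from the advisory or from DRONGO, and the domain suffixes, log format, thresholds and sample lines are all constructed assumptions.

```python
"""Added example (not the advisory's own code): flag hosts uploading far more to cloud storage than their peers."""
import statistics
from collections import defaultdict

# Illustrative API host suffixes for OneDrive (Graph), Dropbox and Google Drive;
# replace with the destinations your own proxy logs actually show.
CLOUD_STORAGE_SUFFIXES = ("graph.microsoft.com", "dropboxapi.com", "googleapis.com")

# Constructed proxy log lines: "<epoch> <src_host> <method> <dest_host> <bytes_sent>"
SAMPLE_LOG = """\
1712000000 fin-ws-01 POST graph.microsoft.com 18000
1712000010 fin-ws-02 POST content.dropboxapi.com 22000
1712000020 fin-ws-03 POST www.googleapis.com 15000
1712000030 fin-ws-04 POST content.dropboxapi.com 20000
1712000040 fin-ws-05 GET www.googleapis.com 500
1712000050 treasury-lt-07 POST content.dropboxapi.com 48000000
1712000060 treasury-lt-07 POST content.dropboxapi.com 51000000
1712000070 fin-ws-01 PUT www.googleapis.com 12000
"""

def is_cloud_storage(dest_host):
    # Exact match or a subdomain; "evil-googleapis.com" must not match.
    return any(dest_host == s or dest_host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def upload_bytes_per_host(log_text):
    """Sum bytes sent in upload-style requests (POST/PUT) to cloud storage, per source host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, src, method, dest, sent = fields
        if method in ("POST", "PUT") and is_cloud_storage(dest):
            totals[src] += int(sent)
    return dict(totals)

def flag_outliers(totals, mad_factor=5.0, min_bytes=5_000_000):
    """Hosts whose cloud upload volume sits far above the fleet: baseline is the
    median, spread is the median absolute deviation (so the outlier cannot inflate
    its own threshold), and min_bytes is an absolute floor so a small fleet of
    near-identical peers never alerts on a few kilobytes of difference."""
    if len(totals) < 3:
        return {}  # too few peers for a meaningful comparison
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = max(min_bytes, med + mad_factor * mad)
    return {host: sent for host, sent in totals.items() if sent > threshold}
```

Running `flag_outliers(upload_bytes_per_host(SAMPLE_LOG))` on the constructed lines flags only treasury-lt-07; in production the comparison should be run per time window and combined with a per-host historical baseline rather than peers alone.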

DRONGO Recommendation

APT37 campaigns succeed because of gaps in human vigilance, endpoint visibility, and network monitoring - three areas where most East African institutions remain under-invested. DRONGO's Managed SOC, Endpoint Detection and Response, and Security Awareness Training programmes are built specifically for government and financial sector environments across the Horn of Africa.

Is your organization protected? Request a free security assessment.