North Korean APT37 Uses Fake Microsoft Security Alerts to Deploy NarwhalRAT Malware

Cybersecurity researchers have uncovered a new phishing campaign by the North Korean state-sponsored threat group ScarCruft (APT37), which is using fraudulent Microsoft security notifications to distribute a sophisticated remote access trojan (RAT) known as NarwhalRAT.

According to findings from the Genians Security Center (GSC), attackers are sending spear-phishing emails that closely resemble legitimate Microsoft account security alerts. The emails warn recipients about suspicious account activity involving repeated one-time password (OTP) generation attempts, creating a sense of urgency and prompting users to open a malicious attachment.

How the Attack Works

The phishing email claims that abnormal activity has been detected on the recipient’s Microsoft account and advises them to review an attached security advisory. However, instead of a legitimate document, the attachment is a ZIP archive containing a malicious Windows shortcut (LNK) file.

Once executed, the LNK file triggers a multi-stage infection process designed to evade detection and establish long-term access to the compromised system.

Infection Chain Breakdown

The attack follows several carefully orchestrated steps:

  1. The victim opens the malicious LNK file.
  2. Batch scripts are executed in the background.
  3. Additional components, including NarwhalRAT, are downloaded.
  4. A legitimate Python executable is retrieved from the official Python website.
  5. A Windows security catalog (CAT) file is installed.
  6. A scheduled task is created to maintain persistence.
  7. The main malware payload is loaded directly into memory, leaving minimal traces on disk.

Loading the final payload into memory rather than writing it to disk helps the malware evade file-based detection, although the batch scripts, the downloaded Python runtime and the scheduled task from the earlier steps still leave artifacts on the host.

What Can NarwhalRAT Do?

NarwhalRAT is a Python-based malware designed for extensive surveillance and remote control. Once active, it can:

  • Log keystrokes entered by victims
  • Capture high-resolution screenshots
  • Record ambient audio through connected microphones
  • Collect information about active windows and running applications
  • Upload files and directory contents
  • Gather data from connected USB devices
  • Execute commands received from command-and-control (C2) servers
  • Switch between multiple C2 servers when needed

These capabilities provide attackers with significant visibility and control over infected systems.

Why the Name “NarwhalRAT”?

Researchers named the malware NarwhalRAT because it stores stolen information inside a hidden directory located at:

%APPDATA%\naverwhale

The folder name mimics Naver Whale, a popular web browser developed by South Korean technology company Naver. By disguising malicious data as legitimate browser files, the malware attempts to avoid raising suspicion among users and security tools.

A Shift Away from RokRAT

APT37 has historically been associated with the RokRAT malware family. The emergence of NarwhalRAT suggests the group is expanding its malware toolkit and adopting more advanced attack techniques.

Researchers note that NarwhalRAT incorporates a modern, Python-based architecture featuring multi-stage loading mechanisms, in-memory execution, and flexible command-and-control capabilities.

Command-and-Control Infrastructure

One notable aspect of the campaign is its use of legitimate and compromised services for communication.

The malware reportedly utilizes Korean websites such as:

  • daehoat.com
  • novel21.co.kr

These websites act as communication relays between infected systems and attacker-controlled infrastructure.

Additionally, NarwhalRAT integrates support for the pCloud API, enabling attackers to use cloud storage as a secondary communication channel. This “dead drop resolver” technique allows threat actors to hide malicious activity within legitimate cloud services, making detection more challenging.

Similarities to Previous ScarCruft Campaigns

Security analysts observed several similarities between this campaign and previous ScarCruft operations.

Earlier attacks used phishing lures such as:

  • Event invitations
  • Ticket confirmations
  • Official-looking notifications

In many cases, victims were tricked into opening ZIP archives containing malicious LNK files that initiated a nearly identical infection process.

Researchers also identified consistent naming patterns in the scheduled tasks used for persistence. Examples include:

  • MicrosoftUserInterfacePicturesUpdateTackMachine
  • MicrosoftMusicLibrariesPackageTaskMachine

Such naming conventions are designed to blend in with legitimate Windows system tasks.
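As an added illustration that is not part of the Genians report or this article, the following Python triage function applies the host and network indicators described above (scheduled tasks in the Microsoft...TaskMachine style whose action lives in a user-writable path, writes under %APPDATA%\naverwhale, python.exe launched by cmd.exe from a user profile, and DNS lookups for the two relay domains) to a constructed batch of simplified endpoint events. The event schema, the field names and the sample records are assumptions made for the example; the indicator values come from the text.

```python
import re

# Indicators are those named in the write-up; the event schema is a constructed,
# simplified stand-in for Sysmon/Security-log records, not the article's data.
TASK_NAME_RE = re.compile(r"^Microsoft[A-Za-z]+(Task|Tack)Machine$")
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
NARWHAL_DIR_RE = re.compile(r"\\AppData\\Roaming\\naverwhale(\\|$)", re.I)  # %APPDATA%\naverwhale
RELAY_DOMAINS = {"daehoat.com", "novel21.co.kr"}

def triage_events(events: list[dict]) -> list[str]:
    """Return one finding per event that matches a NarwhalRAT indicator."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "task_created":
            # Name alone is weak (genuine Microsoft updater tasks use the same
            # *TaskMachine style), so also require a user-writable action path.
            if TASK_NAME_RE.match(ev["task"]) and USER_WRITABLE_RE.search(ev["action"]):
                findings.append(f"persistence: task {ev['task']} runs {ev['action']}")
        elif kind == "file_create" and NARWHAL_DIR_RE.search(ev["path"]):
            findings.append(f"staging: write under naverwhale directory {ev['path']}")
        elif kind == "process_create":
            # Assumption: python.exe launched by a batch script (cmd.exe) from a
            # user-profile path, reflecting steps 2-4 and 7 of the chain.
            if (ev["image"].lower().endswith("python.exe")
                    and ev["parent"].lower().endswith("cmd.exe")
                    and USER_WRITABLE_RE.search(ev["image"])):
                findings.append(f"execution: cmd.exe started user-profile {ev['image']}")
        elif kind == "dns_query" and ev["query"].lower() in RELAY_DOMAINS:
            findings.append(f"c2 relay: DNS lookup for {ev['query']}")
    return findings

# Constructed sample telemetry (not from the article), with benign noise mixed in.
SAMPLE_EVENTS = [
    {"type": "task_created", "task": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "task_created", "task": "MicrosoftMusicLibrariesPackageTaskMachine",
     "action": r"C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\naverwhale\keys.log"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "image": r"C:\Python312\python.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "dns_query", "query": "novel21.co.kr"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The benign Edge updater task and the system-wide Python install in the sample are deliberately left unflagged, which is why the task check requires a user-writable path and the process check requires a cmd.exe parent.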

Final Thoughts

NarwhalRAT represents a significant evolution in ScarCruft’s cyber-espionage capabilities. By combining spear-phishing tactics, fileless execution, cloud-based command channels, and extensive surveillance features, the malware poses a serious threat to targeted organizations and individuals.

The campaign highlights the continued effectiveness of social engineering attacks and underscores the importance of verifying unexpected security alerts, avoiding suspicious attachments, and maintaining strong endpoint protection measures.

As threat actors continue refining their techniques, organizations must remain vigilant against increasingly sophisticated phishing campaigns and advanced persistent threats (APTs).
