The North Korean group ScarCruft (APT37), according to South Korean company Genians Security Center, has launched a new targeted phishing campaign using a previously undocumented remote access trojan NarwhalRAT. The attackers send emails that imitate Microsoft account security notifications, warning about anomalous activity and repeated generation of one-time passwords. The goal is to trick the victim into opening an attached ZIP archive containing a malicious LNK file that starts a multi-stage infection chain. The campaign targets Windows users and poses a serious threat primarily to South Korean organizations.
Initial access mechanism
As Genians reports, the phishing email is formatted as a legitimate Microsoft Account security alert. The body warns the recipient about suspicious activity—alleged phishing attempts by third parties associated with repeated generation of one-time passwords (OTP). The victim is prompted to review the attached “advisory document” and change their password.
The attachment is disguised as an HWP (Hangul Word Processor—the standard document format in South Korea) file but is in fact a ZIP archive containing a malicious LNK file. The tactic relies on creating a false sense of urgency—a classic social engineering technique whose effectiveness increases when the visual style of Microsoft notifications is closely imitated.
Infection chain and persistence techniques
Launching the LNK file triggers a multi-stage infection chain:
- The LNK file activates intermediary batch scripts that download components from a remote control server
- A legitimate Python executable is downloaded from the official website—a technique that makes detection by antivirus solutions more difficult
- At the same time, a Windows security catalog (CAT) file is downloaded and used to deliver the main payload
- Persistence in the system is achieved via a scheduled task named MicrosoftUserInterfacePicturesUpdateTackMachine
- The scheduled task launches the CAT file, which extracts and executes the main payload directly in memory, leaving no artifacts on disk
In-memory execution without writing to disk is a key feature that significantly complicates detection by traditional antivirus analysis and digital forensics.
NarwhalRAT capabilities
According to the researchers, NarwhalRAT is a Python-based remote access trojan with a wide range of data collection capabilities:
- Keystroke logging (keylogging)
- Taking screenshots, including support for high-resolution images
- Recording ambient audio via the microphone
- Exfiltration of directory contents and collection of data from USB media
- Collection of information about active windows
- Execution of commands received from the command-and-control (C2) server
- Dynamic switching between C2 servers
The name NarwhalRAT comes from the path %APPDATA%\naverwhale, which the malware uses for temporary storage of collected data. The hidden directory imitates the folder of the Naver Whale browser developed by South Korean company Naver Corporation—a camouflage technique based on the assumption that administrators and security tools will overlook a familiar name.
Control infrastructure
The malware uses a multi-layer communication scheme with control servers. According to Genians, the following Korean websites are used as primary relays:
- daehoat[.]com
- novel21[.]co.kr
In addition, the code contains routines for interacting with the pCloud cloud storage API that handle the folderid and auth parameters. The researchers classify this as use of a legitimate cloud service as a backup control channel based on the dead drop resolver model (MITRE ATT&CK technique T1102.001). This approach makes it possible to disguise command traffic as ordinary interaction with cloud storage and provides resilience if the primary domains are blocked.
Links to previous campaigns
Genians notes multiple overlaps with previously documented Python-based attacks attributed to ScarCruft. In earlier campaigns, lures included ticket booking confirmations and event invitations delivered via ZIP archives with LNK files. The infection chain followed a similar pattern: the LNK file downloaded an obfuscated batch script, which then downloaded a Python executable and a CAT file, resulting in deployment of a compiled Python script with remote command execution capabilities.
A notable detail is the similar naming convention for scheduled tasks. While NarwhalRAT uses the name MicrosoftUserInterfacePicturesUpdateTackMachine, the task in the previous campaign was named MicrosoftMusicLibrariesPackageTaskMachine. Both strings imitate Microsoft system tasks and follow a common naming pattern.
It is important to note that attribution of the campaign to APT37 and the assessment of NarwhalRAT’s capabilities are based primarily on analysis by a single research center. At the time of publication, there is no independent confirmation from other vendors or government agencies.
Security recommendations
- Attachment filtering: configure mail gateways to block or quarantine ZIP archives containing LNK files. Legitimate Microsoft security notifications do not include attachments of this type
- Monitoring scheduled tasks: track creation of tasks with long names that imitate Microsoft system components, especially those containing word combinations such as “Microsoft*Task*Machine”
- Blocking indicators of compromise: add the domains daehoat[.]com and novel21[.]co.kr to blocklists at the DNS and proxy levels
- Cloud service control: where there is no business need, restrict access to the pCloud API at the network policy level
- Anomaly detection: configure EDR rules to detect downloads of Python executables from the internet followed by script execution, and to monitor creation of hidden directories in %APPDATA% with names that imitate legitimate software
- Staff training: inform employees that genuine Microsoft Account security notifications do not require opening attachments and do not contain ZIP archives
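As an added illustration of the scheduled-task and EDR recommendations above (example code written here, not code from Genians or from the report), the following Python triages scheduled task names against the "Microsoft*Task*Machine" pattern and flags a Python executable that is written into a user profile and then started. The event format, the allowlist entry and the sample telemetry are constructed assumptions; note that the NarwhalRAT task name spells "Tack" rather than "Task", so a rule matching only the literal "Task" would miss it.

```python
import re

# Scheduled-task rule from the recommendations ("Microsoft*Task*Machine").
# The NarwhalRAT name spells "Tack", so both spellings are accepted.
SUSPICIOUS_TASK = re.compile(r"Microsoft\w*(Task|Tack)\w*Machine", re.IGNORECASE)

# Task names quoted in the article for NarwhalRAT and the earlier campaign.
KNOWN_BAD_TASKS = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
# Legitimate names that also match the pattern; assumed baseline for this
# environment, to be built from a known-clean host rather than guessed.
ALLOWLISTED_TASKS = {"MicrosoftEdgeUpdateTaskMachineCore"}


def classify_task(name: str) -> str:
    """Return 'known-bad', 'suspicious' or 'ok' for one scheduled task name."""
    if name in KNOWN_BAD_TASKS:
        return "known-bad"
    if name in ALLOWLISTED_TASKS:
        return "ok"
    if SUSPICIOUS_TASK.search(name):
        return "suspicious"
    return "ok"


# EDR-style sequence rule: a Python binary created under C:\Users and then
# started from that same path within WINDOW seconds. Events are constructed
# dicts with "ts" (seconds), "type" and "path" keys.
USER_PROFILE = re.compile(r"^c:\\users\\", re.IGNORECASE)
PYTHON_EXE = re.compile(r"\\pythonw?\d*\.exe$", re.IGNORECASE)
WINDOW = 600


def detect_python_drop_and_run(events) -> list:
    """Return (drop_ts, run_ts, path) for each dropped-then-executed python."""
    drops, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev["path"].lower()
        if not (USER_PROFILE.match(path) and PYTHON_EXE.search(path)):
            continue
        if ev["type"] == "file_create":
            drops[path] = ev["ts"]
        elif ev["type"] == "process_start" and path in drops:
            if ev["ts"] - drops[path] <= WINDOW:
                hits.append((drops[path], ev["ts"], ev["path"]))
    return hits


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\pyenv\python.exe"},
    {"ts": 1005, "type": "file_create", "path": r"C:\Users\alice\Downloads\notice.hwp"},
    {"ts": 1090, "type": "process_start", "path": r"C:\Users\alice\AppData\Roaming\pyenv\python.exe"},
    {"ts": 2000, "type": "process_start", "path": r"C:\Program Files\Python312\python.exe"},
]
```

The two checks are independent: a task name that matches the pattern but is not in the baseline, or a python.exe that appears and runs from a user-writable path, each deserve a look on their own.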
The NarwhalRAT campaign demonstrates the evolution of APT37’s toolkit toward modular Python-based solutions with in-memory execution and multi-channel command infrastructure. Organizations within the group’s potential target set—primarily South Korean government agencies and companies—should prioritize blocking the listed indicators of compromise, configuring monitoring of scheduled tasks, and restricting execution of LNK files from email attachments at the Group Policy level.