The North Korea-linked threat group ScarCruft, also tracked as APT37, has been observed deploying a malware strain called NarwhalRAT through spear-phishing emails impersonating Microsoft Account security notifications, according to findings published by Genians Security Center (GSC). Researchers stated that the campaign relied on deceptive emails crafted to resemble legitimate Microsoft security alerts warning recipients about suspicious account activity and the repeated generation of one-time passwords. The phishing messages attempted to create urgency by suggesting a compromise attempt against the victim's Microsoft Account while encouraging users to review an attached advisory and change their account credentials. Instead of a legitimate document, however, the attachment delivered a malicious infection chain designed to install remote access malware capable of extensive surveillance and system control.
According to GSC, the phishing emails instructed recipients to open what appeared to be a Hangul Word Processor document, but the actual attachment was a ZIP archive containing a malicious Windows shortcut file with an LNK extension. Once opened, the LNK file triggered a multi-stage infection process that relied on intermediary batch scripts to download and install NarwhalRAT. Researchers found that the attack chain also retrieved a legitimate Python executable from the official Python website, along with a Windows security catalog (.cat) file, to support execution. To maintain persistence on infected systems, the malware created scheduled tasks configured to execute the catalog file, which then fetched and ran the primary payload directly in memory rather than writing it to disk. This in-memory execution approach was designed to reduce forensic traces and complicate detection by conventional security monitoring. GSC noted that the phishing campaign used language intended to generate concern about one-time password abuse, making victims more likely to interpret the emails as genuine Microsoft security notifications.
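The lure described above is a ZIP that the email presents as a Hangul document but that actually carries a shortcut. The following triage routine is an added example written for this article, not code from GSC or from the campaign: it opens a ZIP in memory, reads only the first bytes of each member, and flags shortcuts by the MS-SHLLINK header (HeaderSize 0x4C plus the fixed LinkCLSID) rather than by file name alone, so a shortcut renamed to ".hwp" is caught as well as the classic ".hwp.lnk" double extension. The member names and the list of document extensions are constructed assumptions for the example.

```python
"""Triage a mail attachment ZIP for the LNK-in-archive lure ScarCruft used."""
from __future__ import annotations

import io
import struct
import zipfile
from dataclasses import dataclass

# Shell Link header constants from MS-SHLLINK: HeaderSize is always 0x4C and
# LinkCLSID is 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Document extensions a shortcut might be dressed up as. The Hangul entries
# follow the report; the rest are an assumption for this example.
DOCUMENT_EXTS = (".hwp", ".hwpx", ".docx", ".pdf")


@dataclass
class Finding:
    member: str
    reason: str


def looks_like_lnk(head: bytes) -> bool:
    """True if the bytes open with a Shell Link header (size field + CLSID)."""
    if len(head) < 20:
        return False
    header_size = struct.unpack_from("<I", head, 0)[0]
    return header_size == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def triage_zip(blob: bytes) -> list[Finding]:
    """Flag shortcut files inside a ZIP, whatever name they carry.

    Only the first 64 bytes of each member are read, so a decompression
    bomb cannot exhaust memory during triage.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(64)
            has_lnk_header = looks_like_lnk(head)
            named_lnk = lower.endswith(".lnk")
            if has_lnk_header and not named_lnk:
                findings.append(Finding(name, "Shell Link header under a non-.lnk name"))
            elif named_lnk and lower[:-4].endswith(DOCUMENT_EXTS):
                findings.append(Finding(name, "shortcut disguised as a document (double extension)"))
            elif named_lnk:
                findings.append(Finding(name, "Windows shortcut inside a mail attachment"))
    return findings


def fake_lnk_bytes() -> bytes:
    """Constructed stand-in for a shortcut: valid header, zeroed body."""
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)


def build_sample_zip() -> bytes:
    """Constructed attachment: one double-extension lure, one benign file,
    and one shortcut renamed to look like a plain Hangul document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Microsoft_account_security_notice.hwp.lnk", fake_lnk_bytes())
        zf.writestr("readme.txt", b"Please review the attached advisory.\n")
        zf.writestr("advisory.hwp", fake_lnk_bytes())
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Checking the header rather than the extension matters because Explorer hides the ".lnk" suffix and honours the shortcut's own icon, so the name a user sees is never a reliable signal; the 64-byte read is what keeps this safe to run on untrusted archives at a mail gateway.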
Researchers stated that NarwhalRAT possesses extensive capabilities that allow operators to monitor and collect sensitive information from compromised systems. The Python-based malware can record keystrokes, capture screenshots including high-resolution images, gather active window details, upload directory contents, collect information from USB storage devices, record surrounding audio, execute commands issued through command-and-control infrastructure, and dynamically switch communication servers when required. The malware derives its name from its use of a hidden directory at "%APPDATA%\naverwhale", which is used to stage stolen information before exfiltration. According to researchers, the directory name appears designed to mimic Naver Whale, a legitimate web browser developed by South Korean technology company Naver Corporation, in an apparent effort to avoid suspicion during security reviews. Security analysts noted that ScarCruft's use of NarwhalRAT represents a departure from RokRAT, the malware family historically associated with the group, indicating an evolution in operational tooling and attack techniques.
GSC also identified similarities between the newly observed activity and earlier Python-based campaigns attributed to ScarCruft, including operations that used ticket confirmations and event invitation themes to trick targets into opening ZIP files containing malicious LNK attachments. Researchers observed that the broader infection pattern remained consistent, with obfuscated batch scripts downloaded from remote command-and-control infrastructure later installing Python components and malware payloads capable of remote command execution. From an infrastructure perspective, NarwhalRAT reportedly used South Korean websites such as daehoat[.]com and novel21[.]co.kr as communication relays while integrating pCloud cloud storage API functionality as an additional command-and-control mechanism. GSC stated that the malware code contained routines associated with pCloud authentication and folder management, indicating that legitimate cloud services may have been used as secondary communication channels. Researchers also identified similarities in persistence techniques, including scheduled task names such as "MicrosoftUserInterfacePicturesUpdateTackMachine" and "MicrosoftMusicLibrariesPackageTaskMachine", reflecting consistent naming conventions across related ScarCruft campaigns.
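The scheduled task names, the staging directory and the relay domains above are the host- and network-side indicators a responder would sweep for. The script below is an added example for this article, not GSC's tooling: it reads a trimmed `schtasks /query /fo CSV /v` export (only the "TaskName" and "Task To Run" columns are used) and a handful of proxy log lines, and reports exact matches on the task names and relay hosts, any task action that references a .cat file or a `\naverwhale` path, and pCloud API traffic at a lower "review" severity because legitimate pCloud use exists. The sample CSV rows, the Python and update.cat paths in them, the log lines and the pCloud hostnames are constructed assumptions, not values from the report.

```python
"""Hunt a host for the NarwhalRAT persistence and relay indicators named above."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Scheduled task names GSC tied to the campaign (verbatim, including "Tack").
TASK_NAMES = {
    "MicrosoftUserInterfacePicturesUpdateTackMachine",
    "MicrosoftMusicLibrariesPackageTaskMachine",
}
# Relay domains named in the report, matched as exact hostnames.
RELAY_HOSTS = {"daehoat.com", "novel21.co.kr"}
# pCloud API hostnames are an assumption for the example; legitimate use
# exists, so a hit only warrants review rather than an alert.
PCLOUD_HOSTS = {"api.pcloud.com", "eapi.pcloud.com"}

STAGING_DIR = re.compile(r"\\naverwhale(?:\\|$)", re.IGNORECASE)
CATALOG_ARG = re.compile(r"\S+\.cat\b", re.IGNORECASE)
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


@dataclass
class Finding:
    source: str
    indicator: str
    severity: str  # "high" or "review"


def hunt_tasks(schtasks_csv: str) -> list[Finding]:
    """Check 'schtasks /query /fo CSV /v' output for the persistence pattern."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"].lstrip("\\")
        action = row.get("Task To Run", "")
        if name in TASK_NAMES:
            findings.append(Finding(name, "known ScarCruft task name", "high"))
        if CATALOG_ARG.search(action):
            # A .cat file is a signature catalog; a task action has no
            # business running or passing one to an interpreter.
            findings.append(Finding(name, "task action references a .cat file", "high"))
        if STAGING_DIR.search(action):
            findings.append(Finding(name, r"action references %APPDATA%\naverwhale", "high"))
    return findings


def hunt_connections(log_lines: list[str]) -> list[Finding]:
    """Match hostnames in proxy or DNS log lines against the relay indicators."""
    findings: list[Finding] = []
    for line in log_lines:
        for host in HOSTNAME.findall(line.lower()):
            if host in RELAY_HOSTS:
                findings.append(Finding(line.strip(), f"relay host {host}", "high"))
            elif host in PCLOUD_HOSTS:
                findings.append(Finding(line.strip(), f"pCloud API host {host}", "review"))
    return findings


# Constructed sample input: a benign built-in task and one task shaped like
# the reported persistence (python.exe invoking a .cat file under naverwhale).
SAMPLE_SCHTASKS_CSV = '''"TaskName","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\MicrosoftMusicLibrariesPackageTaskMachine","C:\\Users\\victim\\AppData\\Roaming\\python\\python.exe C:\\Users\\victim\\AppData\\Roaming\\naverwhale\\update.cat"
'''

# Constructed proxy log lines in a generic "timestamp client CONNECT host:port" shape.
SAMPLE_LOG_LINES = [
    "2025-03-04T09:12:31Z 10.0.0.5 CONNECT daehoat.com:443",
    "2025-03-04T09:12:40Z 10.0.0.5 CONNECT api.pcloud.com:443",
    "2025-03-04T09:13:02Z 10.0.0.5 CONNECT www.naver.com:443",
]


if __name__ == "__main__":
    for f in hunt_tasks(SAMPLE_SCHTASKS_CSV) + hunt_connections(SAMPLE_LOG_LINES):
        print(f"[{f.severity}] {f.source}: {f.indicator}")
```

The task-action checks are the durable part: operators rename tasks and rotate relay domains between campaigns, but the in-memory loader pattern, a scheduled task handing a catalog-extension file to an interpreter out of a user-profile directory, survives those changes and is cheap to sweep for across a fleet.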