PROBABLYPWNED
Malware | June 16, 2026 | 4 min read

APT37 Deploys NarwhalRAT via Fake Microsoft Security Alerts

North Korean hackers impersonate Microsoft Account security notifications to deliver NarwhalRAT, a Python-based RAT with keylogging, screen capture, and cloud-based C2.

James Rivera

North Korean state-sponsored hackers are impersonating Microsoft Account security notifications to trick South Korean targets into installing surveillance malware. The campaign, attributed to APT37 (also known as ScarCruft), deploys a previously undocumented remote access trojan called NarwhalRAT.

The phishing emails claim "abnormal activity" related to repeated one-time password generation, creating urgency around a supposed account compromise. But the attached "documentation" is actually a ZIP archive containing a malicious LNK file that kicks off a multi-stage infection chain.

Attack Methodology

According to analysis from Genians threat intelligence, the attack begins with spear-phishing emails that closely mimic legitimate Microsoft security alerts. The messages warn recipients that someone may be attempting to abuse OTPs associated with their Microsoft Account.

Rather than linking to a phishing page, the emails include a ZIP attachment purportedly containing account security documentation. Inside is an LNK file that, when executed, triggers a batch script chain that ultimately deploys NarwhalRAT.

The malware is compiled Python bytecode hidden behind a .cat file extension—an unusual choice that helps it evade signature-based detection. The payload is decrypted and executed in memory through ctypes, leaving minimal disk artifacts for forensic recovery.
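The infection chain above (a ZIP "documentation" attachment carrying an LNK, and compiled Python bytecode parked behind a .cat extension) can be caught at the mail gateway with content checks rather than extension checks. The following is an added example, not code from the report or from Genians: it builds a constructed lure archive in memory and flags members by their real headers. The LNK header bytes (HeaderSize 0x4C plus the ShellLink CLSID), the `.pyc` magic layout (two version bytes followed by `\r\n`) and the fact that a genuine Windows catalog is PKCS#7 DER starting with an ASN.1 SEQUENCE (0x30) are general file-format facts; the member names and byte contents are constructed for the demo.

```python
from __future__ import annotations

import io
import zipfile
from importlib.util import MAGIC_NUMBER

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions that have no business inside an "account security documentation" archive.
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1"}


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a ZIP member is suspicious (empty list means nothing found)."""
    reasons: list[str] = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data.startswith(LNK_MAGIC):
        reasons.append("Shell Link (LNK) header regardless of extension")
    # Compiled Python bytecode: a version-specific 2-byte magic followed by b"\r\n".
    if len(data) >= 4 and data[2:4] == b"\r\n":
        reasons.append("compiled Python bytecode (.pyc) magic")
    # A genuine Windows security catalog (.cat) is PKCS#7 DER, so it starts with
    # an ASN.1 SEQUENCE tag (0x30); anything else is not a catalog.
    if ext == ".cat" and not data.startswith(b"\x30"):
        reasons.append(".cat extension but content is not a PKCS#7 catalog")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; only the first 4 KiB is inspected."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive for the demo; none of these bytes come from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Account_Security_Guide.pdf", b"%PDF-1.4 harmless placeholder")
        # Double extension plus a real LNK header, the shape an LNK-in-ZIP lure takes.
        zf.writestr("Account_Security_Guide.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # Bytecode magic of the running interpreter hidden behind a .cat name.
        zf.writestr("update.cat", MAGIC_NUMBER + b"\x00" * 12)
        # A DER prefix, as a real catalog would start with.
        zf.writestr("real.cat", b"\x30\x82\x01\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

The point of checking headers rather than names is that a renamed LNK or bytecode file still carries its magic; the `.cat` rule works the other way round, rejecting any file that claims to be a catalog but does not parse as one.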

APT37 has refined its social engineering techniques over years of operations, and the Microsoft impersonation represents their latest evolution. Previous campaigns used ticket confirmations, event invitations, and Korean messaging app (KakaoTalk) lures delivered through similar ZIP-archived LNK files.

NarwhalRAT Capabilities

The Python-based RAT is equipped with extensive surveillance functionality:

  • Keystroke logging that captures all typed input
  • Screenshot capture supporting high-resolution images
  • Ambient audio recording via system microphone
  • Active window monitoring that logs which applications victims use
  • USB media collection that harvests files from connected drives
  • Arbitrary command execution from C2 operators
  • C2 server switching to maintain access if one relay goes down

The focus on comprehensive surveillance rather than destructive capabilities suggests intelligence collection is the primary objective—consistent with APT37's known mandate of supporting North Korean government interests. The capability set closely resembles other North Korean RATs that prioritize data collection over system disruption.

Command and Control Infrastructure

NarwhalRAT uses a multi-channel approach for C2 communications that complicates blocking and attribution.

The primary relays are compromised Korean websites, including daehoat[.]com and novel21[.]co.kr. Using legitimate but hacked domestic sites helps traffic blend with normal browsing patterns and avoids the reputation flags associated with freshly registered domains.

A secondary channel uses the pCloud cloud storage API as a dead-drop resolver. The malware communicates using 'folderid' and 'auth' parameters to retrieve commands, leveraging the legitimate cloud service to evade network-based detection.

Persistence Mechanism

NarwhalRAT establishes persistence through a scheduled task named "MicrosoftUserInterfacePicturesUpdateTackMachine"—a name designed to look like legitimate Windows update activity at a casual glance. The scheduled task executes CAT files responsible for fetching and running payloads in memory.

The in-memory execution model means the actual malware rarely touches disk after initial infection. This design choice reduces detection opportunities and complicates incident response, since memory-resident implants don't leave the same forensic trail as file-based malware.
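A task name that merely contains "Microsoft" is easy to spot once you compare it with where Microsoft's own tasks live and with what the task actually runs. The following is an added example, not code from the report: it parses a constructed export in the column layout of `schtasks /query /fo CSV /v` (only a handful of the real columns are reproduced) and scores each task. The second row reuses the task name quoted above; the host name, author and command line around it are constructed, and the heuristics (Microsoft-themed name outside the `\Microsoft\` folder, non-Microsoft author, a `.cat` file as the action, user-writable paths, script interpreters) are the editor's, not indicators from the report.

```python
from __future__ import annotations

import csv
import io
import re

# Constructed sample in the column layout of `schtasks /query /fo CSV /v` (subset of columns).
# Row 2 carries the task name reported for NarwhalRAT; everything else is filler.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","%systemroot%\system32\sc.exe start wuauserv"
"WS01","\MicrosoftUserInterfacePicturesUpdateTackMachine","Ready","WS01\user","cmd.exe /c C:\Users\user\AppData\Local\Temp\update.cat"
"WS01","\Backup Sync","Ready","WS01\admin","C:\Program Files\BackupTool\sync.exe"
'''

MS_TASK_FOLDER = "\\microsoft\\"  # folder prefix under which Microsoft's own tasks are registered
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
INTERPRETERS = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I
)


def assess_task(row: dict[str, str]) -> list[str]:
    """Return the reasons one exported task row looks like a masquerading persistence entry."""
    name = row["TaskName"]
    action = row["Task To Run"]
    lname = name.lower()
    reasons: list[str] = []
    if "microsoft" in lname and not lname.startswith(MS_TASK_FOLDER):
        reasons.append("Microsoft-themed name outside the \\Microsoft\\ task folder")
    if "microsoft" in lname and row["Author"] != "Microsoft Corporation":
        reasons.append("Microsoft-themed name but non-Microsoft author")
    if re.search(r"\.cat\b", action, re.I):
        reasons.append("action runs a .cat file (catalogs are not executable)")
    if USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable directory")
    if INTERPRETERS.search(action):
        reasons.append("action goes through a script/command interpreter")
    return reasons


def find_suspicious_tasks(csv_text: str) -> dict[str, list[str]]:
    """Map each flagged TaskName in a schtasks CSV export to its reasons."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```

On a real fleet the CSV would come from each endpoint (or from the Task Scheduler event log), and the folder and author checks do the heavy lifting: a legitimate Microsoft task is registered under `\Microsoft\` with Microsoft as author, so a root-level task wearing a Microsoft name and invoking a non-executable file type needs a human look.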

Why This Matters

APT37 continues to demonstrate operational maturity, combining social engineering with technical sophistication. The Microsoft impersonation is well-crafted, exploiting the trust users place in security notifications from major platforms. When an email claims your account is compromised, the natural response is to investigate—which is exactly what triggers the infection.

The use of legitimate cloud services for C2 follows a pattern we've seen across multiple APT groups this year. Network defenders can't simply block pCloud without disrupting legitimate business use, and traffic to the service looks indistinguishable from normal file synchronization.

For organizations with exposure to Korean peninsula geopolitics—including government agencies, think tanks, defense contractors, and media organizations covering North Korea—this campaign represents a credible threat. Security awareness training should include examples of sophisticated phishing that impersonates platform security alerts, and email gateways should be configured to flag executable content hidden inside archives.

South Korean organizations should review their scheduled tasks for suspicious entries masquerading as Microsoft processes, and network security teams should consider monitoring traffic to pCloud for anomalous patterns that could indicate C2 activity.
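Monitoring pCloud for "anomalous patterns", as recommended above and as the dead-drop channel described under Command and Control calls for, means separating sync clients from implants that poll a folder on a timer. The following is an added example, not code or detection content from the report: it runs over constructed proxy log lines (the IPs, timestamps and user-agent strings are made up; the `api.pcloud.com`/`eapi.pcloud.com` hostnames and the `listfolder` path are assumed pCloud API details, while `folderid` and `auth` are the parameters the report names) and flags clients that hit the API with those parameters from a scripted user agent or on a machine-regular cadence.

```python
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not real telemetry): timestamp, client IP, method, URL, user agent.
# 10.1.2.34 polls every ~5 minutes from a scripted client; 10.1.2.57 is an ordinary sync client.
SAMPLE_PROXY_LOG = """\
2026-06-16T09:00:03Z 10.1.2.34 GET https://api.pcloud.com/listfolder?folderid=1234567&auth=REDACTED_TOKEN "python-requests/2.31.0"
2026-06-16T09:05:02Z 10.1.2.34 GET https://api.pcloud.com/listfolder?folderid=1234567&auth=REDACTED_TOKEN "python-requests/2.31.0"
2026-06-16T09:10:04Z 10.1.2.34 GET https://api.pcloud.com/listfolder?folderid=1234567&auth=REDACTED_TOKEN "python-requests/2.31.0"
2026-06-16T09:15:03Z 10.1.2.34 GET https://api.pcloud.com/listfolder?folderid=1234567&auth=REDACTED_TOKEN "python-requests/2.31.0"
2026-06-16T09:02:11Z 10.1.2.57 GET https://api.pcloud.com/listfolder?folderid=99&auth=REDACTED_TOKEN "pCloudDrive-constructed/3.0"
2026-06-16T11:47:20Z 10.1.2.57 GET https://api.pcloud.com/listfolder?folderid=99&auth=REDACTED_TOKEN "pCloudDrive-constructed/3.0"
2026-06-16T09:03:00Z 10.1.2.80 GET https://www.example.com/index.html "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
PCLOUD_HOSTS = {"api.pcloud.com", "eapi.pcloud.com"}  # assumed pCloud API hostnames
DEAD_DROP_PARAMS = {"folderid", "auth"}                # query parameters named in the report
SCRIPTED_UA = re.compile(r"python-(requests|urllib)|curl/|wget/", re.I)


def parse_line(line: str) -> dict[str, object]:
    """Split one constructed proxy line into timestamp, client, host, query keys and user agent."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, client, _method, url, ua = m.groups()
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "host": parts.hostname,
        "params": set(parse_qs(parts.query)),
        "ua": ua,
    }


def beacon_regularity(timestamps: list[datetime]) -> float | None:
    """Coefficient of variation of the gaps between requests; near 0 means a timer, None if < 3 requests."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def find_dead_drop_candidates(log_text: str, cv_threshold: float = 0.2) -> dict[str, list[str]]:
    """Map each client IP to the reasons its pCloud API traffic looks like dead-drop polling."""
    per_client: dict[str, list[dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["host"] in PCLOUD_HOSTS and DEAD_DROP_PARAMS <= ev["params"]:
            per_client[ev["client"]].append(ev)

    findings: dict[str, list[str]] = {}
    for client, events in per_client.items():
        reasons: list[str] = []
        if any(SCRIPTED_UA.search(e["ua"]) for e in events):
            reasons.append("scripted user agent on pCloud folder lookups")
        cv = beacon_regularity([e["ts"] for e in events])
        if cv is not None and cv < cv_threshold:
            reasons.append(f"timer-like polling cadence (cv={cv:.3f}) over {len(events)} requests")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_dead_drop_candidates(SAMPLE_PROXY_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Neither signal blocks pCloud for anyone: the sync client with two requests hours apart and a product user agent passes, while the host that asks for the same folder every five minutes from a scripting library is what gets raised for triage. In production the cadence test needs a longer window than four requests and a per-client baseline, but the structure is the same.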
