North Korean APT 'ScarCruft' Unleashes New NarwhalRAT Via Microsoft-Themed Phishing
A North Korean state-sponsored hacking group, **ScarCruft** (also known as **APT37**), has been observed deploying a new Python-based malware named **NarwhalRAT**. The campaign leverages sophisticated spear-phishing emails impersonating **Microsoft** account security alerts, designed to trick users into downloading malicious attachments.
The **Genians Security Center (GSC)** documented the campaign. Its write-up covers the lure, the multi-stage loader and the previously unknown **NarwhalRAT** payload the chain delivers.
According to **GSC**, the deceptive emails are crafted to generate urgency and concern over potential account compromise, urging recipients to open an attached advisory. However, the attachment is not a legitimate document but a ZIP archive containing a malicious LNK file.
### The Deceptive LNK File and Multi-Stage Infection
The phishing message claims "abnormal activity" related to repeated one-time password generation, framing it as a third-party phishing attempt against the victim's **Microsoft** account. The irony is deliberate: the lure warns of a phishing attack in order to carry one out, and the urgency it manufactures is what gets the attachment opened as a genuine security alert.
Once executed, the LNK file initiates a multi-stage infection chain: intermediary batch scripts download and install **NarwhalRAT**, fetching a legitimate **Python** executable from the official **Python** website along with a file carrying the **Windows** security catalog (CAT) extension.
Persistence is established through a scheduled task configured to launch the CAT file, which in turn fetches the main payload and executes it directly in memory. A genuine security catalog holds only signature data and cannot run anything, so the CAT here is evidently a script under a misleading extension, presumably executed by the downloaded interpreter. Keeping the payload in memory limits on-disk forensic artifacts, but the interpreter, the batch scripts, the CAT loader and the scheduled task itself all remain on disk as evidence for responders.
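The persistence step above is the most durable host artifact in the chain, so it is a natural hunting target. The following is an added example for this article, not code from Genians or from the malware: it parses exported Task Scheduler XML (what `schtasks /query /xml` or a Task Scheduler export produces) and flags tasks whose action runs a Python interpreter from a user-writable directory and hands it a .cat file. The interpreter path, the .cat file name and the two benign tasks in `SAMPLE_TASKS` are constructed assumptions; only the task name comes from the report.

```python
"""Hunt exported Windows scheduled tasks for the loader pattern described
above: a task launching a Python interpreter dropped into a user-writable
directory with a .cat file as its script.

Added example; not Genians' or the malware's code. The interpreter path,
.cat file name and benign tasks below are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every exported Task Scheduler definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to, as env-var or literal paths.
USER_WRITABLE = re.compile(
    r"(%(local)?appdata%|%temp%|%programdata%|%public%"
    r"|\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\)", re.I)
# python.exe / pythonw.exe / python3.12.exe as the Exec command.
PYTHON_EXE = re.compile(r"(^|\\)pythonw?\d*(\.\d+)?\.exe$", re.I)
# A .cat file on the interpreter's command line. A real security catalog
# is a signature container, never a script, so this is anomalous.
CAT_ARG = re.compile(r"\.cat\b", re.I)
# Both ScarCruft chains used Microsoft<Words>TaskMachine (one spelt
# "TackMachine"); treat the name alone as a weak indicator.
TASK_NAME = re.compile(r"^Microsoft[A-Za-z]+Ta[cs]kMachine$")

SAMPLE_TASKS = [
    # Constructed: mimics the reported chain (name from the report; the
    # interpreter path and .cat file name are assumptions).
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftUserInterfacePicturesUpdateTackMachine</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%APPDATA%\\Python\\pythonw.exe</Command>
    <Arguments>"%APPDATA%\\Python\\update.cat"</Arguments>
  </Exec></Actions>
</Task>""",
    # Constructed benign: a Windows Update orchestrator task.
    """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%systemroot%\\system32\\usoclient.exe</Command>
    <Arguments>StartScan</Arguments>
  </Exec></Actions>
</Task>""",
    # Constructed benign: admin-installed Python running a .py script.
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Backups\\NightlyReport</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Python312\\python.exe</Command>
    <Arguments>C:\\Scripts\\report.py</Arguments>
  </Exec></Actions>
</Task>""",
]


def parse_task(xml_text):
    """Return (task name, Exec command, Exec arguments) from task XML."""
    root = ET.fromstring(xml_text.strip())
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    return uri.rsplit("\\", 1)[-1], cmd.strip().strip('"'), args.strip()


def score_task(name, cmd, args):
    """Return the heuristics a task trips; an empty list means clean."""
    reasons = []
    if PYTHON_EXE.search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append("Python interpreter launched from a user-writable path")
    if PYTHON_EXE.search(cmd) and CAT_ARG.search(args):
        reasons.append(".cat file passed to the interpreter as its script")
    if TASK_NAME.match(name):
        reasons.append("name follows the Microsoft*TaskMachine convention")
    return reasons


def hunt_tasks(task_xmls):
    """Map task name -> reasons for every task that trips a heuristic."""
    findings = {}
    for xml_text in task_xmls:
        name, cmd, args = parse_task(xml_text)
        reasons = score_task(name, cmd, args)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for task, why in hunt_tasks(SAMPLE_TASKS).items():
        print(task)
        for reason in why:
            print("  -", reason)
```

Each heuristic is reported separately so an analyst can see why a task scored; the interpreter-in-AppData and .cat-as-script checks are the strong signals, while the name pattern alone should only raise priority, since attackers can rename the task trivially and a legitimate product could plausibly use a similar name.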
### NarwhalRAT's Extensive Capabilities
**NarwhalRAT** is a Python-based Remote Access Trojan (RAT) equipped with a wide array of surveillance and control capabilities, including:
* Logging keystrokes
* Capturing high-resolution screenshots
* Recording ambient audio
* Uploading directory contents
* Collecting active window details
* Gathering data from USB media
* Executing commands from a command-and-control (C2) server
* Switching C2 servers

### Evasion Techniques and C2 Infrastructure
The malware's name, **NarwhalRAT**, is derived from its use of a hidden directory, "%APPDATA%\naverwhale," to stage harvested information. This directory name is a deliberate attempt to evade detection by masquerading as **Naver Whale**, a popular web browser developed by South Korean tech company **Naver Corporation**.
This deployment of **NarwhalRAT** marks a notable shift for **APT37**, which has historically been associated with the **RokRAT** malware family, although the delivery tradecraft (ZIP archive, LNK file, batch-script loader) is continuous with the group's earlier Python-based activity.

For command and control, the malware uses Korean websites such as 'daehoat[.]com' and 'novel21[.]co.kr' as its primary communication relays. Notably, it also implements a communication channel built on the **pCloud** cloud storage API.
**Genians** identified **pCloud**-specific routines in the malware's code that handle the 'folderid' and 'auth' parameters of that API. This indicates the malware is designed to use a legitimate cloud service as a secondary C2 channel, which the report characterises as a [dead drop resolver](https://attack.mitre.org/techniques/T1102/001/). Strictly, a dead drop resolver only hosts the address of the real C2 server; if the **pCloud** folder also carries tasking or collected files, ATT&CK's Bidirectional Communication (T1102.002) is the closer mapping. Either way, the practical consequence for defenders is that blocking the relay domains alone does not cut the operator off.
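Because the **pCloud** channel rides on a legitimate service, network detection has to key on how the API is used rather than on the destination. The following is an added example for this article, not code from Genians or from the malware: it scans constructed proxy log lines for pCloud API calls that carry both an `auth` token and a `folderid` in the query string (the two parameters Genians saw the malware handle) and notes when the client is not a browser. The log format, every sample line, the token and the folder id are constructed placeholders.

```python
"""Flag pCloud API use that looks like malware tasking rather than a user
in a browser: requests to a pcloud.com host carrying both an 'auth' token
and a 'folderid' in the query string, especially from a non-browser UA.

Added example; not Genians' or the malware's code. The log format and all
lines in SAMPLE_LOG are constructed; token and folder id are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log format: <ts> <client> <http-method> <url> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
PCLOUD_HOST = re.compile(r"(^|\.)pcloud\.com$", re.I)
# pCloud JSON API calls are named by the last path segment.
FILE_CALLS = {"listfolder", "uploadfile", "getfilelink", "deletefile"}
# Mainstream browser UA fragments (Naver Whale identifies itself as Whale/).
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Whale/|Edg/", re.I)

SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 GET https://api.pcloud.com/listfolder?auth=EXAMPLETOKEN&folderid=123456 "python-requests/2.31.0"
2024-01-01T09:00:07Z 10.0.0.5 POST https://api.pcloud.com/uploadfile?auth=EXAMPLETOKEN&folderid=123456&filename=keys.log "python-requests/2.31.0"
2024-01-01T09:01:00Z 10.0.0.9 GET https://my.pcloud.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2024-01-01T09:02:00Z 10.0.0.7 GET https://www.microsoft.com/ "Mozilla/5.0 (Windows NT 10.0) Edg/120.0"
"""


def parse_line(line):
    """Split one log line into its fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def assess(rec):
    """Return reasons a single request is suspicious; [] if it is not."""
    parts = urlsplit(rec["url"])
    if not PCLOUD_HOST.search(parts.hostname or ""):
        return []
    qs = parse_qs(parts.query)
    if not ("auth" in qs and "folderid" in qs):
        return []  # portal browsing: no API tasking pattern
    api_call = parts.path.rsplit("/", 1)[-1].lower()
    reasons = [f"pCloud API '{api_call}' with auth token and folderid in query"]
    if api_call in FILE_CALLS:
        reasons.append("folder/file call usable for dead-drop tasking or exfil")
    if not BROWSER_UA.search(rec["ua"]):
        reasons.append(f"non-browser user agent '{rec['ua']}'")
    return reasons


def hunt_proxy_log(log_text):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            api_call = urlsplit(rec["url"]).path.rsplit("/", 1)[-1].lower()
            findings.append({"src": rec["src"], "api_call": api_call,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_proxy_log(SAMPLE_LOG):
        print(f["src"], f["api_call"])
        for reason in f["reasons"]:
            print("  -", reason)
```

The listfolder-then-uploadfile sequence from one host within seconds is the shape of a poll-for-tasking, push-results loop; a production rule would correlate the two by source and window rather than alert on each line, and would exempt hosts with sanctioned pCloud use, since the query-string `auth` parameter is the API's normal authentication form and is not malicious by itself.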
### Similarities to Past ScarCruft Campaigns
**Genians** highlights multiple similarities between this activity and previous Python-based attacks orchestrated by **ScarCruft**. These include spear-phishing campaigns that used ticket confirmation and event invite lures to trick targets into opening ZIP archives containing LNK files.
The attack chain in these earlier campaigns also played out similarly: the LNK file served as a conduit for an obfuscated batch script downloaded from a remote C2 server. This script then downloaded the **Python** binary and a CAT file, ultimately deploying a compiled **Python** script capable of remote command execution and exfiltrating results back to the C2 server.
The scheduled task names used for persistence also follow a shared naming convention. The **NarwhalRAT** infection creates a task named "MicrosoftUserInterfacePicturesUpdateTackMachine," while the earlier chain used "MicrosoftMusicLibrariesPackageTaskMachine": both prepend "Microsoft" and end in "TaskMachine" (or the misspelt "TackMachine") to blend in with legitimate system tasks, which gives defenders a pattern to hunt on rather than a single name.
**Genians** concludes that **NarwhalRAT** is an "advanced RAT malware that integrates a Python-based multi-stage loader, an in-memory execution structure, a multi-C2 operational framework, and selective information collection functions."